Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe
Analysis ID:	1379474
MD5:	ea3a7609e12fe069ec2968793646876e
SHA1:	c727b1456e2c715cc80b992fe6c32ac70afc3402
SHA256:	a6c2b68b46b6b478ae984fd861f1681688a64c2f1f3227256e6fd436be1569e0
Infos:

Detection

PoshC2

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected PoshC2

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to inject threads in other processes

Machine Learning detection for sample

Yara detected Generic Downloader

Abnormal high CPU Usage

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe (PID: 5892 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe MD5: EA3A7609E12FE069EC2968793646876E)

conhost.exe (PID: 992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
PoshC2	PoshC2 is a proxy aware C2 framework used to aid penetration testers with red teaming, post-exploitation and lateral movement.PoshC2 is primarily written in Python3 and follows a modular format to enable users to add their own modules and tools, allowing an extendible and flexible C2 framework. Out-of-the-box PoshC2 comes PowerShell/C# and Python3 implants with payloads written in PowerShell v2 and v4, C++ and C# source code, a variety of executables, DLLs and raw shellcode in addition to a Python3 payload. These enable C2 functionality on a wide range of devices and operating systems, including Windows, *nix and OSX.	APT33	http://www.rewterz.com/rewterz-news/rewterz-threat-alert-iranian-apt-uses-job-scams-to-lure-targets https://5851803.fs1.hubspotusercontent-na1.net/hubfs/5851803/Russian%20Ransomware%20C2%20Network%20Discovered%20in%20Censys%20Data.pdf https://censys.com/russian-ransomware-c2-network-discovered-in-censys-data/ https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/poshc2_apt_33.md https://github.com/nettitude/PoshC2_Python/	https://malpedia.caad.fkie.fraunhofer.de/details/win.poshc2

Malware Configuration

Threatname: PoshC2

{"C2 url": "https://139.59.72.48:9443"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.4529328409.000000000145A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PoshC2	Yara detected PoshC2	Joe Security
00000000.00000002.4530257912.00000000019A0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PoshC2	Yara detected PoshC2	Joe Security
00000000.00000002.4530469878.0000000003B01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PoshC2	Yara detected PoshC2	Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe PID: 5892	JoeSecurity_PoshC2	Yara detected PoshC2	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.19a0000.3.unpack	JoeSecurity_PoshC2	Yara detected PoshC2	Joe Security
0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.1485480.2.unpack	JoeSecurity_PoshC2	Yara detected PoshC2	Joe Security
0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.3b087b0.4.unpack	JoeSecurity_PoshC2	Yara detected PoshC2	Joe Security
0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.1485480.2.raw.unpack	JoeSecurity_PoshC2	Yara detected PoshC2	Joe Security
0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.147dd88.1.raw.unpack	JoeSecurity_PoshC2	Yara detected PoshC2	Joe Security
0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.147dd88.1.unpack	JoeSecurity_PoshC2	Yara detected PoshC2	Joe Security
0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.19a0000.3.raw.unpack	JoeSecurity_PoshC2	Yara detected PoshC2	Joe Security
0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.3b087b0.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.3b087b0.4.raw.unpack	JoeSecurity_PoshC2	Yara detected PoshC2	Joe Security
Click to see the 4 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://139.59.72.48:9443/bh/sync/aol/?c	Avira URL Cloud: Label: malware
Source: https://139.59.72.48:9443	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.147dd88.1.raw.unpack

Malware Configuration Extractor: PoshC2 {"C2 url": "https://139.59.72.48:9443"}

Multi AV Scanner detection for domain / URL

Source: https://139.59.72.48:9443/bh/sync/aol/?c	Virustotal: Detection: 11%			Perma Link
Source: https://139.59.72.48:9443	Virustotal: Detection: 13%			Perma Link

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	ReversingLabs: Detection: 85%
Source: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Virustotal: Detection: 81%			Perma Link

Machine Learning detection for sample

Source: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Code function: 0_2_01317E08 FindFirstFileExW,		0_2_01317E08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Code function: 0_2_10007E04 FindFirstFileExW,		0_2_10007E04

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://139.59.72.48:9443

Yara detected Generic Downloader

Source: Yara match

File source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.3b087b0.4.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.6:49710 -> 139.59.72.48:9443

Source: Joe Sandbox View

IP Address: 139.59.72.48 139.59.72.48

Source: Joe Sandbox View

ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS

Source: unknown	TCP traffic detected without corresponding DNS query: 139.59.72.48
Source: unknown	TCP traffic detected without corresponding DNS query: 139.59.72.48
Source: unknown	TCP traffic detected without corresponding DNS query: 139.59.72.48
Source: unknown	TCP traffic detected without corresponding DNS query: 139.59.72.48
Source: unknown	TCP traffic detected without corresponding DNS query: 139.59.72.48
Source: unknown	TCP traffic detected without corresponding DNS query: 139.59.72.48
Source: unknown	TCP traffic detected without corresponding DNS query: 139.59.72.48
Source: unknown	TCP traffic detected without corresponding DNS query: 139.59.72.48
Source: unknown	TCP traffic detected without corresponding DNS query: 139.59.72.48
Source: unknown	TCP traffic detected without corresponding DNS query: 139.59.72.48
Source: unknown	TCP traffic detected without corresponding DNS query: 139.59.72.48
Source: unknown	TCP traffic detected without corresponding DNS query: 139.59.72.48
Source: unknown	TCP traffic detected without corresponding DNS query: 139.59.72.48
Source: unknown	TCP traffic detected without corresponding DNS query: 139.59.72.48
Source: unknown	TCP traffic detected without corresponding DNS query: 139.59.72.48

Source: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe, 00000000.00000002.4530469878.0000000003B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe, 00000000.00000002.4530469878.0000000003BC7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe, 00000000.00000002.4530469878.0000000003B99000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe, 00000000.00000002.4529328409.000000000145A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe, 00000000.00000002.4530469878.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe, 00000000.00000002.4530257912.00000000019A0000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe, 00000000.00000002.4530469878.0000000003B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://139.59.72.48:9443
Source: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe, 00000000.00000002.4530469878.0000000003BC7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe, 00000000.00000002.4530469878.0000000003B99000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe, 00000000.00000002.4530469878.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://139.59.72.48:9443/bh/sync/aol/?c
Source: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe, 00000000.00000002.4530469878.0000000003B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://139.59.72.48:9443t-

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Code function: 0_2_01310031	0_2_01310031
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Code function: 0_2_013110B4	0_2_013110B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Code function: 0_2_0131E8D4	0_2_0131E8D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Code function: 0_2_0131DBF5	0_2_0131DBF5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Code function: 0_2_100010B0	0_2_100010B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Code function: 0_2_1000E8D0	0_2_1000E8D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Code function: 0_2_1000DBF1	0_2_1000DBF1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Code function: String function: 10002D00 appears 34 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Code function: String function: 01312D04 appears 34 times

Source: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe, 00000000.00000002.4529328409.000000000145A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedropper_cs.exe$ vs SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe
Source: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe, 00000000.00000002.4530257912.00000000019A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamedropper_cs.exe$ vs SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe
Source: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe, 00000000.00000002.4530469878.0000000003B01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedropper_cs.exe$ vs SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe

Source: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.147dd88.1.raw.unpack, Program.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.147dd88.1.raw.unpack, Program.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.19a0000.3.raw.unpack, Program.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.19a0000.3.raw.unpack, Program.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.19a0000.3.raw.unpack, Program.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.19a0000.3.raw.unpack, Program.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.147dd88.1.raw.unpack, Program.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.147dd88.1.raw.unpack, Program.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.1485480.2.raw.unpack, Program.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.1485480.2.raw.unpack, Program.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.3b087b0.4.raw.unpack, Program.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.3b087b0.4.raw.unpack, Program.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/1@0/1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:992:120:WilError_03

Source: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	ReversingLabs: Detection: 85%
Source: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Virustotal: Detection: 81%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.147dd88.1.raw.unpack, Program.cs	.Net Code: ImplantCore System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.19a0000.3.raw.unpack, Program.cs	.Net Code: ImplantCore System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.3b087b0.4.raw.unpack, Program.cs	.Net Code: ImplantCore System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.1485480.2.raw.unpack, Program.cs	.Net Code: ImplantCore System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe

Code function: 0_2_001114E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_001114E0

Source: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe

Static PE information: section name: .eh_fram

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Code function: 0_2_01312D4A push ecx; ret	0_2_01312D5D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Code function: 0_2_0131EC10 pushad ; ret	0_2_0131EC11
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Code function: 0_2_10002D46 push ecx; ret	0_2_10002D59

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Code function: GetModuleHandleW,GetModuleFileNameA,StrStrIA,CreateThread,		0_2_01311644
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Code function: GetModuleHandleW,GetModuleFileNameA,StrStrIA,CreateThread,		0_2_10001640

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 599201	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 599089	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 598548	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 598316	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 596681	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 596557	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 596218	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 595671	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 595014	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 594797	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 594359	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 594250	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 594140	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 594031	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 593922	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 593812	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 593703	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 593594	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 593484	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Window / User API: threadDelayed 890	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Window / User API: threadDelayed 1528	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Window / User API: threadDelayed 7365	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 988	Thread sleep time: -44500000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -24903104499507879s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -599201s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -599089s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -598984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -598875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -598548s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -598437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -598316s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -596681s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -596557s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -596437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -596328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -596218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -596109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -596000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -595890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -595781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -595671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -595562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -595453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -595344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -595234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -595125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -595014s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -594906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -594797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -594687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -594578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -594469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -594359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -594250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -594140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -594031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -593922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -593812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -593703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -593594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144	Thread sleep time: -593484s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Code function: 0_2_01317E08 FindFirstFileExW,		0_2_01317E08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Code function: 0_2_10007E04 FindFirstFileExW,		0_2_10007E04

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 50000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 599201	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 599089	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 598548	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 598316	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 596681	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 596557	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 596218	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 595671	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 595014	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 594797	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 594359	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 594250	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 594140	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 594031	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 593922	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 593812	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 593703	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 593594	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Thread delayed: delay time: 593484	Jump to behavior

Source: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe, 00000000.00000002.4529328409.000000000148B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll,

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe

Code function: 0_2_01315D1F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_01315D1F

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe

Code function: 0_2_001114E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_001114E0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Code function: 0_2_0131799B mov eax, dword ptr fs:[00000030h]	0_2_0131799B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Code function: 0_2_01310B11 mov eax, dword ptr fs:[00000030h]	0_2_01310B11
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Code function: 0_2_013163A4 mov eax, dword ptr fs:[00000030h]	0_2_013163A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Code function: 0_2_10007997 mov eax, dword ptr fs:[00000030h]	0_2_10007997
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Code function: 0_2_100063A0 mov eax, dword ptr fs:[00000030h]	0_2_100063A0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe

Code function: 0_2_01319332 GetProcessHeap,

0_2_01319332

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Code function: 0_2_0011116C Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,GetStartupInfoA,_cexit,_initterm,exit,	0_2_0011116C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Code function: 0_2_00111160 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,	0_2_00111160
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Code function: 0_2_001111A3 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,	0_2_001111A3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Code function: 0_2_001113C1 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,	0_2_001113C1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Code function: 0_2_01315D1F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_01315D1F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Code function: 0_2_01312BDD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_01312BDD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Code function: 0_2_01312EAD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_01312EAD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Code function: 0_2_10005D1B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_10005D1B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Code function: 0_2_10002EA9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_10002EA9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	Code function: 0_2_10002BD9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_10002BD9

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe

Code function: 0_2_001116F9 exit,OpenProcess,exit,VirtualAllocEx,VirtualAllocEx,exit,VirtualProtect,VirtualProtect,WriteProcessMemory,WriteProcessMemory,exit,CreateRemoteThread,CreateRemoteThread,CloseHandle,

0_2_001116F9

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe

Code function: 0_2_01312A36 cpuid

0_2_01312A36

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe

Code function: 0_2_01312D65 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_01312D65

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected PoshC2

Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.19a0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.1485480.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.3b087b0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.1485480.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.147dd88.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.147dd88.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.19a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.3b087b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4529328409.000000000145A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4530257912.00000000019A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4530469878.0000000003B01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe PID: 5892, type: MEMORYSTR

Remote Access Functionality

Yara detected PoshC2

Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.19a0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.1485480.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.3b087b0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.1485480.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.147dd88.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.147dd88.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.19a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.3b087b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4529328409.000000000145A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4530257912.00000000019A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4530469878.0000000003B01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe PID: 5892, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	1 Native API	Path Interception	11 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	21 Virtualization/Sandbox Evasion	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Standard Port	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Application Layer Protocol			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	11 Deobfuscate/Decode Files or Information	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Traffic Duplication	Protocol Impersonation			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Scheduled Transfer	Fallback Channels			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Data Transfer Size Limits	Multiband Communication			Service Stop	Botnet	Domain Properties
External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over C2 Channel	Commonly Used Port			Inhibit System Recovery	Web Services	DNS

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	86%	ReversingLabs	Win32.Trojan.Martey
SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	81%	Virustotal		Browse
SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	100%	Avira	TR/Hijacker.Gen
SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://139.59.72.48:9443t-	0%	Avira URL Cloud	safe
https://139.59.72.48:9443/bh/sync/aol/?c	100%	Avira URL Cloud	malware
https://139.59.72.48:9443	100%	Avira URL Cloud	malware
https://139.59.72.48:9443/bh/sync/aol/?c	11%	Virustotal		Browse
https://139.59.72.48:9443	13%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
https://139.59.72.48:9443	true	13%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://139.59.72.48:9443t-	SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe, 00000000.00000002.4530469878.0000000003B01000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe, 00000000.00000002.4530469878.0000000003B01000.00000004.00000800.00020000.00000000.sdmp	false		high
https://139.59.72.48:9443/bh/sync/aol/?c	SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe, 00000000.00000002.4530469878.0000000003BC7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe, 00000000.00000002.4530469878.0000000003B99000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe, 00000000.00000002.4530469878.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp	false	11%, Virustotal, Browse Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
139.59.72.48	unknown	Singapore		14061	DIGITALOCEAN-ASNUS	true

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1379474
Start date and time:	2024-01-23 13:29:16 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/1@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 28 Number of non-executed functions: 62
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:30:01	API Interceptor	9604695x Sleep call for process: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
139.59.72.48	SecuriteInfo.com.Trojan.RunPowerShellNET.8.18821.3341.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.RunPowerShellNET.8.18821.3341.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.RunPowerShellNET.8.1922.27994.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.DownLoaderNET.485.23452.1035.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.RunPowerShellNET.8.27731.28340.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.RunPowerShellNET.8.7028.30924.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.DownLoaderNET.485.29542.11675.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.DownLoaderNET.485.23452.1035.exe	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DIGITALOCEAN-ASNUS	http://104.131.132.54/dota3.tar.gz	Get hash	malicious	Unknown	Browse	104.131.132.54
	Chepstow Hospital 2024.html	Get hash	malicious	Unknown	Browse	178.128.135.204
	https://blueinsect-raxilaf176408090.codeanyapp.com/STR/SRT34/	Get hash	malicious	Unknown	Browse	45.55.112.74
	BbTm8TrVqb.exe	Get hash	malicious	LummaC, AsyncRAT, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, PureLog Stealer	Browse	162.243.189.2
	SecuriteInfo.com.Python.CrealStealer.4.28055.30099.exe	Get hash	malicious	Creal Stealer	Browse	159.89.102.253
	ghdfg64.exe	Get hash	malicious	Creal Stealer	Browse	159.89.102.253
	java.exe	Get hash	malicious	Tinba	Browse	178.62.201.34
	toolspub1.exe	Get hash	malicious	LummaC, Babuk, Djvu, LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	134.209.130.144
	python.exe	Get hash	malicious	CobaltStrike	Browse	159.89.124.188
	arm7.elf	Get hash	malicious	Mirai	Browse	157.245.182.60

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	159
Entropy (8bit):	3.8947409169014717
Encrypted:	false
SSDEEP:	3:TrA7F7HqYLhOw4yHXWcFU7F7HqYLhOw4yHXWcFU7F7HqYLhOw4yHXWy:XAB+YVKy3AB+YVKy3AB+YVKy33
MD5:	20AFD3CDD39C3CCA75BC64343D01D1C5
SHA1:	97D177F2D90153034DE3BE498E24C69181C1746E
SHA-256:	08092ABB159997EDC3B73C4450628DD96326B31DD08407ECE99BBA3782E3BD26
SHA-512:	74B6444E6945039EFE80A25CFF677C5AA65B0123A4506991884C97261900DBE90593AE825545D368FAB932A53AFB8453EF3197D27EC1D74992878AFBD12BB804
Malicious:	false
Reputation:	low
Preview:	> Exception Unable to connect to the remote server.. > Exception Unable to connect to the remote server.. > Exception Unable to connect to the remote server..

Static File Info

General

File type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.413646596673889
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe
File size:	140'288 bytes
MD5:	ea3a7609e12fe069ec2968793646876e
SHA1:	c727b1456e2c715cc80b992fe6c32ac70afc3402
SHA256:	a6c2b68b46b6b478ae984fd861f1681688a64c2f1f3227256e6fd436be1569e0
SHA512:	44d905a5b449b0cca54bd11bc4e4ef9a11f47e6062ec605540ba7be528b6d39d4ab0fd7870061ec57c1234ecb86899a032711dd447fa2875554936bc03304805
SSDEEP:	3072:RrKiddDSt4dtH1G2hfdE8pT+d6s377PhrU:BKiddDIK7GiOLdV7jhrU
TLSH:	0BD36E3E35B16807F6ED0A34F4F8FA1642003123BDE65CCE2D14AA2CC7739A7769A654
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...g.le...............%..... ...............0....@.......................................@... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4014b0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x656CC067 [Sun Dec 3 17:52:39 2023 UTC]
TLS Callbacks:	0x401980, 0x401930
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	bb9dc484d891a7cf70c5c51b76b5d7db

Entrypoint Preview

Instruction
mov dword ptr [0042406Ch], 00000000h
jmp 00007F4504B000D6h
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], eax
call 00007F4504B017EEh
test eax, eax
sete al
add esp, 1Ch
movzx eax, al
neg eax
ret
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 00422000h
call dword ptr [00425114h]
sub esp, 04h
test eax, eax
je 00007F4504B004A5h
mov ebx, eax
mov dword ptr [esp], 00422000h
call dword ptr [00425128h]
mov edi, dword ptr [00425118h]
sub esp, 04h
mov dword ptr [00424028h], eax
mov dword ptr [esp+04h], 00422013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 00422029h
mov dword ptr [esp], ebx
call edi
mov dword ptr [00403004h], eax
sub esp, 08h
test esi, esi
je 00007F4504B00443h
mov dword ptr [esp+04h], 0042402Ch
mov dword ptr [esp], 00423104h
call esi
mov dword ptr [esp], 00401590h
call 00007F4504B00393h
lea esp, dword ptr [ebp-0Ch]
pop ebx
pop esi
pop edi
pop ebp
ret
lea esi, dword ptr [esi+00000000h]
mov dword ptr [00403004h], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x25000	0x52c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x28000	0x254	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x22048	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x250f8	0xbc	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1914	0x1a00	f0e37ec431e64213814ba85f8f3a0583	False	0.5638521634615384	data	5.846117818627713	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x3000	0x1e460	0x1e600	808561d6c7bee8a881713bceda459c33	False	0.7740644290123457	data	7.471441078656051	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x22000	0x640	0x800	f184779ef92be879efffb5516c16cde1	False	0.2509765625	data	4.429330729079639	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eh_fram	0x23000	0x808	0xa00	cc3c1d04c3f4f4a0fdc9a45b2ca212f9	False	0.357421875	data	4.019719986614664	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x24000	0xc0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x25000	0x52c	0x600	05749aedd66fd8bf021e8c62acd1183e	False	0.408203125	data	4.50073620107875	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x26000	0x30	0x200	4598190f1d736200bfeba72241c0036b	False	0.064453125	data	0.22091378450968063	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x27000	0x8	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x28000	0x254	0x400	d1aa0f9a3beb7a7f867d13fe0058fb9c	False	0.5634765625	data	4.5116431429364265	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	CloseHandle, CreateRemoteThread, DeleteCriticalSection, EnterCriticalSection, FreeLibrary, GetCurrentProcessId, GetLastError, GetModuleHandleA, GetProcAddress, GetStartupInfoA, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA, OpenProcess, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualAllocEx, VirtualProtect, VirtualQuery, WriteProcessMemory
msvcrt.dll	__getmainargs, __initenv, __p__acmdln, __p__commode, __p__fmode, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _initterm, _iob, _onexit, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, signal, strlen, strncmp, vfprintf

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 23, 2024 13:30:03.052087069 CET	49710	9443	192.168.2.6	139.59.72.48
Jan 23, 2024 13:30:03.387289047 CET	9443	49710	139.59.72.48	192.168.2.6
Jan 23, 2024 13:30:03.889303923 CET	49710	9443	192.168.2.6	139.59.72.48
Jan 23, 2024 13:30:04.225794077 CET	9443	49710	139.59.72.48	192.168.2.6
Jan 23, 2024 13:30:04.733181000 CET	49710	9443	192.168.2.6	139.59.72.48
Jan 23, 2024 13:30:05.070205927 CET	9443	49710	139.59.72.48	192.168.2.6
Jan 23, 2024 13:30:05.577122927 CET	49710	9443	192.168.2.6	139.59.72.48
Jan 23, 2024 13:30:05.914635897 CET	9443	49710	139.59.72.48	192.168.2.6
Jan 23, 2024 13:30:06.420614004 CET	49710	9443	192.168.2.6	139.59.72.48
Jan 23, 2024 13:30:06.757477999 CET	9443	49710	139.59.72.48	192.168.2.6
Jan 23, 2024 13:31:06.825917006 CET	49718	9443	192.168.2.6	139.59.72.48
Jan 23, 2024 13:31:07.162338018 CET	9443	49718	139.59.72.48	192.168.2.6
Jan 23, 2024 13:31:07.670464039 CET	49718	9443	192.168.2.6	139.59.72.48
Jan 23, 2024 13:31:08.006757975 CET	9443	49718	139.59.72.48	192.168.2.6
Jan 23, 2024 13:31:08.514285088 CET	49718	9443	192.168.2.6	139.59.72.48
Jan 23, 2024 13:31:08.850425005 CET	9443	49718	139.59.72.48	192.168.2.6
Jan 23, 2024 13:31:09.357989073 CET	49718	9443	192.168.2.6	139.59.72.48
Jan 23, 2024 13:31:09.694246054 CET	9443	49718	139.59.72.48	192.168.2.6
Jan 23, 2024 13:31:10.201725960 CET	49718	9443	192.168.2.6	139.59.72.48
Jan 23, 2024 13:31:10.537988901 CET	9443	49718	139.59.72.48	192.168.2.6
Jan 23, 2024 13:33:10.550234079 CET	49720	9443	192.168.2.6	139.59.72.48
Jan 23, 2024 13:33:10.895445108 CET	9443	49720	139.59.72.48	192.168.2.6
Jan 23, 2024 13:33:11.420295954 CET	49720	9443	192.168.2.6	139.59.72.48
Jan 23, 2024 13:33:11.764422894 CET	9443	49720	139.59.72.48	192.168.2.6
Jan 23, 2024 13:33:12.420315027 CET	49720	9443	192.168.2.6	139.59.72.48
Jan 23, 2024 13:33:12.764312029 CET	9443	49720	139.59.72.48	192.168.2.6
Jan 23, 2024 13:33:13.326584101 CET	49720	9443	192.168.2.6	139.59.72.48
Jan 23, 2024 13:33:13.670665979 CET	9443	49720	139.59.72.48	192.168.2.6
Jan 23, 2024 13:33:14.232789040 CET	49720	9443	192.168.2.6	139.59.72.48
Jan 23, 2024 13:33:14.576775074 CET	9443	49720	139.59.72.48	192.168.2.6

Target ID:	0
Start time:	13:30:01
Start date:	23/01/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe
Imagebase:	0x110000
File size:	140'288 bytes
MD5 hash:	EA3A7609E12FE069EC2968793646876E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_PoshC2, Description: Yara detected PoshC2, Source: 00000000.00000002.4529328409.000000000145A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PoshC2, Description: Yara detected PoshC2, Source: 00000000.00000002.4530257912.00000000019A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PoshC2, Description: Yara detected PoshC2, Source: 00000000.00000002.4530469878.0000000003B01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	13:30:01
Start date:	23/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4.9%
Dynamic/Decrypted Code Coverage:	88.7%
Signature Coverage:	6.2%
Total number of Nodes:	923
Total number of Limit Nodes:	12

Executed Functions

Function 01310031 Relevance: 70.8, APIs: 2, Strings: 38, Instructions: 811memoryCOMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNELBASE(?), ref: 013104A2
VirtualAlloc.KERNELBASE(?,?,00003000,00000004), ref: 013104D2

Strings

oc, xrefs: 01310153
tu, xrefs: 01310165
st, xrefs: 013101AC
b, xrefs: 01310286
a, xrefs: 0131011B
Cach, xrefs: 013101F9
Via, xrefs: 01310311
ee, xrefs: 013100EF
Li, xrefs: 0131010B
yA, xrefs: 01310124
Syst, xrefs: 01310218
otec, xrefs: 0131017E
o, xrefs: 013101C8
Fu, xrefs: 01310259
Ta, xrefs: 0131027C
ushI, xrefs: 0131019A
F, xrefs: 0131018B
ucti, xrefs: 013101BD
Rt, xrefs: 01310232
fo, xrefs: 0131022B
A, xrefs: 01310243
a, xrefs: 0131016C
t, xrefs: 01310186
tNat, xrefs: 01310209
b, xrefs: 01310112
a, xrefs: 0131013D
S, xrefs: 013100E6
G, xrefs: 01310204
mI, xrefs: 01310220
A, xrefs: 01310146
P, xrefs: 01310175
Lo, xrefs: 013100FB
Vi, xrefs: 0131012B
tu, xrefs: 01310136
iv, xrefs: 01310211
ctio, xrefs: 0131026A
p, xrefs: 013100F6
a, xrefs: 01310102

Memory Dump Source

Source File: 00000000.00000002.4528290767.0000000001310000.00000040.00001000.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1310000_SecuriteInfo.jbxd

Similarity

API ID: AllocInfoNativeSystemVirtual
String ID: A$A$Cach$F$Fu$G$Li$Lo$P$Rt$S$Syst$Ta$Vi$Via$a$a$a$a$b$b$ctio$ee$fo$iv$mI$o$oc$otec$p$st$t$tNat$tu$tu$ucti$ushI$yA
API String ID: 2032221330-2899676511
Opcode ID: 15b3c3a1d8b5dafea4a93bb4805a509b4eeb6b1eaca912e0ae13e9403863b76d
Instruction ID: 7b2379cb4cfe77b658b811011f3d6e46badaa25a8608b124416185de4145425d
Opcode Fuzzy Hash: 15b3c3a1d8b5dafea4a93bb4805a509b4eeb6b1eaca912e0ae13e9403863b76d
Instruction Fuzzy Hash: CA628D715083858FE729CF28C850BABBBE5BF84308F04492DF9C98B256E770D985CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0011116C Relevance: 19.7, APIs: 13, Instructions: 201
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 001111B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00111238
__p__acmdln.MSVCRT ref: 00111261
malloc.MSVCRT ref: 001112EB
strlen.MSVCRT ref: 0011131B
malloc.MSVCRT ref: 00111326
memcpy.MSVCRT ref: 0011133C
GetStartupInfoA.KERNEL32 ref: 00111433

Memory Dump Source

Source File: 00000000.00000002.4528074559.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.4528059831.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528091170.0000000000113000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528111874.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528124963.0000000000135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528139880.0000000000138000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_SecuriteInfo.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
String ID:
API String ID: 1672962128-0
Opcode ID: 3241b6134ad71b06cddabb64e1f1b6d2517041563cdc483ba2e0f3dc5adf18b3
Instruction ID: 3e13e5c2c39c6c8a6ce7285121d1fa8cc886c211d9371be2d4db3ae2ff7aa083
Opcode Fuzzy Hash: 3241b6134ad71b06cddabb64e1f1b6d2517041563cdc483ba2e0f3dc5adf18b3
Instruction Fuzzy Hash: 66817A71A08205AFDB1CDFA4E9853E9BBE1FB45300F214438EB8597711D779A8C9CB92

Uniqueness

Uniqueness Score: -1.00%

Function 001116F9 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 80
memoryinjectionthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

exit.MSVCRT ref: 00111713
exit.MSVCRT ref: 00111748
VirtualAllocEx.KERNELBASE ref: 00111778
exit.MSVCRT ref: 0011178D
VirtualProtect.KERNELBASE ref: 001117B4
WriteProcessMemory.KERNELBASE ref: 001117F0
exit.MSVCRT ref: 00111800
CreateRemoteThread.KERNELBASE ref: 0011183F

Strings

@R$v, xrefs: 001117EB
@, xrefs: 00111799

Memory Dump Source

Source File: 00000000.00000002.4528074559.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.4528059831.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528091170.0000000000113000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528111874.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528124963.0000000000135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528139880.0000000000138000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_SecuriteInfo.jbxd

Similarity

API ID: exit$Virtual$AllocCreateMemoryProcessProtectRemoteThreadWrite
String ID: @$@R$v
API String ID: 1541745093-913945927
Opcode ID: 239a91e40ceef394262e35a446f5b17ce7c1f329f896618502eba7a505617911
Instruction ID: a807750d7cfd637a3d5a0865b63070330ed1e61093569238d6fe43c7719e0d9b
Opcode Fuzzy Hash: 239a91e40ceef394262e35a446f5b17ce7c1f329f896618502eba7a505617911
Instruction Fuzzy Hash: EC4162B0908305DFDB00EF68C54979EBBF0BF44304F41882CE5989B290D7B99988CF92

Uniqueness

Uniqueness Score: -1.00%

Function 001113C1 Relevance: 12.1, APIs: 8, Instructions: 108
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00111238
__p__acmdln.MSVCRT ref: 00111261
malloc.MSVCRT ref: 001112EB
strlen.MSVCRT ref: 0011131B
malloc.MSVCRT ref: 00111326
memcpy.MSVCRT ref: 0011133C
_amsg_exit.MSVCRT ref: 001113E2
_initterm.MSVCRT ref: 00111404

Memory Dump Source

Source File: 00000000.00000002.4528074559.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.4528059831.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528091170.0000000000113000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528111874.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528124963.0000000000135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528139880.0000000000138000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_SecuriteInfo.jbxd

Similarity

API ID: malloc$ExceptionFilterUnhandled__p__acmdln_amsg_exit_inittermmemcpystrlen
String ID:
API String ID: 2053141405-0
Opcode ID: a84490f7c8a172a9160b05ccbefae450e594c924262c94d33fa2c80debaae5ca
Instruction ID: 08176d44e39a40acc58d2747296506c306dc25bbe47fed9c93a9cc2e15d6c140
Opcode Fuzzy Hash: a84490f7c8a172a9160b05ccbefae450e594c924262c94d33fa2c80debaae5ca
Instruction Fuzzy Hash: 3541F5B4A083019FDB18EFA4E9853D9BBE0BB58340F11843DEA8497711D774A8D5CF92

Uniqueness

Uniqueness Score: -1.00%

Function 001111A3 Relevance: 10.6, APIs: 7, Instructions: 114
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 001111B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00111238
__p__acmdln.MSVCRT ref: 00111261
malloc.MSVCRT ref: 001112EB
strlen.MSVCRT ref: 0011131B
malloc.MSVCRT ref: 00111326
memcpy.MSVCRT ref: 0011133C
_amsg_exit.MSVCRT ref: 001113E2
_initterm.MSVCRT ref: 00111404

Memory Dump Source

Source File: 00000000.00000002.4528074559.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.4528059831.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528091170.0000000000113000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528111874.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528124963.0000000000135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528139880.0000000000138000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_SecuriteInfo.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandled__p__acmdln_amsg_exit_inittermmemcpystrlen
String ID:
API String ID: 2230096795-0
Opcode ID: fd1e80fb912b508cb19d90fcc9c3f658a164941284d9efb4ebc095a0ac377f19
Instruction ID: 5709db2a58d5860180ae120d9d11d7f959b989cbdeae7f0793121cd94e5292f8
Opcode Fuzzy Hash: fd1e80fb912b508cb19d90fcc9c3f658a164941284d9efb4ebc095a0ac377f19
Instruction Fuzzy Hash: 704104B0A043019FDB18EFA9E98479DBBF0BB48344F11453DEA8497B51E774A8C5CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00111160 Relevance: 9.1, APIs: 6, Instructions: 130
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 001111B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00111238
__p__acmdln.MSVCRT ref: 00111261
malloc.MSVCRT ref: 001112EB
strlen.MSVCRT ref: 0011131B
malloc.MSVCRT ref: 00111326
memcpy.MSVCRT ref: 0011133C
GetStartupInfoA.KERNEL32 ref: 00111433

Memory Dump Source

Source File: 00000000.00000002.4528074559.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.4528059831.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528091170.0000000000113000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528111874.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528124963.0000000000135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528139880.0000000000138000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_SecuriteInfo.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
String ID:
API String ID: 1672962128-0
Opcode ID: 9efc9fe1a2925956a7ea26fdc0e7879958266a462a8e57e976efcb6b64679b65
Instruction ID: c926760750d4b16cfe8953800f1ee7e9a56d415cb3d38b67e0f9aadf20a245cc
Opcode Fuzzy Hash: 9efc9fe1a2925956a7ea26fdc0e7879958266a462a8e57e976efcb6b64679b65
Instruction Fuzzy Hash: 67514771A042019FDB18DFA9E9807DABBF0FB48740F11453CEA449B761E774A8C5CB91

Uniqueness

Uniqueness Score: -1.00%

Function 10001640 Relevance: 6.0, APIs: 4, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 10001652
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1000167D
StrStrIA.KERNELBASE(?,1001B09C), ref: 1000168F
CreateThread.KERNELBASE(00000000,00000000,Function_00000930,?,00000000,00000000), ref: 100016A6

Memory Dump Source

Source File: 00000000.00000002.4531328256.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10001000_SecuriteInfo.jbxd

Similarity

API ID: Module$CreateFileHandleNameThread
String ID:
API String ID: 345888460-0
Opcode ID: bc22102a787501f48ea84cdce432fbd2a449c4f78da8322cd65b092844ce9337
Instruction ID: 853a8ebf1c83869fb68250765f5e448e0e35acde037a291c0c52291fdf588ec9
Opcode Fuzzy Hash: bc22102a787501f48ea84cdce432fbd2a449c4f78da8322cd65b092844ce9337
Instruction Fuzzy Hash: 39F030FA900228BBF710DBA0DD89FEB3BACDB14391F044055FF44D6085E6B59A848BA1

Uniqueness

Uniqueness Score: -1.00%

Function 100010B0 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4531328256.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10001000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c8ba889e22dbf6d6dfe55392cd371212ae3a88e797661168e23d219cf0826e1
Instruction ID: 11154f04ebcacc2f8ba1ecc64ccd9bd9657e77d706722054fa73749317b682a1
Opcode Fuzzy Hash: 5c8ba889e22dbf6d6dfe55392cd371212ae3a88e797661168e23d219cf0826e1
Instruction Fuzzy Hash: 00712370A042868FFB05CB69D8D06EEBBF6EB5A380F5581BCD45597253C631DA4AC710

Uniqueness

Uniqueness Score: -1.00%

Function 10001930 Relevance: 51.3, APIs: 26, Strings: 3, Instructions: 575librarymemoryloaderCOMMON

Download Yara Rule

APIs

_com_util::ConvertStringToBSTR.COMSUPP ref: 10001984
_com_util::ConvertStringToBSTR.COMSUPP ref: 100019BE
LoadLibraryW.KERNELBASE ref: 100019D2
GetProcAddress.KERNEL32(00000000,1001B0E0), ref: 100019F2
GetTickCount.KERNEL32 ref: 10001AC7
LoadLibraryW.KERNELBASE ref: 10001BCE
GetProcAddress.KERNEL32(00000000,1001B100), ref: 10001BDE
VirtualProtect.KERNELBASE(00000000,00000008,00000040,?), ref: 10001BF4
VirtualProtect.KERNELBASE(00000000,00000008,?,?), ref: 10001C13
LoadLibraryA.KERNEL32 ref: 10001C33
GetProcAddress.KERNEL32(00000000,1001B118), ref: 10001C43
VirtualProtect.KERNELBASE(00000000,00000004,00000040,?), ref: 10001C59
VirtualProtect.KERNELBASE(00000000,00000004,?,?), ref: 10001C71
SafeArrayCreate.OLEAUT32(00000011,00000001,?), ref: 10001C9B
SafeArrayLock.OLEAUT32(00000000), ref: 10001CA6
SafeArrayUnlock.OLEAUT32(?), ref: 10001CBE
SysAllocString.OLEAUT32(1001B164), ref: 10001DC7
SafeArrayCreateVector.OLEAUT32 ref: 10001E31
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 10001E44
SafeArrayDestroy.OLEAUT32(00000000), ref: 10001E7C
SysFreeString.OLEAUT32(-00000001), ref: 10001EB6
SysFreeString.OLEAUT32(-00000001), ref: 10001F75
SysFreeString.OLEAUT32(-00000001), ref: 10001FC6
_com_issue_error.COMSUPP ref: 1000201B
_com_issue_error.COMSUPP ref: 10002025
_com_issue_error.COMSUPP ref: 10002034

Strings

AMS=1, xrefs: 10001BA5
ETW=1, xrefs: 10001C18
NTD=1, xrefs: 10001B8F

Memory Dump Source

Source File: 00000000.00000002.4531328256.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10001000_SecuriteInfo.jbxd

Similarity

API ID: ArraySafeString$ProtectVirtual$AddressFreeLibraryLoadProc_com_issue_error$ConvertCreate_com_util::$AllocCountDestroyElementLockTickUnlockVector
String ID: AMS=1$ETW=1$NTD=1
API String ID: 3002600872-336627247
Opcode ID: 796f0c940004429549ae6eb8774842e5ee17541114cfd9917d7b9634fe2cf08c
Instruction ID: a88584ebe180a9ddfa3272c619c8da86773b389a682b864c7f3e6777108a4b31
Opcode Fuzzy Hash: 796f0c940004429549ae6eb8774842e5ee17541114cfd9917d7b9634fe2cf08c
Instruction Fuzzy Hash: 59226770604302AFE740DF64C848BABB7E8EF85794F01492CF985DB299DB71E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 100016C0 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 163
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 100016F7
GetModuleHandleA.KERNEL32(1001B0AC), ref: 10001715
K32GetModuleInformation.KERNEL32(00000000,00000000,?,0000000C), ref: 10001734
CreateFileA.KERNELBASE(1001B0B8,80000000,00000001,00000000,00000003,00000000,00000000), ref: 10001762
CreateFileMappingW.KERNELBASE(00000000,00000000,01000002,00000000,00000000,00000000), ref: 10001787
MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000000), ref: 100017A7
VirtualProtect.KERNELBASE(?,00000001,00000040,00000000), ref: 1000183D
VirtualProtect.KERNELBASE(?,00000001,00000000,00000000), ref: 10001897
FindCloseChangeNotification.KERNELBASE(?), ref: 100018C6
FreeLibrary.KERNEL32(?), ref: 100018D5

Strings

.text, xrefs: 100017F1

Memory Dump Source

Source File: 00000000.00000002.4531328256.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10001000_SecuriteInfo.jbxd

Similarity

API ID: File$CreateModuleProtectVirtual$ChangeCloseCurrentFindFreeHandleInformationLibraryMappingNotificationProcessView
String ID: .text
API String ID: 4217089541-2719751843
Opcode ID: 42bf4af3205321ef4fb61f54ca1fbf8812ee01829e6fef69a317e5cde49720a9
Instruction ID: 8e62270a08096e1423786b4b358ede1b0600daedc61b6570581ace5ccf4b68c9
Opcode Fuzzy Hash: 42bf4af3205321ef4fb61f54ca1fbf8812ee01829e6fef69a317e5cde49720a9
Instruction Fuzzy Hash: 9F519CB1D01259EBEB20CFA8CD45BEEBBB5EF05760F208259E920B72D0C7716A05DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00111296 Relevance: 5.1, APIs: 4, Instructions: 79
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 001112EB
strlen.MSVCRT ref: 0011131B
malloc.MSVCRT ref: 00111326
memcpy.MSVCRT ref: 0011133C

Memory Dump Source

Source File: 00000000.00000002.4528074559.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.4528059831.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528091170.0000000000113000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528111874.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528124963.0000000000135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528139880.0000000000138000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_SecuriteInfo.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: 975b66eac4cee8f2ecd7a7a1cbb1c06b761dce2c101cf0fdbc2d70f654957b19
Instruction ID: d3c23630670be1a7e0b46be245b690cafad206c113d7baf98b7e82f162c974eb
Opcode Fuzzy Hash: 975b66eac4cee8f2ecd7a7a1cbb1c06b761dce2c101cf0fdbc2d70f654957b19
Instruction Fuzzy Hash: D33123B5A047058FCB18DFA8E9807D9BBF1FB48300F148929EA8897711E735A985CF81

Uniqueness

Uniqueness Score: -1.00%

Function 001113B3 Relevance: 5.1, APIs: 4, Instructions: 65
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 001112EB
strlen.MSVCRT ref: 0011131B
malloc.MSVCRT ref: 00111326
memcpy.MSVCRT ref: 0011133C

Memory Dump Source

Source File: 00000000.00000002.4528074559.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.4528059831.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528091170.0000000000113000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528111874.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528124963.0000000000135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528139880.0000000000138000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_SecuriteInfo.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: b68e6561ee54b2dce608f785c255de36e88b039e9113446ac1a8d05fd9b5e075
Instruction ID: 0c4913e44fd868faa2d4fc5b0fdca6d9698188c0542aba65efe88167acabc795
Opcode Fuzzy Hash: b68e6561ee54b2dce608f785c255de36e88b039e9113446ac1a8d05fd9b5e075
Instruction Fuzzy Hash: D621F3B5E04705CFCB18DF69E9806DDBBF1FB48300B158929EA4897711E734A995CF41

Uniqueness

Uniqueness Score: -1.00%

Function 1000680A Relevance: 4.6, APIs: 3, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 1000689A
_free.LIBCMT ref: 100068B5
_free.LIBCMT ref: 100068C0

Memory Dump Source

Source File: 00000000.00000002.4531328256.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10001000_SecuriteInfo.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: ec447606e695ca8d96ccb00ee95fe3c6875b47692bb4ece1ee0a099ee9ca4aae
Instruction ID: 86aff7daed6e6ca4daf406932b390ddcfa11c581d2506e93413d5501b65b1ad9
Opcode Fuzzy Hash: ec447606e695ca8d96ccb00ee95fe3c6875b47692bb4ece1ee0a099ee9ca4aae
Instruction Fuzzy Hash: 87217D7AA081515BFF04CE789C51BED3BE7DF8A2D0F3482ADE9849B24ADD225D078350

Uniqueness

Uniqueness Score: -1.00%

Function 00111617 Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 47
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001116F9: exit.MSVCRT ref: 00111713
Part of subcall function 001116F9: exit.MSVCRT ref: 00111748
Part of subcall function 001116F9: VirtualAllocEx.KERNELBASE ref: 00111778
Part of subcall function 001116F9: exit.MSVCRT ref: 0011178D
Part of subcall function 001116F9: VirtualProtect.KERNELBASE ref: 001117B4
Part of subcall function 001116F9: WriteProcessMemory.KERNELBASE ref: 001117F0
Part of subcall function 001116F9: exit.MSVCRT ref: 00111800
Part of subcall function 001116F9: CreateRemoteThread.KERNELBASE ref: 0011183F

Sleep.KERNELBASE ref: 001116F2

Strings

random_alphanum_key_goes_here, xrefs: 001116C0
D, xrefs: 00111649

Memory Dump Source

Source File: 00000000.00000002.4528074559.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.4528059831.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528091170.0000000000113000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528111874.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528124963.0000000000135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528139880.0000000000138000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_SecuriteInfo.jbxd

Similarity

API ID: exit$Virtual$AllocCreateMemoryProcessProtectRemoteSleepThreadWrite
String ID: D$random_alphanum_key_goes_here
API String ID: 1304627603-2824002523
Opcode ID: 7669200c34e53b750834db85ec7a4b58797ec4d127b36fdf452e02e93a529f8d
Instruction ID: c0608ebfaa5494837f18a2e6f72cf59bf7a5184d176621b602919cbe6e36739f
Opcode Fuzzy Hash: 7669200c34e53b750834db85ec7a4b58797ec4d127b36fdf452e02e93a529f8d
Instruction Fuzzy Hash: 072103B08047489BDB14DFA8C9157CEFBF2AF40704F10852CE5586B385D7BA5548CF96

Uniqueness

Uniqueness Score: -1.00%

Function 019B0518 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 019B06BC

Strings

`, xrefs: 019B05E9

Memory Dump Source

Source File: 00000000.00000002.4530281687.00000000019B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19b0000_SecuriteInfo.jbxd

Similarity

API ID: ConsoleWindow
String ID: `
API String ID: 2863861424-1850852036
Opcode ID: 11ffd541cf12d9634cc3ea37d547b3d6402bc8d42561b3df42634b6626beef96
Instruction ID: 8b842c520f3e435dd0196d40d4bd623efa086123b3cdb4dff1adc192a4e6779c
Opcode Fuzzy Hash: 11ffd541cf12d9634cc3ea37d547b3d6402bc8d42561b3df42634b6626beef96
Instruction Fuzzy Hash: 20419B71A00349CFDB24EFB9C5847EFBBF5AF88320F14842AE559A7240DB749985CB91

Uniqueness

Uniqueness Score: -1.00%

Function 100093FF Relevance: 3.1, APIs: 2, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 1000944B
GetFileType.KERNELBASE(00000000), ref: 1000945D

Memory Dump Source

Source File: 00000000.00000002.4531328256.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10001000_SecuriteInfo.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: fe743e4cd4d0bfc2eab60b12901d57e57474cc234274226526fb3892d2712727
Instruction ID: 599f08d5d62ceb4f41e51a86a7d9fdfc7cf1020932d14e2e860ee6c368c4bdcb
Opcode Fuzzy Hash: fe743e4cd4d0bfc2eab60b12901d57e57474cc234274226526fb3892d2712727
Instruction Fuzzy Hash: 5D11847150475146F770CE3E8D88E1ABAD4EB862F0B350719E4BA865F9C730D987D642

Uniqueness

Uniqueness Score: -1.00%

Function 10009BCA Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 10009BF8
_free.LIBCMT ref: 10009C1E

Memory Dump Source

Source File: 00000000.00000002.4531328256.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10001000_SecuriteInfo.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: cfb8fedcac5938e8f4ff3ef7597f04156b739f37f1d23cb70cec12d20cd620f4
Instruction ID: 9c7e522ad82f1947b556e6bfb0f7e1dafed128a7bbca0a0392cbc25c6116c220
Opcode Fuzzy Hash: cfb8fedcac5938e8f4ff3ef7597f04156b739f37f1d23cb70cec12d20cd620f4
Instruction Fuzzy Hash: 2211D0B1E012A15AF710DB38AC49B4A32D4F7417B0F04462AF924CB2E8D778EE428681

Uniqueness

Uniqueness Score: -1.00%

Function 100030BC Relevance: 3.0, APIs: 2, Instructions: 41
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,10001989,?,00000000,00000000,?,10003470,1001BC30,000000FE,?,10001989), ref: 100030DF
SysAllocString.OLEAUT32(00000000), ref: 100030EA

Part of subcall function 10006F2F: _free.LIBCMT ref: 10006F42

_com_issue_error.COMSUPP ref: 10003151
GetLastError.KERNEL32(8007000E,00000000,?,00000000,?,10003470,1001BC30,000000FE,?,10001989,1001B128,00000000), ref: 10003167
_com_issue_error.COMSUPP ref: 1000317A
_com_issue_error.COMSUPP ref: 10003184

Memory Dump Source

Source File: 00000000.00000002.4531328256.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10001000_SecuriteInfo.jbxd

Similarity

API ID: _com_issue_error$AllocByteCharErrorLastMultiStringWide_free
String ID:
API String ID: 182792476-0
Opcode ID: 706c3d890bde40cba28a937b679b14c5cd5aeb1eacbf683a0ec964cfe89feaa0
Instruction ID: 5b5ead60a7a82bb866404b811c20f2e458fdc686d5468b7aca27ff9607166220
Opcode Fuzzy Hash: 706c3d890bde40cba28a937b679b14c5cd5aeb1eacbf683a0ec964cfe89feaa0
Instruction Fuzzy Hash: F3018172F052289BEB11CF94DC81BEFBBB8EF4D7A0F004129ED0667295D770695086A0

Uniqueness

Uniqueness Score: -1.00%

Function 100022B9 Relevance: 3.0, APIs: 2, Instructions: 38COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 10002A0F

Part of subcall function 10003357: RaiseException.KERNEL32(?,?,?,10002A31,?,?,?,?,?,?,?,?,10002A31,0000000C,1001BBF4,0000000C), ref: 100033B7

__CxxThrowException@8.LIBVCRUNTIME ref: 10002A2C

Memory Dump Source

Source File: 00000000.00000002.4531328256.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10001000_SecuriteInfo.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID:
API String ID: 3476068407-0
Opcode ID: 313425be139a5b0a71f0e29b9f9b5fc8c3fb65275ad68924b044c5295fb65c5d
Instruction ID: e8b066543e31c011d0eb4079a1d9dae6daeeaedf8c7b9d5cb8c0ddbcd33891b2
Opcode Fuzzy Hash: 313425be139a5b0a71f0e29b9f9b5fc8c3fb65275ad68924b044c5295fb65c5d
Instruction Fuzzy Hash: D2F0B43880460E76EB10E6A4EC46D9E336CDF001D0F608130BE24A549AEF70F6598591

Uniqueness

Uniqueness Score: -1.00%

Function 100067B8 Relevance: 3.0, APIs: 2, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 10008E0D: GetEnvironmentStringsW.KERNEL32 ref: 10008E16
Part of subcall function 10008E0D: _free.LIBCMT ref: 10008E75
Part of subcall function 10008E0D: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 10008E84

_free.LIBCMT ref: 100067F8
_free.LIBCMT ref: 100067FF

Memory Dump Source

Source File: 00000000.00000002.4531328256.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10001000_SecuriteInfo.jbxd

Similarity

API ID: _free$EnvironmentStrings$Free
String ID:
API String ID: 2490078468-0
Opcode ID: 27e7eb453691b214d2c45e92c14406a9259c1be68b0e89b864539f49905c338c
Instruction ID: 1b9df0ae2e8b24c1afa660b60c04bfb52ef19de7b96dc652cb42042ec6c5e8b8
Opcode Fuzzy Hash: 27e7eb453691b214d2c45e92c14406a9259c1be68b0e89b864539f49905c338c
Instruction Fuzzy Hash: A4E0E527A0955205F361F73D5D8165D1292EBC52F9B35036BE8288A0CBDEB888430252

Uniqueness

Uniqueness Score: -1.00%

Function 100018B6 Relevance: 3.0, APIs: 2, Instructions: 18COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 100018C6
FreeLibrary.KERNEL32(?), ref: 100018D5

Memory Dump Source

Source File: 00000000.00000002.4531328256.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10001000_SecuriteInfo.jbxd

Similarity

API ID: ChangeCloseFindFreeLibraryNotification
String ID:
API String ID: 1131986616-0
Opcode ID: 16f8e41eb7a6581f6bf482029c550dc52cfba40eb3e37f85145dee9d4e48e252
Instruction ID: 81794de365c880ce6e281f49ed0d5a1814d96401d2491949040feac5c492e9f7
Opcode Fuzzy Hash: 16f8e41eb7a6581f6bf482029c550dc52cfba40eb3e37f85145dee9d4e48e252
Instruction Fuzzy Hash: 9AE0B636D05128ABCF219F95EC4459CBF71FF442B1F10426AE818626A0CB321911EE80

Uniqueness

Uniqueness Score: -1.00%

Function 019B00EC Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNELBASE ref: 019B06BC

Memory Dump Source

Source File: 00000000.00000002.4530281687.00000000019B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19b0000_SecuriteInfo.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: 327da096ea73ca320297a0a107fb5585ac11044164c1f3375c415ada69cabe23
Instruction ID: d21ac567d113ee98c90796bdcc084094e79c045a8f40a13769fb4659749557a1
Opcode Fuzzy Hash: 327da096ea73ca320297a0a107fb5585ac11044164c1f3375c415ada69cabe23
Instruction Fuzzy Hash: 6B11FEB4800749CFDB20DF9AD585BDFBBF4EB48314F208459E519A7250C374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 100079C8 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,0000000C,00000000), ref: 10007A09

Memory Dump Source

Source File: 00000000.00000002.4531328256.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10001000_SecuriteInfo.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: bc1d1882f14aebed3f32e3673b590dbead7f911c5d3af9cb7dc9f39c0c15561b
Instruction ID: b45e33db619aa289bf55cbc080619a37e35f9bb6da0b9b0b382c7deb5700d25c
Opcode Fuzzy Hash: bc1d1882f14aebed3f32e3673b590dbead7f911c5d3af9cb7dc9f39c0c15561b
Instruction Fuzzy Hash: 6BF0B431F0412566FB51CA258C09B5F3798FFC37E0B118421EC0DA6199DA38EE1082E2

Uniqueness

Uniqueness Score: -1.00%

Function 10007949 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 1000797B

Memory Dump Source

Source File: 00000000.00000002.4531328256.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10001000_SecuriteInfo.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 31d65b063271c2cc98795dfbe44263e87d1d95b4a8e39afae6e89f402eec65db
Instruction ID: 35a64d0d1ad1f75ade16a5bf0291917dc1a3227cb118155a425d993cb714a548
Opcode Fuzzy Hash: 31d65b063271c2cc98795dfbe44263e87d1d95b4a8e39afae6e89f402eec65db
Instruction Fuzzy Hash: 68E06D35A2466266FA62D7A58C04B6B7698FF422F1F224220ED4D96598CF69DC0082A2

Uniqueness

Uniqueness Score: -1.00%

Function 0138D5E8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4529098781.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_138d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a22db52e6cad8702627119dc6356afef606b3bec8c49798b4045c016a062f71c
Instruction ID: e325f60c8761382b1b9246d8818a123ebf4da7c67cb04d9befbf83c59e31bcbc
Opcode Fuzzy Hash: a22db52e6cad8702627119dc6356afef606b3bec8c49798b4045c016a062f71c
Instruction Fuzzy Hash: B8212572500308EFDB05EF54D9C0B26BF65FB8832CF64856DE90D0B296C336D456CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0138D5E3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4529098781.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_138d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
Instruction ID: 61cf3f757c38fe476d48be7951fa9647adc434efac35016c09af2df0941c556e
Opcode Fuzzy Hash: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
Instruction Fuzzy Hash: 2311B176504344DFCB16DF54D9C4B16BF71FB84328F2485A9D8090B257C33AD45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0138D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4529098781.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_138d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 629816ac3e6e6520b30b273ad2264d99fd0437c7c0e076cffbfeb41c535cf9dd
Instruction ID: 449db23f10ba7616ec35c5b09b693d8280c36dc883775e530ae78c24b693e2c3
Opcode Fuzzy Hash: 629816ac3e6e6520b30b273ad2264d99fd0437c7c0e076cffbfeb41c535cf9dd
Instruction Fuzzy Hash: 09012BB1004348EAE7106F69DC80B67FF9CEF417A8F08C419ED090F6C6C2799846C6B2

Uniqueness

Uniqueness Score: -1.00%

Function 0138D01C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4529098781.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_138d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 614f779f7cb202a6ad6f41c0ccf2757d8ed4a1237730f95e79c6939b789d4e37
Instruction ID: 3c57a66091ddde0fad4d07e6355a885ea5b18ea4301f8bc29165131944378693
Opcode Fuzzy Hash: 614f779f7cb202a6ad6f41c0ccf2757d8ed4a1237730f95e79c6939b789d4e37
Instruction Fuzzy Hash: E4F0C2B1004344AEEB109F19CC84B63FF98EF41768F18C45AED484E286C2799845CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 001114E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 001114F0
LoadLibraryA.KERNEL32 ref: 00111506
GetProcAddress.KERNEL32 ref: 00111525
GetProcAddress.KERNEL32 ref: 00111537

Strings

libgcc_s_dw2-1.dll, xrefs: 001114E9, 001114FF
__deregister_frame_info, xrefs: 0011152C
__register_frame_info, xrefs: 0011151A

Memory Dump Source

Source File: 00000000.00000002.4528074559.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.4528059831.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528091170.0000000000113000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528111874.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528124963.0000000000135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528139880.0000000000138000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: a9eea7043b3b4a1ae17a9f98d0d31ad3321e1c3d9e295eea419f592c362fdf00
Instruction ID: 84121d999e4205ff8af33e7ee6e82aedb56df250b3377bf7536d827feed46706
Opcode Fuzzy Hash: a9eea7043b3b4a1ae17a9f98d0d31ad3321e1c3d9e295eea419f592c362fdf00
Instruction Fuzzy Hash: 600171B19083049BC3447F78AB4935DFFF5AB45751F02443DE689A7600E7B45488CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 01311644 Relevance: 6.0, APIs: 4, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 01311656
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 01311681
StrStrIA.SHLWAPI(?,1001B09C), ref: 01311693
CreateThread.KERNEL32(00000000,00000000,10001930,?,00000000,00000000), ref: 013116AA

Memory Dump Source

Source File: 00000000.00000002.4528290767.0000000001310000.00000040.00001000.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1310000_SecuriteInfo.jbxd

Similarity

API ID: Module$CreateFileHandleNameThread
String ID:
API String ID: 345888460-0
Opcode ID: bc22102a787501f48ea84cdce432fbd2a449c4f78da8322cd65b092844ce9337
Instruction ID: d474c75162cf6c955b5cffbcabdc44368e59c60d246ca7ef3e21c48ffcfe4a41
Opcode Fuzzy Hash: bc22102a787501f48ea84cdce432fbd2a449c4f78da8322cd65b092844ce9337
Instruction Fuzzy Hash: 6FF090F6900228BBFB109BB08D89FFB3B6CDB143A4F000054FF04D6085DAB59A808BA5

Uniqueness

Uniqueness Score: -1.00%

Function 01315D1F Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,01312281), ref: 01315E17
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,01312281), ref: 01315E21
UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,01312281), ref: 01315E2E

Memory Dump Source

Source File: 00000000.00000002.4528290767.0000000001310000.00000040.00001000.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1310000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 1a684d01aa3d340310010d7e553d4f99adc8a98f39119f449de532147956bca4
Instruction ID: af1789c6db798ae63898f3b99aea87818718e39005966194bc5802cea99fa6fd
Opcode Fuzzy Hash: 1a684d01aa3d340310010d7e553d4f99adc8a98f39119f449de532147956bca4
Instruction Fuzzy Hash: 3A31D2749012299BCF25DF68DD887DDBBB8BF08314F5081EAE41CA7254EB709B858F54

Uniqueness

Uniqueness Score: -1.00%

Function 10005D1B Relevance: 4.6, APIs: 3, Instructions: 77COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 10005E13
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 10005E1D
UnhandledExceptionFilter.KERNEL32(1001AE00,?,?,?,?,?,00000000), ref: 10005E2A

Memory Dump Source

Source File: 00000000.00000002.4531328256.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10001000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 66f87eb88c692d446a3337f7b7ec48d5d389140ebfaa16b2e8f1496432da3c17
Instruction ID: fc5e82cea06a4a99fc7ea00731ad32e7b8d93e39b72e25cea1931271f3ce79ea
Opcode Fuzzy Hash: 66f87eb88c692d446a3337f7b7ec48d5d389140ebfaa16b2e8f1496432da3c17
Instruction Fuzzy Hash: 0931C474901228ABDB61DF24DD8978DBBB8FF08351F5041EAE41CA7261EB709B818F44

Uniqueness

Uniqueness Score: -1.00%

Function 013163A4 Relevance: 4.5, APIs: 3, Instructions: 20COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,013163A3,?,?,?,?,?,0131111D), ref: 013163C6
TerminateProcess.KERNEL32(00000000,?,013163A3,?,?,?,?,?,0131111D), ref: 013163CD
ExitProcess.KERNEL32 ref: 013163DF

Memory Dump Source

Source File: 00000000.00000002.4528290767.0000000001310000.00000040.00001000.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1310000_SecuriteInfo.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: c8e25d0da1505143e5d01438894defa01178ea47247ecff4e357042dbf6ca453
Instruction ID: 17c23583ab96a2895188f5f0d1ae0f45e526131759353fe1e22c484e447e1efb
Opcode Fuzzy Hash: c8e25d0da1505143e5d01438894defa01178ea47247ecff4e357042dbf6ca453
Instruction Fuzzy Hash: 58E08C31000118AFEF162FA8DC49A6D3F6AFB00285F408418F8098653ACBB9DD81DB80

Uniqueness

Uniqueness Score: -1.00%

Function 100063A0 Relevance: 4.5, APIs: 3, Instructions: 20COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,1000639F,1001B130,?,?,1001B130), ref: 100063C2
TerminateProcess.KERNEL32(00000000,?,1000639F,1001B130,?,?,1001B130), ref: 100063C9
ExitProcess.KERNEL32 ref: 100063DB

Memory Dump Source

Source File: 00000000.00000002.4531328256.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10001000_SecuriteInfo.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: c8e25d0da1505143e5d01438894defa01178ea47247ecff4e357042dbf6ca453
Instruction ID: d28d41af693122ef4a3fdc208c9b6ec548cec410dbcf845db7b88d7c1263fef1
Opcode Fuzzy Hash: c8e25d0da1505143e5d01438894defa01178ea47247ecff4e357042dbf6ca453
Instruction Fuzzy Hash: F9E0B635400158AFEB02AF64CC59A583FAAFF842D1B20941CF9099653ACB35ED92DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0131DBF5 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0131DBF0,?,?,00000008,?,?,0131D888,00000000), ref: 0131DE22

Memory Dump Source

Source File: 00000000.00000002.4528290767.0000000001310000.00000040.00001000.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1310000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 565050bbb23ac4cc80e4e588e64591540a0f5e0c240284c510e70732ff30bb2c
Instruction ID: af20dbba6763a62981157966892c3431b8d1d800f1a3f2b824947f33bce3ccba
Opcode Fuzzy Hash: 565050bbb23ac4cc80e4e588e64591540a0f5e0c240284c510e70732ff30bb2c
Instruction Fuzzy Hash: F1B15E31210609DFEB19CF6CC48AB647BE0FF46369F258658E99ACF2A5C335E951CB40

Uniqueness

Uniqueness Score: -1.00%

Function 1000DBF1 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,1000DBEC,?,?,00000008,?,?,1000D884,00000000), ref: 1000DE1E

Memory Dump Source

Source File: 00000000.00000002.4531328256.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10001000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 565050bbb23ac4cc80e4e588e64591540a0f5e0c240284c510e70732ff30bb2c
Instruction ID: d481fbd3fc588cfd4c975a4c04567ca6f41e5e978be349c8cc992988d3df1894
Opcode Fuzzy Hash: 565050bbb23ac4cc80e4e588e64591540a0f5e0c240284c510e70732ff30bb2c
Instruction Fuzzy Hash: BFB17C31610609CFE714DF28C486B597BE1FF453A4F25865AE89ACF2A9C335E982CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01317E08 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4528290767.0000000001310000.00000040.00001000.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1310000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66d61cea230c33a8d3dfc710698f41e031b458c6bd3fcaeaa2bf3c8758886bf8
Instruction ID: f3a6d4392b6fdb5377f86e7683b9091ebe511185939d46e6330081a9665133c6
Opcode Fuzzy Hash: 66d61cea230c33a8d3dfc710698f41e031b458c6bd3fcaeaa2bf3c8758886bf8
Instruction Fuzzy Hash: 8B4193B5C0421DAFDB24DF6DCC88AAABBB9AF45304F1842DDE41DD3215DA359E848F60

Uniqueness

Uniqueness Score: -1.00%

Function 10007E04 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4531328256.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10001000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09267a21b81648f1661c6134b1866c23943eef4ef03b71b119c026507b8e51b5
Instruction ID: 42d0ada291b1fb750969f7353db6fac12aca534de81333c21600c26d88de16c3
Opcode Fuzzy Hash: 09267a21b81648f1661c6134b1866c23943eef4ef03b71b119c026507b8e51b5
Instruction Fuzzy Hash: 3341B2B5C0425DAEEB10DF68CC89AAABBB8FF45340F1442E9E44D93205DA359E858F50

Uniqueness

Uniqueness Score: -1.00%

Function 01319332 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 01319332

Memory Dump Source

Source File: 00000000.00000002.4528290767.0000000001310000.00000040.00001000.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1310000_SecuriteInfo.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 4aa2f3705dbdff619f11796f64f1a48fd6653a63d3d2bce8c1e7b9126c4ad97b
Instruction ID: ace803f740e3770d8527394ad06f469c5582c8735380affea44f9bd0810b6bf9
Opcode Fuzzy Hash: 4aa2f3705dbdff619f11796f64f1a48fd6653a63d3d2bce8c1e7b9126c4ad97b
Instruction Fuzzy Hash: 79A001706012A1DBE7808FB58A8965D3AA9BA8A7D17058669E445C6A64EB348860AA01

Uniqueness

Uniqueness Score: -1.00%

Function 013110B4 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4528290767.0000000001310000.00000040.00001000.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1310000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3a6966d67e9b7f41304b287a3a436391084888ed2587b932ee91a9a2a6b0f71
Instruction ID: 750fe7f7de570d4173e7f48e75ffab854895773ef541da39610b2c30dec2da69
Opcode Fuzzy Hash: f3a6966d67e9b7f41304b287a3a436391084888ed2587b932ee91a9a2a6b0f71
Instruction Fuzzy Hash: 1D714470A042C68FFB198F6DD8D06EEBBE6EB5A214F4481BCC65587352C631DA0AC710

Uniqueness

Uniqueness Score: -1.00%

Function 01310B11 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4528290767.0000000001310000.00000040.00001000.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1310000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bb5c1b61b7b98cbc056ea8f67b9a8ca7ef086e949689a6f228cbbfb2ff37ba7
Instruction ID: ee1a700896fa8527284fbe9d2cdec17d541f1cb94992c217bc716285c416e340
Opcode Fuzzy Hash: 9bb5c1b61b7b98cbc056ea8f67b9a8ca7ef086e949689a6f228cbbfb2ff37ba7
Instruction Fuzzy Hash: D531AC76A0874B8FC318DF18C88092AF7E4FF8932CB09496DE99597316D334F9958B91

Uniqueness

Uniqueness Score: -1.00%

Function 0131E8D4 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4528290767.0000000001310000.00000040.00001000.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1310000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: ce7cc56d8aa869158b5d5159ddfadb30e99a6aa0f8918d23805fdc192ec76cf5
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 83113DBB20414243F6DF8A3ED4B41B7EF97EBC912872D437ADA814B75CD22BE1459600

Uniqueness

Uniqueness Score: -1.00%

Function 1000E8D0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4531328256.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10001000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: fc051c0c77b7d8f285d5e003e25149b07a31b881b68b3ed896d5cc6226ba84c5
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 8A112B776411C283FAC0C53ED4B45ABE3DAEBC63E1729437FD182AB65CD122ED459600

Uniqueness

Uniqueness Score: -1.00%

Function 0131799B Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4528290767.0000000001310000.00000040.00001000.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1310000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08556a0b7e2f291a7373366f56b938cabd7d16554c8359c94350950b64b82922
Instruction ID: a430295b2997fb8212f5aaacf516d493cf18ccdfffc1819ddd857fb304484dfb
Opcode Fuzzy Hash: 08556a0b7e2f291a7373366f56b938cabd7d16554c8359c94350950b64b82922
Instruction Fuzzy Hash: 77E08C32A11228EBCF18DB9CC90498EF7ECEB46B08B150096B601E3110C270DE04C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 10007997 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4531328256.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10001000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08556a0b7e2f291a7373366f56b938cabd7d16554c8359c94350950b64b82922
Instruction ID: fb86bd9e20a4fcbbacb2d46d18a9ba708035e2cf5bc33393a4ad150118a82801
Opcode Fuzzy Hash: 08556a0b7e2f291a7373366f56b938cabd7d16554c8359c94350950b64b82922
Instruction Fuzzy Hash: 5DE0EC72D11228EBCB15DB99C944D8EF3ECFB45A90B114496B505E3115C274DE00C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 0131A051 Relevance: 19.6, APIs: 13, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0131A095

Part of subcall function 0131A36E: _free.LIBCMT ref: 0131A38B
Part of subcall function 0131A36E: _free.LIBCMT ref: 0131A39D
Part of subcall function 0131A36E: _free.LIBCMT ref: 0131A3AF
Part of subcall function 0131A36E: _free.LIBCMT ref: 0131A3C1
Part of subcall function 0131A36E: _free.LIBCMT ref: 0131A3D3
Part of subcall function 0131A36E: _free.LIBCMT ref: 0131A3E5
Part of subcall function 0131A36E: _free.LIBCMT ref: 0131A3F7
Part of subcall function 0131A36E: _free.LIBCMT ref: 0131A409
Part of subcall function 0131A36E: _free.LIBCMT ref: 0131A41B
Part of subcall function 0131A36E: _free.LIBCMT ref: 0131A42D
Part of subcall function 0131A36E: _free.LIBCMT ref: 0131A43F
Part of subcall function 0131A36E: _free.LIBCMT ref: 0131A451
Part of subcall function 0131A36E: _free.LIBCMT ref: 0131A463

_free.LIBCMT ref: 0131A08A

Part of subcall function 01317A29: HeapFree.KERNEL32(00000000,00000000,?,0131A4FF,?,00000000,?,00000002,?,0131A526,?,00000007,?,?,0131A1E8,?), ref: 01317A3F
Part of subcall function 01317A29: GetLastError.KERNEL32(?,?,0131A4FF,?,00000000,?,00000002,?,0131A526,?,00000007,?,?,0131A1E8,?,?), ref: 01317A51

_free.LIBCMT ref: 0131A0AC
_free.LIBCMT ref: 0131A0C1
_free.LIBCMT ref: 0131A0CC
_free.LIBCMT ref: 0131A0EE
_free.LIBCMT ref: 0131A101
_free.LIBCMT ref: 0131A10F
_free.LIBCMT ref: 0131A11A
_free.LIBCMT ref: 0131A152
_free.LIBCMT ref: 0131A159
_free.LIBCMT ref: 0131A176
_free.LIBCMT ref: 0131A18E

Memory Dump Source

Source File: 00000000.00000002.4528290767.0000000001310000.00000040.00001000.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1310000_SecuriteInfo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: e26546ba47295e784be89e24f599072f55e8abfdf4db8aba69f7d24a67a8c275
Instruction ID: 06cfd78570e04cf57e7fac6662f876a22c91d919c46ebe683610c7943824271d
Opcode Fuzzy Hash: e26546ba47295e784be89e24f599072f55e8abfdf4db8aba69f7d24a67a8c275
Instruction Fuzzy Hash: 5F31A3326013429FFB29AABCDC44B9B77E9EF04799F144429E449E7258DF71E990C720

Uniqueness

Uniqueness Score: -1.00%

Function 1000A04D Relevance: 19.6, APIs: 13, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 1000A091

Part of subcall function 1000A36A: _free.LIBCMT ref: 1000A387
Part of subcall function 1000A36A: _free.LIBCMT ref: 1000A399
Part of subcall function 1000A36A: _free.LIBCMT ref: 1000A3AB
Part of subcall function 1000A36A: _free.LIBCMT ref: 1000A3BD
Part of subcall function 1000A36A: _free.LIBCMT ref: 1000A3CF
Part of subcall function 1000A36A: _free.LIBCMT ref: 1000A3E1
Part of subcall function 1000A36A: _free.LIBCMT ref: 1000A3F3
Part of subcall function 1000A36A: _free.LIBCMT ref: 1000A405
Part of subcall function 1000A36A: _free.LIBCMT ref: 1000A417
Part of subcall function 1000A36A: _free.LIBCMT ref: 1000A429
Part of subcall function 1000A36A: _free.LIBCMT ref: 1000A43B
Part of subcall function 1000A36A: _free.LIBCMT ref: 1000A44D
Part of subcall function 1000A36A: _free.LIBCMT ref: 1000A45F

_free.LIBCMT ref: 1000A086

Part of subcall function 10007A25: HeapFree.KERNEL32(00000000,00000000,?,1000A4FB,?,00000000,?,?,?,1000A522,?,00000007,?,?,1000A1E4,?), ref: 10007A3B
Part of subcall function 10007A25: GetLastError.KERNEL32(?,?,1000A4FB,?,00000000,?,?,?,1000A522,?,00000007,?,?,1000A1E4,?,?), ref: 10007A4D

_free.LIBCMT ref: 1000A0A8
_free.LIBCMT ref: 1000A0BD
_free.LIBCMT ref: 1000A0C8
_free.LIBCMT ref: 1000A0EA
_free.LIBCMT ref: 1000A0FD
_free.LIBCMT ref: 1000A10B
_free.LIBCMT ref: 1000A116
_free.LIBCMT ref: 1000A14E
_free.LIBCMT ref: 1000A155
_free.LIBCMT ref: 1000A172
_free.LIBCMT ref: 1000A18A

Memory Dump Source

Source File: 00000000.00000002.4531328256.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10001000_SecuriteInfo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: e26546ba47295e784be89e24f599072f55e8abfdf4db8aba69f7d24a67a8c275
Instruction ID: 23f9c27e7aae87b4a5cbaa185397e73bf3ee55d7d924a4122350e88dda3bc3c2
Opcode Fuzzy Hash: e26546ba47295e784be89e24f599072f55e8abfdf4db8aba69f7d24a67a8c275
Instruction Fuzzy Hash: 73316931A007059FFB21DA38D805B8A73E9FB823D0F114659E449D719AEF35BDD18621

Uniqueness

Uniqueness Score: -1.00%

Function 013116C4 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 163filememoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 013116FB
GetModuleHandleA.KERNEL32(1001B0AC), ref: 01311719
K32GetModuleInformation.KERNEL32(00000000,00000000,?,0000000C), ref: 01311738
CreateFileA.KERNEL32(1001B0B8,80000000,00000001,00000000,00000003,00000000,00000000), ref: 01311766
CreateFileMappingW.KERNEL32(00000000,00000000,01000002,00000000,00000000,00000000), ref: 0131178B
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 013117AB
VirtualProtect.KERNEL32(?,?,00000040,?), ref: 01311841
VirtualProtect.KERNEL32(?,?,?,?), ref: 0131189B
FreeLibrary.KERNEL32(?), ref: 013118D9

Strings

.text, xrefs: 013117F5

Memory Dump Source

Source File: 00000000.00000002.4528290767.0000000001310000.00000040.00001000.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1310000_SecuriteInfo.jbxd

Similarity

API ID: File$CreateModuleProtectVirtual$CurrentFreeHandleInformationLibraryMappingProcessView
String ID: .text
API String ID: 630715071-2719751843
Opcode ID: 42bf4af3205321ef4fb61f54ca1fbf8812ee01829e6fef69a317e5cde49720a9
Instruction ID: 253fded2439e2e9ee08806d15312ebac30817e9150b829de3e5e32ad47ff37a7
Opcode Fuzzy Hash: 42bf4af3205321ef4fb61f54ca1fbf8812ee01829e6fef69a317e5cde49720a9
Instruction Fuzzy Hash: 975168B1D01219EBEB21CFA8CD45BEEBFB5EF05724F208249EA24B72D0C7715A059B50

Uniqueness

Uniqueness Score: -1.00%

Function 00111AC0 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00111AEF
vfprintf.MSVCRT ref: 00111B0F
abort.MSVCRT ref: 00111B14
VirtualQuery.KERNEL32 ref: 00111BAB

Strings

Address %p has no image-section, xrefs: 00111C6B
VirtualProtect failed with code 0x%x, xrefs: 00111C26
Mingw-w64 runtime failure:, xrefs: 00111AE8
VirtualQuery failed for %d bytes at address %p, xrefs: 00111C57

Memory Dump Source

Source File: 00000000.00000002.4528074559.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.4528059831.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528091170.0000000000113000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528111874.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528124963.0000000000135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528139880.0000000000138000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_SecuriteInfo.jbxd

Similarity

API ID: QueryVirtualabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 2513968241-1534286854
Opcode ID: 641f6bfa8b5dc898c443a64c0527c251d48452a80522cb6d977c6d9a81709e3c
Instruction ID: 68c39d40279de78a4d800b2eea39a39653129954668c5a41cf172ee56776baf9
Opcode Fuzzy Hash: 641f6bfa8b5dc898c443a64c0527c251d48452a80522cb6d977c6d9a81709e3c
Instruction Fuzzy Hash: 745161B19087009FC718EF29D98579AFBF0FF84354F45892CE6989B211E734E885CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0131741D Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01317433

Part of subcall function 01317A29: HeapFree.KERNEL32(00000000,00000000,?,0131A4FF,?,00000000,?,00000002,?,0131A526,?,00000007,?,?,0131A1E8,?), ref: 01317A3F
Part of subcall function 01317A29: GetLastError.KERNEL32(?,?,0131A4FF,?,00000000,?,00000002,?,0131A526,?,00000007,?,?,0131A1E8,?,?), ref: 01317A51

_free.LIBCMT ref: 0131743F
_free.LIBCMT ref: 0131744A
_free.LIBCMT ref: 01317455
_free.LIBCMT ref: 01317460
_free.LIBCMT ref: 0131746B
_free.LIBCMT ref: 01317476
_free.LIBCMT ref: 01317481
_free.LIBCMT ref: 0131748C
_free.LIBCMT ref: 0131749A

Memory Dump Source

Source File: 00000000.00000002.4528290767.0000000001310000.00000040.00001000.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1310000_SecuriteInfo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 444e1461b92e8379c93735419ce03fb5bf1cdfdc2681cae070e80e97769a2938
Instruction ID: f76b1b8706669b49c2ebfe86b38182c742c3ecb96076080fa093755c98c34ab8
Opcode Fuzzy Hash: 444e1461b92e8379c93735419ce03fb5bf1cdfdc2681cae070e80e97769a2938
Instruction Fuzzy Hash: 0921E77691010AEFDB05EFD9D880CDE7BB8BF18684F0451A6F515AB224DB31EB54CB80

Uniqueness

Uniqueness Score: -1.00%

Function 10007419 Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 1000742F

Part of subcall function 10007A25: HeapFree.KERNEL32(00000000,00000000,?,1000A4FB,?,00000000,?,?,?,1000A522,?,00000007,?,?,1000A1E4,?), ref: 10007A3B
Part of subcall function 10007A25: GetLastError.KERNEL32(?,?,1000A4FB,?,00000000,?,?,?,1000A522,?,00000007,?,?,1000A1E4,?,?), ref: 10007A4D

_free.LIBCMT ref: 1000743B
_free.LIBCMT ref: 10007446
_free.LIBCMT ref: 10007451
_free.LIBCMT ref: 1000745C
_free.LIBCMT ref: 10007467
_free.LIBCMT ref: 10007472
_free.LIBCMT ref: 1000747D
_free.LIBCMT ref: 10007488
_free.LIBCMT ref: 10007496

Memory Dump Source

Source File: 00000000.00000002.4531328256.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10001000_SecuriteInfo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 444e1461b92e8379c93735419ce03fb5bf1cdfdc2681cae070e80e97769a2938
Instruction ID: e5657994adc7ed1a2cc246168dd0796c991dd7514e8393f5882922e176fde322
Opcode Fuzzy Hash: 444e1461b92e8379c93735419ce03fb5bf1cdfdc2681cae070e80e97769a2938
Instruction Fuzzy Hash: 9821BA7AD10108AFDB41DFA8D881DDE7BB8FF48280F0091A6F5199B126DB35EB55CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00111FE0 Relevance: 12.1, APIs: 8, Instructions: 90COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 0011201F
signal.MSVCRT ref: 00112066
signal.MSVCRT ref: 0011207F
signal.MSVCRT ref: 001120A6
signal.MSVCRT ref: 001120EA

Memory Dump Source

Source File: 00000000.00000002.4528074559.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.4528059831.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528091170.0000000000113000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528111874.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528124963.0000000000135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528139880.0000000000138000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_SecuriteInfo.jbxd

Similarity

API ID: signal
String ID:
API String ID: 1946981877-0
Opcode ID: 743c39f8c13b48142a4904d914197be51146af2c4df5b4b0bf89c19cc4225565
Instruction ID: eb5a1b44638c410820af8cec604225f5435f48fcd04274b39d8fc25b4a45e223
Opcode Fuzzy Hash: 743c39f8c13b48142a4904d914197be51146af2c4df5b4b0bf89c19cc4225565
Instruction Fuzzy Hash: 3A3141B01082049AE72CAF78C5413EE76E0BB59364F214B29F5E4C72D1DB7AC8E59753

Uniqueness

Uniqueness Score: -1.00%

Function 0131A50D Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0131A4D5: _free.LIBCMT ref: 0131A4FA

_free.LIBCMT ref: 0131A55B

Part of subcall function 01317A29: HeapFree.KERNEL32(00000000,00000000,?,0131A4FF,?,00000000,?,00000002,?,0131A526,?,00000007,?,?,0131A1E8,?), ref: 01317A3F
Part of subcall function 01317A29: GetLastError.KERNEL32(?,?,0131A4FF,?,00000000,?,00000002,?,0131A526,?,00000007,?,?,0131A1E8,?,?), ref: 01317A51

_free.LIBCMT ref: 0131A566
_free.LIBCMT ref: 0131A571
_free.LIBCMT ref: 0131A5C5
_free.LIBCMT ref: 0131A5D0
_free.LIBCMT ref: 0131A5DB
_free.LIBCMT ref: 0131A5E6

Memory Dump Source

Source File: 00000000.00000002.4528290767.0000000001310000.00000040.00001000.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1310000_SecuriteInfo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 480fce83c62a8c88322a9145a6a51a6461a5144a693670f6f3967c9e7c736e28
Instruction ID: d692a8aad57a5d1ffe557976180d2c9476af4946bcda4d835e898e46e3207aa5
Opcode Fuzzy Hash: 480fce83c62a8c88322a9145a6a51a6461a5144a693670f6f3967c9e7c736e28
Instruction Fuzzy Hash: 3311B132581B4ABAE524FBF8CC09FCB779C9F28715F400814B299B7258DE28B6145681

Uniqueness

Uniqueness Score: -1.00%

Function 1000A509 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 1000A4D1: _free.LIBCMT ref: 1000A4F6

_free.LIBCMT ref: 1000A557

Part of subcall function 10007A25: HeapFree.KERNEL32(00000000,00000000,?,1000A4FB,?,00000000,?,?,?,1000A522,?,00000007,?,?,1000A1E4,?), ref: 10007A3B
Part of subcall function 10007A25: GetLastError.KERNEL32(?,?,1000A4FB,?,00000000,?,?,?,1000A522,?,00000007,?,?,1000A1E4,?,?), ref: 10007A4D

_free.LIBCMT ref: 1000A562
_free.LIBCMT ref: 1000A56D
_free.LIBCMT ref: 1000A5C1
_free.LIBCMT ref: 1000A5CC
_free.LIBCMT ref: 1000A5D7
_free.LIBCMT ref: 1000A5E2

Memory Dump Source

Source File: 00000000.00000002.4531328256.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10001000_SecuriteInfo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 480fce83c62a8c88322a9145a6a51a6461a5144a693670f6f3967c9e7c736e28
Instruction ID: 6a08519c30dc542fe6de3a9ca7c5e370eea6b5a1d22980f46e9e482a9f3ecec5
Opcode Fuzzy Hash: 480fce83c62a8c88322a9145a6a51a6461a5144a693670f6f3967c9e7c736e28
Instruction Fuzzy Hash: 6A11B139E00B14BAF520E7B4CC0BFCB779CFF86380F404A18B69D66057DAA8B6905641

Uniqueness

Uniqueness Score: -1.00%

Function 0131B3A0 Relevance: 9.3, APIs: 6, Instructions: 317fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 0131B3E8
__fassign.LIBCMT ref: 0131B5CD
__fassign.LIBCMT ref: 0131B5EA
WriteFile.KERNEL32(?,01319A41,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0131B632
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0131B672
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0131B71A

Memory Dump Source

Source File: 00000000.00000002.4528290767.0000000001310000.00000040.00001000.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1310000_SecuriteInfo.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: 3130eea70465d9b11516ab5b052090fdbb9f79e2c8e3d351a7d1abefc53ad05a
Instruction ID: f305d31fb3a0335224cfe1eeef22b142f63d041fa5d99142b6402668bfd4918b
Opcode Fuzzy Hash: 3130eea70465d9b11516ab5b052090fdbb9f79e2c8e3d351a7d1abefc53ad05a
Instruction Fuzzy Hash: 87C1BC75D002989FDF19CFA8C8809EDFBB5AF48318F28816AE855F7349D6319906CF60

Uniqueness

Uniqueness Score: -1.00%

Function 1000B39C Relevance: 9.3, APIs: 6, Instructions: 317fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 1000B3E4
__fassign.LIBCMT ref: 1000B5C9
__fassign.LIBCMT ref: 1000B5E6
WriteFile.KERNEL32(?,10009A3D,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 1000B62E
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 1000B66E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 1000B716

Memory Dump Source

Source File: 00000000.00000002.4531328256.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10001000_SecuriteInfo.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: 7a952c2bc6f47714c73ebaa6f2af0fe67482dcd2af05cb134e4b3c42274bbe7f
Instruction ID: c2b63a17de41499b507ccd561170f38153bb6c8ffa4b1ecf6f2925608295950f
Opcode Fuzzy Hash: 7a952c2bc6f47714c73ebaa6f2af0fe67482dcd2af05cb134e4b3c42274bbe7f
Instruction Fuzzy Hash: 1CC19E75D046989FEB11CFE8C8809EDBBB5EF48344F28416AE855BB346D631AD42CF60

Uniqueness

Uniqueness Score: -1.00%

Function 01313B98 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,013133F6,013123BE,013126B1), ref: 01313BA6
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 01313BB4
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 01313BCD
SetLastError.KERNEL32(00000000,?,013133F6,013123BE,013126B1), ref: 01313C1F

Memory Dump Source

Source File: 00000000.00000002.4528290767.0000000001310000.00000040.00001000.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1310000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 3e83183417763c9cfa2e44375187fee262c99798befa417dc6021065c52d0869
Instruction ID: 311351a07e010f910abd5d0c11ec774924346ecd936cf5b2886fe4c345b65178
Opcode Fuzzy Hash: 3e83183417763c9cfa2e44375187fee262c99798befa417dc6021065c52d0869
Instruction Fuzzy Hash: CB01AC332193326EFA1E7B7D6CC476B2A55FF056BDB20422EF524851E9FF618841A150

Uniqueness

Uniqueness Score: -1.00%

Function 10003B94 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,100033F2,100023BA,100026AD), ref: 10003BA2
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10003BB0
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 10003BC9
SetLastError.KERNEL32(00000000,?,100033F2,100023BA,100026AD), ref: 10003C1B

Memory Dump Source

Source File: 00000000.00000002.4531328256.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10001000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 4f03ea6735c2e5eabf14a80d6b60370eeecb975f0264ee0372e0d35928224f4b
Instruction ID: 7ebccb4347339e10fa964b6b3c71b5ce2705e845a88eeb28b2357f110b4ae066
Opcode Fuzzy Hash: 4f03ea6735c2e5eabf14a80d6b60370eeecb975f0264ee0372e0d35928224f4b
Instruction Fuzzy Hash: E001D83A21A6726DF217FB749CC5E1B2B9CFB055F5B30C32AF510910EAEF219C026240

Uniqueness

Uniqueness Score: -1.00%

Function 01318295 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe, xrefs: 0131829A

Memory Dump Source

Source File: 00000000.00000002.4528290767.0000000001310000.00000040.00001000.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1310000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe
API String ID: 0-3005402082
Opcode ID: f5272675ea7994c64460e9d8fde802c34aa565be461d8244888e465bbaeec55a
Instruction ID: dab773f95a62b8c474fc922c864ea2ea96949e5491725deb1cb1e6780404b341
Opcode Fuzzy Hash: f5272675ea7994c64460e9d8fde802c34aa565be461d8244888e465bbaeec55a
Instruction Fuzzy Hash: 8F21263520420ABFDB1AAF798C8096B775DEF5136C7084E54F918D3169E730EC0087A4

Uniqueness

Uniqueness Score: -1.00%

Function 10008291 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe, xrefs: 10008296

Memory Dump Source

Source File: 00000000.00000002.4531328256.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10001000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe
API String ID: 0-3005402082
Opcode ID: f5272675ea7994c64460e9d8fde802c34aa565be461d8244888e465bbaeec55a
Instruction ID: 5973c44a109389617354e6a105dc31dc08590b48bfdd6b3e0bf862e7db057c6e
Opcode Fuzzy Hash: f5272675ea7994c64460e9d8fde802c34aa565be461d8244888e465bbaeec55a
Instruction Fuzzy Hash: 8A21D17520465ABFFB10DF608C8091B77ADFF806E47158A24FAA487159EB31FF408760

Uniqueness

Uniqueness Score: -1.00%

Function 01316A7D Relevance: 7.6, APIs: 5, Instructions: 119COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 01316AEB
_free.LIBCMT ref: 01316B0B
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 01316B6C
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 01316B7E
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 01316B8B

Memory Dump Source

Source File: 00000000.00000002.4528290767.0000000001310000.00000040.00001000.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1310000_SecuriteInfo.jbxd

Similarity

API ID: __crt_fast_encode_pointer$_free
String ID:
API String ID: 366466260-0
Opcode ID: 9ea0d077f56d082f0244d58ff494a3ce0d5827ad2ecc96ab6cea9f4a433516e2
Instruction ID: 206821563c1e93771a4dbcac5b1f5fee80a73e1a7abe0bcda3a6a08a2055f285
Opcode Fuzzy Hash: 9ea0d077f56d082f0244d58ff494a3ce0d5827ad2ecc96ab6cea9f4a433516e2
Instruction Fuzzy Hash: 2541D5B2A002149FDB18DFADC881A5EB7F6EF88718F1584A8D615EB345D771ED02CB80

Uniqueness

Uniqueness Score: -1.00%

Function 10006A79 Relevance: 7.6, APIs: 5, Instructions: 119COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 10006AE7
_free.LIBCMT ref: 10006B07
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 10006B68
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 10006B7A
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 10006B87

Memory Dump Source

Source File: 00000000.00000002.4531328256.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10001000_SecuriteInfo.jbxd

Similarity

API ID: __crt_fast_encode_pointer$_free
String ID:
API String ID: 366466260-0
Opcode ID: 9ea0d077f56d082f0244d58ff494a3ce0d5827ad2ecc96ab6cea9f4a433516e2
Instruction ID: a71a9c86dbed923a9ac41e3d201ccc45f352d777cfe71cce0c5d600494963926
Opcode Fuzzy Hash: 9ea0d077f56d082f0244d58ff494a3ce0d5827ad2ecc96ab6cea9f4a433516e2
Instruction Fuzzy Hash: 4341B676B002109BEB10DFA8C881A5DB3F6EF89794B264469D645EB345D730ED41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0131A46C Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0131A484

Part of subcall function 01317A29: HeapFree.KERNEL32(00000000,00000000,?,0131A4FF,?,00000000,?,00000002,?,0131A526,?,00000007,?,?,0131A1E8,?), ref: 01317A3F
Part of subcall function 01317A29: GetLastError.KERNEL32(?,?,0131A4FF,?,00000000,?,00000002,?,0131A526,?,00000007,?,?,0131A1E8,?,?), ref: 01317A51

_free.LIBCMT ref: 0131A496
_free.LIBCMT ref: 0131A4A8
_free.LIBCMT ref: 0131A4BA
_free.LIBCMT ref: 0131A4CC

Memory Dump Source

Source File: 00000000.00000002.4528290767.0000000001310000.00000040.00001000.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1310000_SecuriteInfo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f04bf57bb100680fa17d3bcd6f03363407a82ab894c155684a2f6d4914dcf5fa
Instruction ID: 2fd176f06ba8e1312a1ed90ddf27b99da879c593d9e81af70bed606bd2c70817
Opcode Fuzzy Hash: f04bf57bb100680fa17d3bcd6f03363407a82ab894c155684a2f6d4914dcf5fa
Instruction Fuzzy Hash: 04F0AF33129221ABE228FB9CE8C5C463BD9FA047683599806F108E7688CA30FC904A14

Uniqueness

Uniqueness Score: -1.00%

Function 1000A468 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 1000A480

Part of subcall function 10007A25: HeapFree.KERNEL32(00000000,00000000,?,1000A4FB,?,00000000,?,?,?,1000A522,?,00000007,?,?,1000A1E4,?), ref: 10007A3B
Part of subcall function 10007A25: GetLastError.KERNEL32(?,?,1000A4FB,?,00000000,?,?,?,1000A522,?,00000007,?,?,1000A1E4,?,?), ref: 10007A4D

_free.LIBCMT ref: 1000A492
_free.LIBCMT ref: 1000A4A4
_free.LIBCMT ref: 1000A4B6
_free.LIBCMT ref: 1000A4C8

Memory Dump Source

Source File: 00000000.00000002.4531328256.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10001000_SecuriteInfo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f04bf57bb100680fa17d3bcd6f03363407a82ab894c155684a2f6d4914dcf5fa
Instruction ID: 1168c823901e5db6dccbd42ca0d523f263c89a7ead570df68ec67f5f204cb02c
Opcode Fuzzy Hash: f04bf57bb100680fa17d3bcd6f03363407a82ab894c155684a2f6d4914dcf5fa
Instruction Fuzzy Hash: D6F04F35A182109BE690FB68E4C6C4A73F9FBC22E0350990AF00CD7589DB78FCC18660

Uniqueness

Uniqueness Score: -1.00%

Function 00111C80 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 231COMMON

Download Yara Rule

Strings

Unknown pseudo relocation bit size %d., xrefs: 00111D9E
%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00111EA6
Unknown pseudo relocation protocol version %d., xrefs: 00111F5B

Memory Dump Source

Source File: 00000000.00000002.4528074559.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.4528059831.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528091170.0000000000113000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528111874.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528124963.0000000000135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528139880.0000000000138000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 0-1286557213
Opcode ID: 921d0947ba6dce7dae181637425a0a93554daf16c77189793c14bee657f12455
Instruction ID: fdaaea0af68e1a03d7bac672c2ffd7c7545edb6919ab18f04f6b21f5ab51851d
Opcode Fuzzy Hash: 921d0947ba6dce7dae181637425a0a93554daf16c77189793c14bee657f12455
Instruction Fuzzy Hash: 5091A171A046159BCB18DF68E9806EEFBF2FF88380F154529EE94A7354D330E885CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01317C19 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01317DB3

Strings

*?, xrefs: 01317C5C

Memory Dump Source

Source File: 00000000.00000002.4528290767.0000000001310000.00000040.00001000.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1310000_SecuriteInfo.jbxd

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: a379ad0498d1bfa82fc73f87a6b09752013568341b8b413912cc90409a7bb23a
Instruction ID: 2bcb0ff05a985baaa00a994f8bcb2d9a684647a5164caaeab96e6c1c6c4f4ee3
Opcode Fuzzy Hash: a379ad0498d1bfa82fc73f87a6b09752013568341b8b413912cc90409a7bb23a
Instruction Fuzzy Hash: 4B612AB6E0021A9FDF19DFACC8805EDFBF5EF48354B28816AD815E7344D631AE418B90

Uniqueness

Uniqueness Score: -1.00%

Function 10007C15 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 10007DAF

Strings

*?, xrefs: 10007C58

Memory Dump Source

Source File: 00000000.00000002.4531328256.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10001000_SecuriteInfo.jbxd

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: a379ad0498d1bfa82fc73f87a6b09752013568341b8b413912cc90409a7bb23a
Instruction ID: 75d766dfcdc14df3a16d4d30c49d252bd365b8258aa7062e43023e3f720f993f
Opcode Fuzzy Hash: a379ad0498d1bfa82fc73f87a6b09752013568341b8b413912cc90409a7bb23a
Instruction Fuzzy Hash: 32614275D0021A9FEB14CFA8C8819EDFBF5FF48390B25816AE819E7344D775AE418B90

Uniqueness

Uniqueness Score: -1.00%

Function 01317B2D Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 0131814F: _free.LIBCMT ref: 0131815D

Part of subcall function 01318D23: WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,00000001,01319A41,0131BD28,0000FDE9,00000000,?,?,?,0131BAA1,0000FDE9,00000000,?), ref: 01318DCF

GetLastError.KERNEL32 ref: 01317B95
__dosmaperr.LIBCMT ref: 01317B9C
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 01317BDB
__dosmaperr.LIBCMT ref: 01317BE2

Memory Dump Source

Source File: 00000000.00000002.4528290767.0000000001310000.00000040.00001000.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1310000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 2d13615152cd7a3aab0b518301b32f107b15c398a867bcdfab5a46094f6214a7
Instruction ID: f9cad1a35e177293875f63f7d529f3a515411a2eff9ca3dbbcfe4e2b47406ebb
Opcode Fuzzy Hash: 2d13615152cd7a3aab0b518301b32f107b15c398a867bcdfab5a46094f6214a7
Instruction Fuzzy Hash: 4A21F87160021AAFDB299FAD8C80C7BB79DFF5526C714C528FA2993554D730EC018750

Uniqueness

Uniqueness Score: -1.00%

Function 10007B29 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 1000814B: _free.LIBCMT ref: 10008159

Part of subcall function 10008D1F: WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,00000001,10009A3D,1000BD24,0000FDE9,00000000,?,?,?,1000BA9D,0000FDE9,00000000,?), ref: 10008DCB

GetLastError.KERNEL32 ref: 10007B91
__dosmaperr.LIBCMT ref: 10007B98
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 10007BD7
__dosmaperr.LIBCMT ref: 10007BDE

Memory Dump Source

Source File: 00000000.00000002.4531328256.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10001000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 2d13615152cd7a3aab0b518301b32f107b15c398a867bcdfab5a46094f6214a7
Instruction ID: 8a0ea04460a933745a492a533750d66dc63a6fe5784d0a96b6a1d7f0933c2854
Opcode Fuzzy Hash: 2d13615152cd7a3aab0b518301b32f107b15c398a867bcdfab5a46094f6214a7
Instruction Fuzzy Hash: BD21D375A0425AAFFB10DF658C80E5BB7EEFF002E43108128F95C87149EB39ED0187A0

Uniqueness

Uniqueness Score: -1.00%

Function 01318F50 Relevance: 6.1, APIs: 4, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4528290767.0000000001310000.00000040.00001000.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1310000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b149e3b77e4d7fa048a852574249fba67e2eca2367cb74996d17989fa0385528
Instruction ID: e648fbd354f8fd63d5873379ead900ad76e55137243e34b7deb194b8b8591a0a
Opcode Fuzzy Hash: b149e3b77e4d7fa048a852574249fba67e2eca2367cb74996d17989fa0385528
Instruction Fuzzy Hash: 33212B32A05231EBE726CB6C9C80B2B3759AF007ACF150254EB06A7699D770DD08C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 10008F4C Relevance: 6.1, APIs: 4, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4531328256.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10001000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b149e3b77e4d7fa048a852574249fba67e2eca2367cb74996d17989fa0385528
Instruction ID: b4c3b56f94c89cf6525db24b450891e45fc970c71f978cf6fce7a9cf5e64a853
Opcode Fuzzy Hash: b149e3b77e4d7fa048a852574249fba67e2eca2367cb74996d17989fa0385528
Instruction Fuzzy Hash: 8A219971A05237ABF721CB748C84A6E3696FF056E0F210134EE95A7199D630DE0097E0

Uniqueness

Uniqueness Score: -1.00%

Function 01317561 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00000000,01315CCC,00000000,?,1001E428,?,0131111D,51715654), ref: 01317566
_free.LIBCMT ref: 013175C3
_free.LIBCMT ref: 013175F9
SetLastError.KERNEL32(00000000,1001D060,000000FF,?,1001E428,?,0131111D,51715654), ref: 01317604

Memory Dump Source

Source File: 00000000.00000002.4528290767.0000000001310000.00000040.00001000.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1310000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: ca2045c2ede6909046ebb6de5faf6dc40db05544a127ee0c1fd41aee851efbec
Instruction ID: b42a14f78313f865f50c3622b02722f1fbf8b79ef3cb6e6635a332138486fd8a
Opcode Fuzzy Hash: ca2045c2ede6909046ebb6de5faf6dc40db05544a127ee0c1fd41aee851efbec
Instruction Fuzzy Hash: E611023220015B6AE61EB7BD8CC8F3B356E9BE51BCB2C0A38F220931D9DE71C8114310

Uniqueness

Uniqueness Score: -1.00%

Function 1000755D Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000,?,10005F53,?,10001AD3,00000000), ref: 10007562
_free.LIBCMT ref: 100075BF
_free.LIBCMT ref: 100075F5
SetLastError.KERNEL32(00000000,1001D060,000000FF,?,10005F53,?,10001AD3,00000000), ref: 10007600

Memory Dump Source

Source File: 00000000.00000002.4531328256.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10001000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 67db74bece170496939b8c5139b99638e393e73ad7f3f8c58c4bf650fb203522
Instruction ID: 028f4aea2d4eb734ad490660d2abce2a308b5f9f336b45f59c874a46201f0db1
Opcode Fuzzy Hash: 67db74bece170496939b8c5139b99638e393e73ad7f3f8c58c4bf650fb203522
Instruction Fuzzy Hash: 69112C36B049522AF601F3B44CC5FAE21ABFBC51F2B210624F52C931DADEB9DC115211

Uniqueness

Uniqueness Score: -1.00%

Function 013176B8 Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(01312281,01312281,00000002,01315FDD,01317990,00000000,?,01313303,00000002,00000000,?,00000000,?,0131219A,01312281,00000004), ref: 013176BD
_free.LIBCMT ref: 0131771A
_free.LIBCMT ref: 01317750
SetLastError.KERNEL32(00000000,1001D060,000000FF,?,01313303,00000002,00000000,?,00000000,?,0131219A,01312281,00000004,00000000,00000000,00000000), ref: 0131775B

Memory Dump Source

Source File: 00000000.00000002.4528290767.0000000001310000.00000040.00001000.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1310000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 513d8dd2c5c0007f27d0cdc77bb2cc100b5bbab3944e918e7a67d286b7d82931
Instruction ID: 0f4b9e53eb2746b2955c3f0f52a6b6c89f52314d2336290aa66676f216156434
Opcode Fuzzy Hash: 513d8dd2c5c0007f27d0cdc77bb2cc100b5bbab3944e918e7a67d286b7d82931
Instruction Fuzzy Hash: BC11E5322041262AE61AB7BD4CC4F3A366AABD52FCF290639F525931D9DE31CC114320

Uniqueness

Uniqueness Score: -1.00%

Function 100076B4 Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,10005FD9,1000798C,?,?,100022D3,?,?,1000195A), ref: 100076B9
_free.LIBCMT ref: 10007716
_free.LIBCMT ref: 1000774C
SetLastError.KERNEL32(00000000,1001D060,000000FF,?,?,?,10005FD9,1000798C,?,?,100022D3,?,?,1000195A), ref: 10007757

Memory Dump Source

Source File: 00000000.00000002.4531328256.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10001000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 28f7ca06522628db5455a95b119d03fd96581a16a052025b7cfcaa84c6516755
Instruction ID: 745e41052fbaca32f42bb756e37683497573d5eee9d081bc88f04d8afc660264
Opcode Fuzzy Hash: 28f7ca06522628db5455a95b119d03fd96581a16a052025b7cfcaa84c6516755
Instruction Fuzzy Hash: 55110C36F045162AF611F7784CC5F5B22ABFBC11F5B210125F52D871EADE79DC165220

Uniqueness

Uniqueness Score: -1.00%

Function 00111001 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 0011106B
__p__fmode.MSVCRT ref: 00111070
__p__commode.MSVCRT ref: 0011107D

Memory Dump Source

Source File: 00000000.00000002.4528074559.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.4528059831.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528091170.0000000000113000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528111874.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528124963.0000000000135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528139880.0000000000138000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_SecuriteInfo.jbxd

Similarity

API ID: __p__commode__p__fmode__set_app_type
String ID:
API String ID: 3338496922-0
Opcode ID: 9890280a06709117213a87ccabd329a27772a8a403e4d2e18ac7fe7346a9f201
Instruction ID: 429bc8b1d6045199f41b36ba5dbe4ca4e4a96ce7254a634bd606d312d0b49d08
Opcode Fuzzy Hash: 9890280a06709117213a87ccabd329a27772a8a403e4d2e18ac7fe7346a9f201
Instruction Fuzzy Hash: 3C21E130E00242DBC71CEF20D9013E5B3E0FB48344F558578F2594BA16E77AA8CACB91

Uniqueness

Uniqueness Score: -1.00%

Function 01314350 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0131436A

Part of subcall function 013142B7: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 013142E6
Part of subcall function 013142B7: ___AdjustPointer.LIBCMT ref: 01314301

_UnwindNestedFrames.LIBCMT ref: 0131437F
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 01314390
CallCatchBlock.LIBVCRUNTIME ref: 013143B8

Memory Dump Source

Source File: 00000000.00000002.4528290767.0000000001310000.00000040.00001000.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1310000_SecuriteInfo.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: edff6a3e03afdedac9693981a91b17a778d153779bc220ac19370dc36ccaea4f
Instruction ID: db1f6e692518b4710e3838a3ee1836f5f5d1e8b0c1cc604aa0cb51739e08dd0b
Opcode Fuzzy Hash: edff6a3e03afdedac9693981a91b17a778d153779bc220ac19370dc36ccaea4f
Instruction Fuzzy Hash: 2C012932100109BBDF165F99CD41EEB3F7AEF99798F044404FE48A6124C732E861EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000434C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 10004366

Part of subcall function 100042B3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 100042E2
Part of subcall function 100042B3: ___AdjustPointer.LIBCMT ref: 100042FD

_UnwindNestedFrames.LIBCMT ref: 1000437B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 1000438C
CallCatchBlock.LIBVCRUNTIME ref: 100043B4

Memory Dump Source

Source File: 00000000.00000002.4531328256.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10001000_SecuriteInfo.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: edff6a3e03afdedac9693981a91b17a778d153779bc220ac19370dc36ccaea4f
Instruction ID: 13e522a11cfe9bb0f3bc65b8fd23c1ca840af45212fbea489e3d86782dc863f8
Opcode Fuzzy Hash: edff6a3e03afdedac9693981a91b17a778d153779bc220ac19370dc36ccaea4f
Instruction Fuzzy Hash: 96012976100149BBEF028E95CC42EEF7BAEEF89794F064004FE4866125C732E961DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0131C7AA Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,0131C20E,?,00000001,?,00000001,?,0131B777,?,?,00000001), ref: 0131C7C1
GetLastError.KERNEL32(?,0131C20E,?,00000001,?,00000001,?,0131B777,?,?,00000001,?,00000001,?,0131BCC3,01319A41), ref: 0131C7CD

Part of subcall function 0131C793: CloseHandle.KERNEL32(1001D860,0131C7DD,?,0131C20E,?,00000001,?,00000001,?,0131B777,?,?,00000001,?,00000001), ref: 0131C7A3

___initconout.LIBCMT ref: 0131C7DD

Part of subcall function 0131C755: CreateFileW.KERNEL32(10012ED8,40000000,00000003,00000000,00000003,00000000,00000000,0131C784,0131C1FB,00000001,?,0131B777,?,?,00000001,?), ref: 0131C768

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,0131C20E,?,00000001,?,00000001,?,0131B777,?,?,00000001,?), ref: 0131C7F2

Memory Dump Source

Source File: 00000000.00000002.4528290767.0000000001310000.00000040.00001000.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1310000_SecuriteInfo.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 3e8b5c4873023ce78c5e006788060d58dc10928f671adff8be74f67d3b61025a
Instruction ID: 82ee11210cebf7514a3a34c8405cb96a27e4d495a0ceb635daa27931f02e1e77
Opcode Fuzzy Hash: 3e8b5c4873023ce78c5e006788060d58dc10928f671adff8be74f67d3b61025a
Instruction Fuzzy Hash: 76F0303A040139BFDF227FA5CC48A993F76FB082B0B004014FF1996135DB72C820AB90

Uniqueness

Uniqueness Score: -1.00%

Function 1000C7A6 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,1000C20A,?,00000001,?,00000001,?,1000B773,?,?,00000001), ref: 1000C7BD
GetLastError.KERNEL32(?,1000C20A,?,00000001,?,00000001,?,1000B773,?,?,00000001,?,00000001,?,1000BCBF,10009A3D), ref: 1000C7C9

Part of subcall function 1000C78F: CloseHandle.KERNEL32(1001D860,1000C7D9,?,1000C20A,?,00000001,?,00000001,?,1000B773,?,?,00000001,?,00000001), ref: 1000C79F

___initconout.LIBCMT ref: 1000C7D9

Part of subcall function 1000C751: CreateFileW.KERNEL32(10012ED8,40000000,00000003,00000000,00000003,00000000,00000000,1000C780,1000C1F7,00000001,?,1000B773,?,?,00000001,?), ref: 1000C764

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,1000C20A,?,00000001,?,00000001,?,1000B773,?,?,00000001,?), ref: 1000C7EE

Memory Dump Source

Source File: 00000000.00000002.4531328256.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10001000_SecuriteInfo.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 3e8b5c4873023ce78c5e006788060d58dc10928f671adff8be74f67d3b61025a
Instruction ID: 74073595b79dbcfe4d645a5764d908114dcc060acbde7e8b16f5045f31ca4ebc
Opcode Fuzzy Hash: 3e8b5c4873023ce78c5e006788060d58dc10928f671adff8be74f67d3b61025a
Instruction Fuzzy Hash: DBF0A23A50416DBBEF126FD5CC44E9A3F66EB082F1B054014FB1C95525DB31D861EB94

Uniqueness

Uniqueness Score: -1.00%

Function 01316D9F Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01316DA8

Part of subcall function 01317A29: HeapFree.KERNEL32(00000000,00000000,?,0131A4FF,?,00000000,?,00000002,?,0131A526,?,00000007,?,?,0131A1E8,?), ref: 01317A3F
Part of subcall function 01317A29: GetLastError.KERNEL32(?,?,0131A4FF,?,00000000,?,00000002,?,0131A526,?,00000007,?,?,0131A1E8,?,?), ref: 01317A51

_free.LIBCMT ref: 01316DBB
_free.LIBCMT ref: 01316DCC
_free.LIBCMT ref: 01316DDD

Memory Dump Source

Source File: 00000000.00000002.4528290767.0000000001310000.00000040.00001000.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1310000_SecuriteInfo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2b0c8f2609e1e4d19fe36947605b32938c7631f69fdd2cb405b6aa7a0151ab25
Instruction ID: 1f65e1e3cbb2fbedb9c7975f84c825ff4b1876836eec0ca303ae0aba496db097
Opcode Fuzzy Hash: 2b0c8f2609e1e4d19fe36947605b32938c7631f69fdd2cb405b6aa7a0151ab25
Instruction Fuzzy Hash: 17E0B6B6C202B29AF60AAFA99CC458DBA61E75CB54305C006E42423334C6B18FB2DFD1

Uniqueness

Uniqueness Score: -1.00%

Function 10006D9B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 10006DA4

Part of subcall function 10007A25: HeapFree.KERNEL32(00000000,00000000,?,1000A4FB,?,00000000,?,?,?,1000A522,?,00000007,?,?,1000A1E4,?), ref: 10007A3B
Part of subcall function 10007A25: GetLastError.KERNEL32(?,?,1000A4FB,?,00000000,?,?,?,1000A522,?,00000007,?,?,1000A1E4,?,?), ref: 10007A4D

_free.LIBCMT ref: 10006DB7
_free.LIBCMT ref: 10006DC8
_free.LIBCMT ref: 10006DD9

Memory Dump Source

Source File: 00000000.00000002.4531328256.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10001000_SecuriteInfo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2b0c8f2609e1e4d19fe36947605b32938c7631f69fdd2cb405b6aa7a0151ab25
Instruction ID: 74161ce90208f91b247a55d149e76b9ac9a006f5e05c4def407a73229e26e147
Opcode Fuzzy Hash: 2b0c8f2609e1e4d19fe36947605b32938c7631f69fdd2cb405b6aa7a0151ab25
Instruction Fuzzy Hash: 5CE0BFB5D102B09AF6069F399CC958D7A61F78D750301C04AF42813236D6759FB3DF92

Uniqueness

Uniqueness Score: -1.00%

Function 01313474 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 013134A7
__IsNonwritableInCurrentImage.LIBCMT ref: 01313560

Strings

csm, xrefs: 0131354A

Memory Dump Source

Source File: 00000000.00000002.4528290767.0000000001310000.00000040.00001000.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1310000_SecuriteInfo.jbxd

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: 874856047c16bd33f7fc55a96c496f6d454f6ceb1e7d21065a126a07fa9bd22e
Instruction ID: 36dc7de6ba8c49763a64fadbad44996587fccfd7aeeba77cad673fab8dfcc451
Opcode Fuzzy Hash: 874856047c16bd33f7fc55a96c496f6d454f6ceb1e7d21065a126a07fa9bd22e
Instruction Fuzzy Hash: 6641B034A00219DBCF18DF6DC880AAEBFB5BF44728F0480A9E914AB359D731DA01CF91

Uniqueness

Uniqueness Score: -1.00%

Function 10003470 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 100034A3
__IsNonwritableInCurrentImage.LIBCMT ref: 1000355C

Strings

csm, xrefs: 10003546

Memory Dump Source

Source File: 00000000.00000002.4531328256.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10001000_SecuriteInfo.jbxd

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: 874856047c16bd33f7fc55a96c496f6d454f6ceb1e7d21065a126a07fa9bd22e
Instruction ID: ff9ebd3c1c81eb1899def5ed99c00ae477f6477e44b6034c33ad9c020c15aeb4
Opcode Fuzzy Hash: 874856047c16bd33f7fc55a96c496f6d454f6ceb1e7d21065a126a07fa9bd22e
Instruction Fuzzy Hash: 9341C278A006089BDB02DF68CC80A9F7BF9EF44394F11C155E915AB2AAD731EA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013164B7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe, xrefs: 013164FA, 01316501, 01316537

Memory Dump Source

Source File: 00000000.00000002.4528290767.0000000001310000.00000040.00001000.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1310000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe
API String ID: 0-3005402082
Opcode ID: 2472693c82e54f292de73cb85fe516634e050d81ff585f47dcf8ccd8f7f9a9b1
Instruction ID: 6585af1d002916337cb94f90c0675def2e0e793bea451c51ca5d48d010255124
Opcode Fuzzy Hash: 2472693c82e54f292de73cb85fe516634e050d81ff585f47dcf8ccd8f7f9a9b1
Instruction Fuzzy Hash: 4841C8B1A00255EFDB2ADFDDCC8199EBBFCEB99308F14405AE50597258D7B0CA50C750

Uniqueness

Uniqueness Score: -1.00%

Function 100064B3 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe, xrefs: 100064F6, 100064FD, 10006533

Memory Dump Source

Source File: 00000000.00000002.4531328256.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10001000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe
API String ID: 0-3005402082
Opcode ID: 2472693c82e54f292de73cb85fe516634e050d81ff585f47dcf8ccd8f7f9a9b1
Instruction ID: 2e73bdc33c76d4dd023edafdf97d182192ae4307d939274121133ae1da29e7d0
Opcode Fuzzy Hash: 2472693c82e54f292de73cb85fe516634e050d81ff585f47dcf8ccd8f7f9a9b1
Instruction Fuzzy Hash: B341A374E00655AFEB22CF998C8199EBBF9FB8D390F21006AF40497259D7B1DE40C790

Uniqueness

Uniqueness Score: -1.00%

Function 00111A30 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00111A9E

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00111A7F
Unknown error, xrefs: 00111A32

Memory Dump Source

Source File: 00000000.00000002.4528074559.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.4528059831.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528091170.0000000000113000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528111874.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528124963.0000000000135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528139880.0000000000138000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_SecuriteInfo.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 162008276de98e65594f5b657b4326e225cdab7d2b1cc1e821714e06093116cb
Instruction ID: d0cd5d6af3366aab12a000a657251f4ef066572b56992eca4849ca740a4e5915
Opcode Fuzzy Hash: 162008276de98e65594f5b657b4326e225cdab7d2b1cc1e821714e06093116cb
Instruction Fuzzy Hash: 2A0192B0418B45DBD304AF15E68855AFFF2FF89350F868898F5C446269CB32D8B8C746

Uniqueness

Uniqueness Score: -1.00%

Function 01312290 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 0131229C

Part of subcall function 01312213: std::exception::exception.LIBCONCRT ref: 01312220

__CxxThrowException@8.LIBVCRUNTIME ref: 013122AA

Part of subcall function 0131335B: RaiseException.KERNEL32(?,?,0131228F,00000000,00000000,?,?,?,?,?,?,0131228F,00000000,1001BAFC,?,00000000), ref: 013133BB

Strings

Unknown exception, xrefs: 013122B7

Memory Dump Source

Source File: 00000000.00000002.4528290767.0000000001310000.00000040.00001000.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1310000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowstd::exception::exceptionstd::invalid_argument::invalid_argument
String ID: Unknown exception
API String ID: 1586462112-410509341
Opcode ID: 270a42b036f740911cf048f47e808695e1a2384dd15910c3e8e1676963722a71
Instruction ID: 746ac8ee2674563758fd1935231c4cd56c4f7a0a9aa386eb40fd190b35153650
Opcode Fuzzy Hash: 270a42b036f740911cf048f47e808695e1a2384dd15910c3e8e1676963722a71
Instruction Fuzzy Hash: B8D0A738D0010977CB08EAA8CC40DDD776CAF00104B904454B514C7549EB71D60687C1

Uniqueness

Uniqueness Score: -1.00%

Function 1000228C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 10002298

Part of subcall function 1000220F: std::exception::exception.LIBCONCRT ref: 1000221C

__CxxThrowException@8.LIBVCRUNTIME ref: 100022A6

Part of subcall function 10003357: RaiseException.KERNEL32(?,?,?,10002A31,?,?,?,?,?,?,?,?,10002A31,0000000C,1001BBF4,0000000C), ref: 100033B7

Strings

Unknown exception, xrefs: 100022B3

Memory Dump Source

Source File: 00000000.00000002.4531328256.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10001000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowstd::exception::exceptionstd::invalid_argument::invalid_argument
String ID: Unknown exception
API String ID: 1586462112-410509341
Opcode ID: 1497d7aab37bc32c0cfd94839d72483e237d148937bb315cc1f7f91bd02e2623
Instruction ID: 66a027f7a664b98449d705b15b83149621ebdc4aa7e795b7145d904884e3e54c
Opcode Fuzzy Hash: 1497d7aab37bc32c0cfd94839d72483e237d148937bb315cc1f7f91bd02e2623
Instruction Fuzzy Hash: D6D0A73890014977DB00DAE4CC81D8D77ACEF00180BC08054B614D650EEB75EA0587C1

Uniqueness

Uniqueness Score: -1.00%

Function 00112190 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,0011235B,?,?,?,?,?,00111968), ref: 0011219E
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,0011235B,?,?,?,?,?,00111968), ref: 001121C5
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,0011235B,?,?,?,?,?,00111968), ref: 001121CC
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,0011235B,?,?,?,?,?,00111968), ref: 001121EC

Memory Dump Source

Source File: 00000000.00000002.4528074559.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.4528059831.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528091170.0000000000113000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528111874.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528124963.0000000000135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4528139880.0000000000138000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: 00f2f5780abecd62710d9bf63ddd5a2ceb22fdf40f0eb18f1cc6ce4fc103b182
Instruction ID: 4b016c7e5b4645cae208cbae1414065cc74389b762b9f1b96738fdb10dc7c2f2
Opcode Fuzzy Hash: 00f2f5780abecd62710d9bf63ddd5a2ceb22fdf40f0eb18f1cc6ce4fc103b182
Instruction Fuzzy Hash: 29F0C2B6A006149BCB10BF78EEC865E7BA4EB04740F050438DE849B315E730B8D9CBA2

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: PoshC2

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe

Function 0011116C Relevance: 19.7, APIs: 13, Instructions: 201
sleepstringCOMMON

Function 001116F9 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 80
memoryinjectionthreadCOMMON

Function 001113C1 Relevance: 12.1, APIs: 8, Instructions: 108
stringCOMMON

Function 001111A3 Relevance: 10.6, APIs: 7, Instructions: 114
sleepstringCOMMON

Function 00111160 Relevance: 9.1, APIs: 6, Instructions: 130
sleepstringCOMMON

Function 10001640 Relevance: 6.0, APIs: 4, Instructions: 38
threadCOMMON

Function 100016C0 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 163
filememoryCOMMON

Function 00111296 Relevance: 5.1, APIs: 4, Instructions: 79
stringCOMMON

Function 001113B3 Relevance: 5.1, APIs: 4, Instructions: 65
stringCOMMON

Function 1000680A Relevance: 4.6, APIs: 3, Instructions: 102
COMMON

Function 00111617 Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 47
sleepCOMMON

Function 019B0518 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 138
COMMON

Function 100093FF Relevance: 3.1, APIs: 2, Instructions: 67
COMMON

Function 10009BCA Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Function 100030BC Relevance: 3.0, APIs: 2, Instructions: 41
memoryCOMMON