Edit tour

Windows Analysis Report
okmnji.exe

Overview

General Information

Sample name:	okmnji.exe
Analysis ID:	1466355
MD5:	e347528f615bfa2dda6da1cb9ff4901b
SHA1:	1a7d1934261dad94eb37a2f508207601bb6ce88e
SHA256:	5dc1d091ac91e8344257c3eb246e5d0b6edde1c54220e93546c71eef84beebb6
Tags:	exe
Infos:

Detection

AgentTesla, DarkTortilla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected DarkTortilla Crypter

.NET source code contains potential unpacker

AI detected suspicious sample

Allocates memory in foreign processes

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries Google from non browser process on port 80

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to launch a process as a different user

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

okmnji.exe (PID: 5284 cmdline: "C:\Users\user\Desktop\okmnji.exe" MD5: E347528F615BFA2DDA6DA1CB9FF4901B)

InstallUtil.exe (PID: 7336 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
DarkTortilla	DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.	No Attribution	https://www.secureworks.com/research/darktortilla-malware-analysis	https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.kannides.com", "Username": "reservations@kannides.com", "Password": "@Droushia1937!7391"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.3286541234.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.3286541234.0000000002E7E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2534480616.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000003.00000002.3286541234.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.3286541234.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2540057019.0000000006500000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.2534480616.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2534480616.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.3283492117.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.3283492117.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2526763060.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.2534480616.0000000003DC8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2534480616.0000000003DC8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: okmnji.exe PID: 5284	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: okmnji.exe PID: 5284	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: okmnji.exe PID: 5284	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: okmnji.exe PID: 5284	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: InstallUtil.exe PID: 7336	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 7336	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.okmnji.exe.6500000.5.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.okmnji.exe.6500000.5.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.okmnji.exe.3d1fd50.0.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.okmnji.exe.3d1fd50.0.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.okmnji.exe.3ed6072.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.okmnji.exe.3ed6072.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.okmnji.exe.3ed6072.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3236f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x323e1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3246b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x324fd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32567:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x325d9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3266f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x326ff:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.InstallUtil.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3416f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x341e1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3426b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x342fd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34367:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x343d9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3446f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x344ff:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.okmnji.exe.3c34e20.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.okmnji.exe.3c34e20.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.okmnji.exe.3c34e20.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3236f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x323e1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3246b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x324fd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32567:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x325d9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3266f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x326ff:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.okmnji.exe.3c34e20.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.okmnji.exe.3c34e20.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.okmnji.exe.3c34e20.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.okmnji.exe.3c34e20.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3416f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x341e1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3426b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x342fd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34367:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x343d9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3446f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x344ff:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.okmnji.exe.3e9a7a2.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.okmnji.exe.3e9a7a2.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.okmnji.exe.3e9a7a2.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3236f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x323e1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3246b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x324fd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32567:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x325d9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3266f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x326ff:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.okmnji.exe.3e5eec2.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.okmnji.exe.3e5eec2.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.okmnji.exe.3e5eec2.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3236f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x323e1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3246b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x324fd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32567:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x325d9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3266f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x326ff:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.okmnji.exe.3ed6072.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.okmnji.exe.3ed6072.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.okmnji.exe.3ed6072.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.okmnji.exe.3ed6072.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3416f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x341e1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3426b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x342fd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34367:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x343d9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3446f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x344ff:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.okmnji.exe.3e9a7a2.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.okmnji.exe.3e9a7a2.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.okmnji.exe.3e9a7a2.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.okmnji.exe.3e9a7a2.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3416f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6fa3f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x341e1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6fab1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3426b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6fb3b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x342fd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6fbcd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34367:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6fc37:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x343d9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6fca9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3446f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6fd3f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x344ff:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6fdcf:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.okmnji.exe.3e5eec2.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.okmnji.exe.3e5eec2.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.okmnji.exe.3e5eec2.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.okmnji.exe.3e5eec2.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3416f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6fa4f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xab31f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x341e1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6fac1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xab391:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3426b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6fb4b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xab41b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x342fd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6fbdd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xab4ad:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34367:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6fc47:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xab517:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x343d9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6fcb9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xab589:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3446f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6fd4f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xab61f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Click to see the 31 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 74.220.215.245, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Initiated: true, ProcessId: 7336, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49718

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: okmnji.exe

Avira: detected

Found malware configuration

Source: 0.2.okmnji.exe.3c34e20.1.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.kannides.com", "Username": "reservations@kannides.com", "Password": "@Droushia1937!7391"}

Multi AV Scanner detection for submitted file

Source: okmnji.exe

ReversingLabs: Detection: 28%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: okmnji.exe

Joe Sandbox ML: detected

Source: okmnji.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\okmnji.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], 00000000h	0_2_010E4769
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	0_2_010EAEC0
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	0_2_010EAF11

Networking

Queries Google from non browser process on port 80

Source: C:\Users\user\Desktop\okmnji.exe

HTTP traffic: GET / HTTP/1.1 Host: www.google.com Connection: Keep-Alive

Yara detected Generic Downloader

Source: Yara match	File source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.okmnji.exe.3c34e20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.okmnji.exe.3ed6072.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.okmnji.exe.3e9a7a2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.okmnji.exe.3e5eec2.3.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.5:49718 -> 74.220.215.245:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: Joe Sandbox View	ASN Name: TUT-ASUS TUT-ASUS
Source: Joe Sandbox View	ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: unknown

DNS query: name: ip-api.com

Source: global traffic

TCP traffic: 192.168.2.5:49718 -> 74.220.215.245:587

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: mail.kannides.com

Source: InstallUtil.exe, 00000003.00000002.3286541234.0000000002E21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: okmnji.exe, 00000000.00000002.2534480616.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp, okmnji.exe, 00000000.00000002.2534480616.0000000003DC8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3285107224.00000000011DF000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3283492117.0000000000402000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3286541234.0000000002E21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: InstallUtil.exe, 00000003.00000002.3285107224.00000000011DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hostingCY
Source: InstallUtil.exe, 00000003.00000002.3286541234.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.kannides.com
Source: okmnji.exe, 00000000.00000002.2542221820.00000000069B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://purl.oen
Source: InstallUtil.exe, 00000003.00000002.3286541234.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3290939687.000000000611F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.i.lencr.org/0
Source: InstallUtil.exe, 00000003.00000002.3286541234.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3290939687.000000000611F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.o.lencr.org0#
Source: okmnji.exe, 00000000.00000002.2526763060.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3286541234.0000000002E21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: okmnji.exe	String found in binary or memory: http://www.google.com
Source: okmnji.exe, 00000000.00000002.2526763060.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/
Source: InstallUtil.exe, 00000003.00000002.3286541234.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3290939687.000000000611F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: InstallUtil.exe, 00000003.00000002.3286541234.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3290939687.000000000611F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: okmnji.exe, 00000000.00000002.2534480616.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp, okmnji.exe, 00000000.00000002.2534480616.0000000003DC8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3283492117.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: okmnji.exe, 00000000.00000002.2526763060.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.okmnji.exe.3c34e20.1.raw.unpack, umlRMRbjNqD.cs	.Net Code: wM1
Source: 0.2.okmnji.exe.3ed6072.2.raw.unpack, umlRMRbjNqD.cs	.Net Code: wM1
Source: 0.2.okmnji.exe.3e5eec2.3.raw.unpack, umlRMRbjNqD.cs	.Net Code: wM1
Source: 0.2.okmnji.exe.3e9a7a2.4.raw.unpack, umlRMRbjNqD.cs	.Net Code: wM1

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.okmnji.exe.3ed6072.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.okmnji.exe.3c34e20.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.okmnji.exe.3c34e20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.okmnji.exe.3e9a7a2.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.okmnji.exe.3e5eec2.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.okmnji.exe.3ed6072.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.okmnji.exe.3e9a7a2.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.okmnji.exe.3e5eec2.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Users\user\Desktop\okmnji.exe

Code function: 0_2_0DCF9CB0 CreateProcessAsUserW,

0_2_0DCF9CB0

Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_010E4769	0_2_010E4769
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_010E8819	0_2_010E8819
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_010EAEC0	0_2_010EAEC0
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_010E7AD8	0_2_010E7AD8
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_065C10AC	0_2_065C10AC
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_065CD498	0_2_065CD498
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_065CD4A8	0_2_065CD4A8
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_065CAB24	0_2_065CAB24
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0696A6B0	0_2_0696A6B0
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_06962388	0_2_06962388
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0696C2B0	0_2_0696C2B0
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_06962362	0_2_06962362
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_07C0B13E	0_2_07C0B13E
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_07C01408	0_2_07C01408
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_07C0C6D1	0_2_07C0C6D1
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_07C0C6E0	0_2_07C0C6E0
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_07C61140	0_2_07C61140
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_07C6EC2D	0_2_07C6EC2D
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_085EC410	0_2_085EC410
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_085EA408	0_2_085EA408
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_085EB500	0_2_085EB500
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_085EAB30	0_2_085EAB30
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_085E87F8	0_2_085E87F8
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_085EE510	0_2_085EE510
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_085EE520	0_2_085EE520
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_085EE1A1	0_2_085EE1A1
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_085ED2B8	0_2_085ED2B8
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_085EDEB0	0_2_085EDEB0
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_085ED2A9	0_2_085ED2A9
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_085EDEA0	0_2_085EDEA0
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_085EE758	0_2_085EE758
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_085EA350	0_2_085EA350
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_085EE749	0_2_085EE749
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_085EEB7A	0_2_085EEB7A
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_085E97C8	0_2_085E97C8
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_085EC39A	0_2_085EC39A
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0DCF28E0	0_2_0DCF28E0
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0DCF4048	0_2_0DCF4048
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0DCF4BA0	0_2_0DCF4BA0
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0DCF4280	0_2_0DCF4280
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0DCFA248	0_2_0DCFA248
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0DCF85E0	0_2_0DCF85E0
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0DCF68D8	0_2_0DCF68D8
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0DCF28D2	0_2_0DCF28D2
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0DCF68E8	0_2_0DCF68E8
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0DCF80A9	0_2_0DCF80A9
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0DCFE0A8	0_2_0DCFE0A8
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0DCF0040	0_2_0DCF0040
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0DCF3878	0_2_0DCF3878
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0DCF0023	0_2_0DCF0023
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0DCF4038	0_2_0DCF4038
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0DCF2B80	0_2_0DCF2B80
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0DCF2B70	0_2_0DCF2B70
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0DCFEF28	0_2_0DCFEF28
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0DCF7EA1	0_2_0DCF7EA1
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0DCF7EB0	0_2_0DCF7EB0
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0DCF4270	0_2_0DCF4270
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0DCF3200	0_2_0DCF3200
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0DCF3210	0_2_0DCF3210
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_07C61127	0_2_07C61127
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_013CB374	3_2_013CB374
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_013C4AC0	3_2_013C4AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_013CAD08	3_2_013CAD08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_013CEC10	3_2_013CEC10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_013C3EA8	3_2_013C3EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_013C41F0	3_2_013C41F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_066FC080	3_2_066FC080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_066FAA5C	3_2_066FAA5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_067165C0	3_2_067165C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_0671B200	3_2_0671B200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_06715170	3_2_06715170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_06717D48	3_2_06717D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_06712AB8	3_2_06712AB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_06717668	3_2_06717668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_0671E378	3_2_0671E378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_06710040	3_2_06710040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_067158C0	3_2_067158C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_06710038	3_2_06710038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_06710007	3_2_06710007

Source: okmnji.exe, 00000000.00000002.2534480616.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename3f64f60d-4c0a-4b99-b309-a48b4625b527.exe4 vs okmnji.exe
Source: okmnji.exe, 00000000.00000002.2534480616.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMiPro.dll, vs okmnji.exe
Source: okmnji.exe, 00000000.00000002.2526763060.0000000003117000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename3f64f60d-4c0a-4b99-b309-a48b4625b527.exe4 vs okmnji.exe
Source: okmnji.exe, 00000000.00000002.2534480616.0000000003DC8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename3f64f60d-4c0a-4b99-b309-a48b4625b527.exe4 vs okmnji.exe
Source: okmnji.exe, 00000000.00000002.2524715666.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs okmnji.exe
Source: okmnji.exe, 00000000.00000002.2540057019.0000000006500000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMiPro.dll, vs okmnji.exe
Source: okmnji.exe, 00000000.00000002.2544669382.0000000008070000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRP8SH.dll, vs okmnji.exe

Source: 0.2.okmnji.exe.3ed6072.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.okmnji.exe.3c34e20.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.okmnji.exe.3c34e20.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.okmnji.exe.3e9a7a2.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.okmnji.exe.3e5eec2.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.okmnji.exe.3ed6072.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.okmnji.exe.3e9a7a2.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.okmnji.exe.3e5eec2.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 0.2.okmnji.exe.3c34e20.1.raw.unpack, v9Lsz.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.okmnji.exe.3c34e20.1.raw.unpack, VFo.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.okmnji.exe.3c34e20.1.raw.unpack, 5FJ0H20tobu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.okmnji.exe.3c34e20.1.raw.unpack, NtdoTGO.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.okmnji.exe.3c34e20.1.raw.unpack, XBsYgp.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.okmnji.exe.3c34e20.1.raw.unpack, AwxUa2Na.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.okmnji.exe.3c34e20.1.raw.unpack, 19C9FfZ.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.okmnji.exe.3c34e20.1.raw.unpack, 19C9FfZ.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.okmnji.exe.3c34e20.1.raw.unpack, soCD8XkwU.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.okmnji.exe.3c34e20.1.raw.unpack, soCD8XkwU.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/3

Source: C:\Users\user\Desktop\okmnji.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\okmnji.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Mutant created: NULL

Source: okmnji.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: okmnji.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\okmnji.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: okmnji.exe

ReversingLabs: Detection: 28%

Source: unknown	Process created: C:\Users\user\Desktop\okmnji.exe "C:\Users\user\Desktop\okmnji.exe"
Source: C:\Users\user\Desktop\okmnji.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\okmnji.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\okmnji.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\Desktop\okmnji.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\okmnji.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: okmnji.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: okmnji.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected DarkTortilla Crypter

Source: Yara match	File source: 0.2.okmnji.exe.6500000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.okmnji.exe.6500000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.okmnji.exe.3d1fd50.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.okmnji.exe.3d1fd50.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2534480616.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2540057019.0000000006500000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2526763060.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: okmnji.exe PID: 5284, type: MEMORYSTR

.NET source code contains potential unpacker

Source: okmnji.exe, b0C1.cs

.Net Code: j9G5 System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_010EB0B0 push 0402BBC1h; ret	0_2_010EB145
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_010EB3A8 push eax; iretd	0_2_010EB3B9
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_06966320 push esp; retf	0_2_06966321
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_06966960 push eax; iretd	0_2_06966961
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_07C08B9E push FFFFFF8Bh; iretd	0_2_07C08BA3
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_07C6AB18 pushfd ; ret	0_2_07C6B181
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_07C6B0B4 pushfd ; ret	0_2_07C6B181
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_07C600BE push esp; retf	0_2_07C600C1
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_085E44DF push es; ret	0_2_085E44F0
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_085E73DA push 0000003Bh; ret	0_2_085E73DF
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_085E73FC push 0000003Bh; ret	0_2_085E740D
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0DCF2547 push es; iretd	0_2_0DCF254E
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0DCF2487 push ss; iretd	0_2_0DCF248E
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0DCF2443 push ds; iretd	0_2_0DCF2472
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0DCF686D push edx; iretd	0_2_0DCF686E
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0DCF6807 push edi; iretd	0_2_0DCF680E
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0DCF2427 push ss; iretd	0_2_0DCF243A
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0DCF67C3 push ebp; iretd	0_2_0DCF67D6
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0DCF67EF push esp; iretd	0_2_0DCF67F6
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0DCF67E7 push ebp; iretd	0_2_0DCF67EE
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0DCF67FF push esi; iretd	0_2_0DCF6806
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0DCF678F push ebx; iretd	0_2_0DCF67A2
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0DCF67BB push ebp; iretd	0_2_0DCF67C2
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0DCF675B push esp; iretd	0_2_0DCF6762
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0DCF6754 pushad ; iretd	0_2_0DCF675A
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0DCF6773 push ebp; iretd	0_2_0DCF678E
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0DCF7618 push eax; iretd	0_2_0DCF7621
Source: C:\Users\user\Desktop\okmnji.exe	Code function: 0_2_0DCF2637 push ds; iretd	0_2_0DCF263E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_066F8439 push cs; retf	3_2_066F843A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_066F8409 push cs; retf	3_2_066F840A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_066F84D9 push cs; retf	3_2_066F84DA

Source: 0.2.okmnji.exe.3c34e20.1.raw.unpack, Kt2Pvv8tOe2.cs	High entropy of concatenated method names: 'G1IIdug', 'x9I6ks0KTp7', 'KyrReQQ', 'ufcnB51fJ8b', 'dpM5dUa', 'i2WUmSy2h', 'GVADvX', 'tSGoukfQ8m', 'o4nN', 'AZraw2mg8zr'
Source: 0.2.okmnji.exe.3ed6072.2.raw.unpack, Kt2Pvv8tOe2.cs	High entropy of concatenated method names: 'G1IIdug', 'x9I6ks0KTp7', 'KyrReQQ', 'ufcnB51fJ8b', 'dpM5dUa', 'i2WUmSy2h', 'GVADvX', 'tSGoukfQ8m', 'o4nN', 'AZraw2mg8zr'
Source: 0.2.okmnji.exe.3e5eec2.3.raw.unpack, Kt2Pvv8tOe2.cs	High entropy of concatenated method names: 'G1IIdug', 'x9I6ks0KTp7', 'KyrReQQ', 'ufcnB51fJ8b', 'dpM5dUa', 'i2WUmSy2h', 'GVADvX', 'tSGoukfQ8m', 'o4nN', 'AZraw2mg8zr'
Source: 0.2.okmnji.exe.3e9a7a2.4.raw.unpack, Kt2Pvv8tOe2.cs	High entropy of concatenated method names: 'G1IIdug', 'x9I6ks0KTp7', 'KyrReQQ', 'ufcnB51fJ8b', 'dpM5dUa', 'i2WUmSy2h', 'GVADvX', 'tSGoukfQ8m', 'o4nN', 'AZraw2mg8zr'

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\okmnji.exe

File opened: C:\Users\user\Desktop\okmnji.exe\:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: okmnji.exe PID: 5284, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: okmnji.exe, 00000000.00000002.2534480616.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp, okmnji.exe, 00000000.00000002.2534480616.0000000003DC8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3286541234.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3283492117.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\okmnji.exe	Memory allocated: 10E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Memory allocated: 2BF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Memory allocated: 4BF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Memory allocated: 86F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Memory allocated: 96F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Memory allocated: 98E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Memory allocated: A8E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Memory allocated: ACB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Memory allocated: BCB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Memory allocated: CCB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 1380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2E20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 4E20000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\okmnji.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\okmnji.exe	Window / User API: threadDelayed 1493	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Window / User API: threadDelayed 7963	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 655	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 4724	Jump to behavior

Source: C:\Users\user\Desktop\okmnji.exe TID: 7252	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe TID: 7332	Thread sleep time: -58000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe TID: 3536	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe TID: 1772	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7780	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7780	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7784	Thread sleep count: 655 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7780	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7784	Thread sleep count: 4724 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7780	Thread sleep time: -99781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7780	Thread sleep time: -99665s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7780	Thread sleep time: -99539s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7780	Thread sleep time: -99422s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7780	Thread sleep time: -99296s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7780	Thread sleep time: -99188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7780	Thread sleep time: -99063s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7780	Thread sleep time: -98938s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7780	Thread sleep time: -98813s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7780	Thread sleep time: -98688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7780	Thread sleep time: -98578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7780	Thread sleep time: -98469s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7780	Thread sleep time: -98344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7780	Thread sleep time: -98235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7780	Thread sleep time: -98110s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7780	Thread sleep time: -97985s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7780	Thread sleep time: -97860s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7780	Thread sleep time: -97735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7780	Thread sleep time: -97610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7780	Thread sleep time: -97485s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7780	Thread sleep time: -97360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7780	Thread sleep time: -97235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7780	Thread sleep time: -97110s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7780	Thread sleep time: -96985s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7780	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\okmnji.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99665	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99539	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99296	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: InstallUtil.exe, 00000003.00000002.3286541234.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: okmnji.exe, 00000000.00000002.2534480616.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, okmnji.exe, 00000000.00000002.2540057019.0000000006500000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: VBoxTray
Source: InstallUtil.exe, 00000003.00000002.3283492117.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: vmware
Source: okmnji.exe, 00000000.00000002.2540057019.0000000006500000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: sandboxierpcssGSOFTWARE\VMware, Inc.\VMware VGAuth
Source: InstallUtil.exe, 00000003.00000002.3283492117.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: VMwareVBox
Source: okmnji.exe, 00000000.00000002.2524882481.0000000000D1B000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3290939687.000000000611F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\okmnji.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 3_2_013C70A8 CheckRemoteDebuggerPresent,

3_2_013C70A8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\okmnji.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\okmnji.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\okmnji.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\okmnji.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\okmnji.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43E000	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 440000	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: CA0008	Jump to behavior

Source: C:\Users\user\Desktop\okmnji.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

Jump to behavior

Source: C:\Users\user\Desktop\okmnji.exe	Queries volume information: C:\Users\user\Desktop\okmnji.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\okmnji.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\okmnji.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.okmnji.exe.3ed6072.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.okmnji.exe.3c34e20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.okmnji.exe.3c34e20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.okmnji.exe.3e9a7a2.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.okmnji.exe.3e5eec2.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.okmnji.exe.3ed6072.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.okmnji.exe.3e9a7a2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.okmnji.exe.3e5eec2.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3286541234.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3286541234.0000000002E7E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3286541234.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2534480616.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3283492117.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2534480616.0000000003DC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: okmnji.exe PID: 5284, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7336, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0.2.okmnji.exe.3ed6072.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.okmnji.exe.3c34e20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.okmnji.exe.3c34e20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.okmnji.exe.3e9a7a2.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.okmnji.exe.3e5eec2.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.okmnji.exe.3ed6072.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.okmnji.exe.3e9a7a2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.okmnji.exe.3e5eec2.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3286541234.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2534480616.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3283492117.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2534480616.0000000003DC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: okmnji.exe PID: 5284, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7336, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.okmnji.exe.3ed6072.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.okmnji.exe.3c34e20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.okmnji.exe.3c34e20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.okmnji.exe.3e9a7a2.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.okmnji.exe.3e5eec2.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.okmnji.exe.3ed6072.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.okmnji.exe.3e9a7a2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.okmnji.exe.3e5eec2.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3286541234.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3286541234.0000000002E7E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3286541234.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2534480616.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3283492117.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2534480616.0000000003DC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: okmnji.exe PID: 5284, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7336, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	231 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Valid Accounts	1 Valid Accounts	1 Deobfuscate/Decode Files or Information	1 Input Capture	34 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Access Token Manipulation	2 Obfuscated Files or Information	1 Credentials in Registry	531 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	311 Process Injection	1 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	261 Virtualization/Sandbox Evasion	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Valid Accounts	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	261 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	311 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Hidden Files and Directories	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
okmnji.exe	29%	ReversingLabs	Win32.Trojan.Generic
okmnji.exe	100%	Avira	HEUR/AGEN.1311110
okmnji.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://account.dyn.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://ip-api.com	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://ip-api.com/line/?fields=hosting	0%	URL Reputation	safe
http://mail.kannides.com	0%	Avira URL Cloud	safe
http://r11.o.lencr.org0#	0%	Avira URL Cloud	safe
http://ip-api.com/line/?fields=hostingCY	0%	Avira URL Cloud	safe
http://www.google.com	0%	Avira URL Cloud	safe
http://www.google.com/	0%	Avira URL Cloud	safe
http://r11.i.lencr.org/0	0%	Avira URL Cloud	safe
https://csp.withgoogle.com/csp/gws/other-hp	0%	Avira URL Cloud	safe
http://purl.oen	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.google.com	216.58.212.164	true	false	unknown
ip-api.com	208.95.112.1	true	true	unknown
mail.kannides.com	74.220.215.245	true	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.google.com/	false	Avira URL Cloud: safe	unknown
http://ip-api.com/line/?fields=hosting	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://account.dyn.com/	okmnji.exe, 00000000.00000002.2534480616.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp, okmnji.exe, 00000000.00000002.2534480616.0000000003DC8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3283492117.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://r11.o.lencr.org0#	InstallUtil.exe, 00000003.00000002.3286541234.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3290939687.000000000611F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	InstallUtil.exe, 00000003.00000002.3286541234.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3290939687.000000000611F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	InstallUtil.exe, 00000003.00000002.3286541234.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3290939687.000000000611F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://csp.withgoogle.com/csp/gws/other-hp	okmnji.exe, 00000000.00000002.2526763060.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ip-api.com/line/?fields=hostingCY	InstallUtil.exe, 00000003.00000002.3285107224.00000000011DF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://mail.kannides.com	InstallUtil.exe, 00000003.00000002.3286541234.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ip-api.com	InstallUtil.exe, 00000003.00000002.3286541234.0000000002E21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.google.com	okmnji.exe	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	okmnji.exe, 00000000.00000002.2526763060.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3286541234.0000000002E21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://r11.i.lencr.org/0	InstallUtil.exe, 00000003.00000002.3286541234.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3290939687.000000000611F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://purl.oen	okmnji.exe, 00000000.00000002.2542221820.00000000069B4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	true
216.58.212.164	www.google.com	United States	15169	GOOGLEUS	false
74.220.215.245	mail.kannides.com	United States	46606	UNIFIEDLAYER-AS-1US	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1466355
Start date and time:	2024-07-02 20:20:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	okmnji.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 177 Number of non-executed functions: 40
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: okmnji.exe

Simulations

Behavior and APIs

Time	Type	Description
14:21:01	API Interceptor	48x Sleep call for process: okmnji.exe modified
14:21:45	API Interceptor	26x Sleep call for process: InstallUtil.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	AWB DHL#40882993049403.pdf.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	llD1w4ROY5.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	DHL AWB COMMERCAIL INVOICE AND TRACKNG DETAILS.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	orden de compra.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	KWOTASIE.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	ServerManager.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	MicrosoftService.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	F.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse	ip-api.com/line/?fields=hosting
	x.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	AWB DHL#40882993049403.pdf.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	llD1w4ROY5.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	DHL AWB COMMERCAIL INVOICE AND TRACKNG DETAILS.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	orden de compra.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	KWOTASIE.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	ServerManager.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	MicrosoftService.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	F.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse	208.95.112.1
	x.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNIFIEDLAYER-AS-1US	https://d3iazzw2aq.transsantos.com.br/Facebook.com/5MTE0XyUvddHaCu5rQ21ZpgdMMqDVaFyCyeBzYy3YKiKgHKLLWq8pXY9KiAVYP2BTqwZ9gFjZfUghzQcC9kyB1gfJmu2ebUNmRjGCzJ4RwcxVJWJH9pv78uuEjWKhL0iAz9Mdy7JQaLNFi8EE9y6Na3FjPUp0f1WwxQrJSD9xGypM2nuJy2GKkVGCcLwESgp7y7in7tvLSFZgMKGpr3cN35mAJQhiWpNZngRx-cG9jb25maXJtYXRpb25zQGxpcGFyaWZvb2RzLmNvbQ==	Get hash	malicious	Unknown	Browse	108.167.188.252
	https://link.mail.beehiiv.com/ls/click?upn=u001.I67xw9O-2FCIng4d3bGWl4wF1gb7u7ov5hHZyE-2Bbx9UTzw17nXfIKdJcwxuwzDNoy2zqPLSJo-2BNEQCUif7aqDwom-2FNyeTx4oiB0wLXwXnzsK4D0yrlxIKEkPM7Cj-2FHMmK1N5sLNWwmlbyGbHeuv6ehAEECnEs6fFQOqqwD-2FKToPwl8ZCnBHVdQ3QU8RWhloPcfXcxa_hzdxOAnI3B-2BYhj5tgQXSRCdoGEcuM88dXETG-2BahO6Uvd8cr2jZPTzAVk72oAubAHPgVJjhCdU6bjbXnflniNIkDzPhLxyvQL1dSWfR-2BUbH1DS3LUwJipSkZoP8d1ryYR0TIdt5CyNutkaFy6gLHYcR4kl-2Fz1ezOldYW2WX0ghZl4CCdgYPK2Cj3fM7MmBqLOIY-2B5u5WgDkBzfdFRbwHzvpAejc0JJJ7tYmz-2BUzjH-2BoYmk-2F0HGjFVUaYNWyGnhGX4EhZzw6qOcJEaxZhVjnDpWPL3U5gs5ZetaaeYkMX5whQyh7U-2B0b4Qj0LqFla1tJlWVR4EZMTu40FIJ9BSbWnjEcc9JxuCrqAu48-2BpVmjPzA43qg6bd2x0AWoed1RbQeWVzBT648qZJ7L-2FqgKPY6ysg2U7IBuGeVI7oxhhKCbXSZln5jVQGdCxXpADLZSMla5T1Id6eeDoJeYo7zr6VqE6vw-3D-3D#amVzc2ljYS5oQGViaXpjaGFyZ2UuY29t	Get hash	malicious	HTMLPhisher	Browse	69.49.230.170
	https://medgatetoday.com	Get hash	malicious	Unknown	Browse	162.214.81.24
	https://m.exactag.com/ai.aspx?tc=d9608989bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253APGI.medamax.com.ar/index.xml%23?email=b2xpdmVyLnNjaHVzdGVyQHZvc3Nsb2guY29t	Get hash	malicious	HTMLPhisher	Browse	50.116.75.46
	https://m.exactag.com/ai.aspx?tc=d9608989bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253ABOJ.jaick.co.ke/index.xml%23?email=YWxlYy5wZXRlcnNvbkB2b3NzbG9oLmNvbQ==	Get hash	malicious	Unknown	Browse	192.185.112.252
	Payment_Confirmation_Receipts.vbs	Get hash	malicious	GuLoader	Browse	192.185.112.252
	Maersk_BL_Invoice_Packinglist.vbs	Get hash	malicious	GuLoader, Remcos	Browse	192.185.112.252
	mirai.mips.elf	Get hash	malicious	Mirai	Browse	192.163.243.130
	https://acrobat.adobe.com/id/urn:aaid:sc:va6c2:4050cd23-db02-4b91-ab92-8d433723d20e	Get hash	malicious	HTMLPhisher	Browse	69.49.245.172
	http://url2530.tvsmotor.com/ls/click?upn=u001.smInq0-2BkNc5oRshkzMLE7U6zcio2-2F9zwu1ZIXUanV0NJI-2BOrcqj0f4SCu-2B-2BWZYRJ5WulbQ5i5mBsK1zXEak-2FiMRG64aR-2FUGiDgoHteplEfqii9y-2FZm8OviJTU1sjmz7jpaYlxIO-2FZqsCEMZLobIAuBKqKOl6jqYqSAHVwBkUZuGRzhvuesvLIb-2BOJaFEug0CuPML-2Fk7hkFuRgQZCNn13gFjxpvaK7BszvLf1FNgQSAGEcVOyFo5OkKyCTWVX8CFkHH2058S5Ahgs6702chswQ27i8fTIQhwmMoXYoEJ6NorF1VpAe0oJx35gDOEfSC0fALEr8V3cxNwqqHdyN8bubmjrpvt-2BbFbnZ-2FstXl8vxTAGFM6mTwmzfEL-2B-2BGu2lufzB8M21afC0TTeqSa7QFFyNA-3D-3DHBPv_PfC-2BSFtj-2BSSQFBPv0NgAOXDpcsq6LADHKWdyLdLAzrKwVahhFR76hhions4TwBL9F6a4eQ738jeLIeY9r1OOXohTZTeZE0n2g2t6fycMpA0TJOA8sXK8mZcOXs-2BnNqbr4W7O00eI9WZrnuIrYT3RIDO-2BEHvZtO2YjJnjDLiBUb-2B7QOSPTNUmcSEPbCN9-2Bq0u5dYWTd9AfzNX553r2GVUOxBO0VYIry3r2htr0J03Czo-3D	Get hash	malicious	HTMLPhisher	Browse	108.179.252.159
TUT-ASUS	AWB DHL#40882993049403.pdf.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	llD1w4ROY5.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	DHL AWB COMMERCAIL INVOICE AND TRACKNG DETAILS.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	orden de compra.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	KWOTASIE.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	ServerManager.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	MicrosoftService.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	F.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse	208.95.112.1
	x.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse	208.95.112.1

Process:	C:\Users\user\Desktop\okmnji.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MgvjHK5HKH1qHiYHKh3oPtHo6hAHKzea
MD5:	EA88ED5AF7CAEBFBCF0F4B4AE0AB2721
SHA1:	B2A052ACB64FC7173E568E1520AA4D713C5E90A3
SHA-256:	50FD579DC293CFBE1CF6E5C62E0B4F879B72500000B971CE690F39FA716A3B53
SHA-512:	D1B6E5D67808E19A92A2C8BD4C708D13170D1AFD5C3CDFDA873F1C093D80B24D4101325EF20285EEEE8501239F2F1F7FA96C4571390A5B7916DCD3B461B66EC6
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.469810324773523
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	okmnji.exe
File size:	729'600 bytes
MD5:	e347528f615bfa2dda6da1cb9ff4901b
SHA1:	1a7d1934261dad94eb37a2f508207601bb6ce88e
SHA256:	5dc1d091ac91e8344257c3eb246e5d0b6edde1c54220e93546c71eef84beebb6
SHA512:	15c035c4665a72ff0f73a5afc9879d38f25c95388487dd5f858233eefdc177d0be305408c9f29e1aa07d461313daf1b140064d7edf40b06e59e09daa9cc58669
SSDEEP:	12288:Fd3LiIq/N5sK96VzkrSwgw1MnT14DKruT:r3LTqbsM6KX14IKruT
TLSH:	B2F4AF598D937116C8C703315FA31168AFA64D732E99A89A04431396FA3F3E7FC668D3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...../Y.........."...P.............^8... ...@....@.. ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4b385e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x592FDDA4 [Thu Jun 1 09:25:56 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb3804	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb4000	0x3fc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb1864	0xb1a00	6e96504103d463f6d8df8bfd46a66417	False	0.6167036857846587	data	6.477656730741677	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb4000	0x3fc	0x400	0901f03638f57150e203cbb258f07013	False	0.4326171875	data	3.5114412347482262	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb6000	0xc	0x200	26cd50136010b251e9334a9766fb7c18	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xb4058	0x3a4	data			0.44206008583690987

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 20:20:55.564457893 CEST	49704	80	192.168.2.5	216.58.212.164
Jul 2, 2024 20:20:55.569256067 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:55.569325924 CEST	49704	80	192.168.2.5	216.58.212.164
Jul 2, 2024 20:20:55.570055008 CEST	49704	80	192.168.2.5	216.58.212.164
Jul 2, 2024 20:20:55.574815989 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.262607098 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.262636900 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.262655973 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.262669086 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.262681961 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.262692928 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.262706041 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.262717009 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.262729883 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.262743950 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.262900114 CEST	49704	80	192.168.2.5	216.58.212.164
Jul 2, 2024 20:20:56.262900114 CEST	49704	80	192.168.2.5	216.58.212.164
Jul 2, 2024 20:20:56.262900114 CEST	49704	80	192.168.2.5	216.58.212.164
Jul 2, 2024 20:20:56.267803907 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.267893076 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.267952919 CEST	49704	80	192.168.2.5	216.58.212.164
Jul 2, 2024 20:20:56.353250980 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.353277922 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.353291035 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.353418112 CEST	49704	80	192.168.2.5	216.58.212.164
Jul 2, 2024 20:20:56.353452921 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.353466988 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.353477001 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.353598118 CEST	49704	80	192.168.2.5	216.58.212.164
Jul 2, 2024 20:20:56.353598118 CEST	49704	80	192.168.2.5	216.58.212.164
Jul 2, 2024 20:20:56.358272076 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.358289957 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.358300924 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.358417034 CEST	49704	80	192.168.2.5	216.58.212.164
Jul 2, 2024 20:20:56.365437031 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.365475893 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.365489006 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.365531921 CEST	49704	80	192.168.2.5	216.58.212.164
Jul 2, 2024 20:20:56.365531921 CEST	49704	80	192.168.2.5	216.58.212.164
Jul 2, 2024 20:20:56.370903969 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.370937109 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.371011972 CEST	49704	80	192.168.2.5	216.58.212.164
Jul 2, 2024 20:20:56.371032000 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.371042967 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.371257067 CEST	49704	80	192.168.2.5	216.58.212.164
Jul 2, 2024 20:20:56.377408028 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.377424955 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.377439022 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.377540112 CEST	49704	80	192.168.2.5	216.58.212.164
Jul 2, 2024 20:20:56.383443117 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.383480072 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.383501053 CEST	49704	80	192.168.2.5	216.58.212.164
Jul 2, 2024 20:20:56.383510113 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.383521080 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.383563042 CEST	49704	80	192.168.2.5	216.58.212.164
Jul 2, 2024 20:20:56.389832020 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.389849901 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.389862061 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.389885902 CEST	49704	80	192.168.2.5	216.58.212.164
Jul 2, 2024 20:20:56.389905930 CEST	49704	80	192.168.2.5	216.58.212.164
Jul 2, 2024 20:20:56.396015882 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.396110058 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.396121025 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.396132946 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.396158934 CEST	49704	80	192.168.2.5	216.58.212.164
Jul 2, 2024 20:20:56.396187067 CEST	49704	80	192.168.2.5	216.58.212.164
Jul 2, 2024 20:20:56.402537107 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.402709961 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.402872086 CEST	49704	80	192.168.2.5	216.58.212.164
Jul 2, 2024 20:20:56.443893909 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.443922043 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.443934917 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.443945885 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.443959951 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.444035053 CEST	49704	80	192.168.2.5	216.58.212.164
Jul 2, 2024 20:20:56.444175959 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.444228888 CEST	49704	80	192.168.2.5	216.58.212.164
Jul 2, 2024 20:20:56.444919109 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.444931030 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.444941044 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.444993019 CEST	49704	80	192.168.2.5	216.58.212.164
Jul 2, 2024 20:20:56.451066017 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.451106071 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.451138973 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.451141119 CEST	49704	80	192.168.2.5	216.58.212.164
Jul 2, 2024 20:20:56.451150894 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.451184034 CEST	49704	80	192.168.2.5	216.58.212.164
Jul 2, 2024 20:20:56.457688093 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.457703114 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.457712889 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.457788944 CEST	49704	80	192.168.2.5	216.58.212.164
Jul 2, 2024 20:20:56.457788944 CEST	49704	80	192.168.2.5	216.58.212.164
Jul 2, 2024 20:20:56.463794947 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.463850975 CEST	80	49704	216.58.212.164	192.168.2.5
Jul 2, 2024 20:20:56.463963032 CEST	49704	80	192.168.2.5	216.58.212.164
Jul 2, 2024 20:21:45.241054058 CEST	49704	80	192.168.2.5	216.58.212.164
Jul 2, 2024 20:21:45.502789974 CEST	49717	80	192.168.2.5	208.95.112.1
Jul 2, 2024 20:21:45.508940935 CEST	80	49717	208.95.112.1	192.168.2.5
Jul 2, 2024 20:21:45.509017944 CEST	49717	80	192.168.2.5	208.95.112.1
Jul 2, 2024 20:21:45.509340048 CEST	49717	80	192.168.2.5	208.95.112.1
Jul 2, 2024 20:21:45.516736031 CEST	80	49717	208.95.112.1	192.168.2.5
Jul 2, 2024 20:21:45.994779110 CEST	80	49717	208.95.112.1	192.168.2.5
Jul 2, 2024 20:21:46.037487984 CEST	49717	80	192.168.2.5	208.95.112.1
Jul 2, 2024 20:21:46.968826056 CEST	49718	587	192.168.2.5	74.220.215.245
Jul 2, 2024 20:21:46.973784924 CEST	587	49718	74.220.215.245	192.168.2.5
Jul 2, 2024 20:21:46.973881006 CEST	49718	587	192.168.2.5	74.220.215.245
Jul 2, 2024 20:21:47.664174080 CEST	587	49718	74.220.215.245	192.168.2.5
Jul 2, 2024 20:21:47.666656971 CEST	49718	587	192.168.2.5	74.220.215.245
Jul 2, 2024 20:21:47.673896074 CEST	587	49718	74.220.215.245	192.168.2.5
Jul 2, 2024 20:21:47.990544081 CEST	587	49718	74.220.215.245	192.168.2.5
Jul 2, 2024 20:21:47.991111040 CEST	49718	587	192.168.2.5	74.220.215.245
Jul 2, 2024 20:21:47.996206999 CEST	587	49718	74.220.215.245	192.168.2.5
Jul 2, 2024 20:21:48.150994062 CEST	587	49718	74.220.215.245	192.168.2.5
Jul 2, 2024 20:21:48.155958891 CEST	49718	587	192.168.2.5	74.220.215.245
Jul 2, 2024 20:21:48.161091089 CEST	587	49718	74.220.215.245	192.168.2.5
Jul 2, 2024 20:21:48.329137087 CEST	587	49718	74.220.215.245	192.168.2.5
Jul 2, 2024 20:21:48.329164982 CEST	587	49718	74.220.215.245	192.168.2.5
Jul 2, 2024 20:21:48.329272985 CEST	587	49718	74.220.215.245	192.168.2.5
Jul 2, 2024 20:21:48.329315901 CEST	49718	587	192.168.2.5	74.220.215.245
Jul 2, 2024 20:21:48.345531940 CEST	49718	587	192.168.2.5	74.220.215.245
Jul 2, 2024 20:21:48.351824045 CEST	587	49718	74.220.215.245	192.168.2.5
Jul 2, 2024 20:21:48.503559113 CEST	587	49718	74.220.215.245	192.168.2.5
Jul 2, 2024 20:21:48.518563986 CEST	49718	587	192.168.2.5	74.220.215.245
Jul 2, 2024 20:21:48.526689053 CEST	587	49718	74.220.215.245	192.168.2.5
Jul 2, 2024 20:21:48.681965113 CEST	587	49718	74.220.215.245	192.168.2.5
Jul 2, 2024 20:21:48.683160067 CEST	49718	587	192.168.2.5	74.220.215.245
Jul 2, 2024 20:21:48.690010071 CEST	587	49718	74.220.215.245	192.168.2.5
Jul 2, 2024 20:21:48.843626022 CEST	587	49718	74.220.215.245	192.168.2.5
Jul 2, 2024 20:21:48.843983889 CEST	49718	587	192.168.2.5	74.220.215.245
Jul 2, 2024 20:21:48.848836899 CEST	587	49718	74.220.215.245	192.168.2.5
Jul 2, 2024 20:21:49.032536030 CEST	587	49718	74.220.215.245	192.168.2.5
Jul 2, 2024 20:21:49.032825947 CEST	49718	587	192.168.2.5	74.220.215.245
Jul 2, 2024 20:21:49.037592888 CEST	587	49718	74.220.215.245	192.168.2.5
Jul 2, 2024 20:21:49.190639973 CEST	587	49718	74.220.215.245	192.168.2.5
Jul 2, 2024 20:21:49.191001892 CEST	49718	587	192.168.2.5	74.220.215.245
Jul 2, 2024 20:21:49.195966959 CEST	587	49718	74.220.215.245	192.168.2.5
Jul 2, 2024 20:21:49.425920010 CEST	587	49718	74.220.215.245	192.168.2.5
Jul 2, 2024 20:21:49.426229000 CEST	49718	587	192.168.2.5	74.220.215.245
Jul 2, 2024 20:21:49.431062937 CEST	587	49718	74.220.215.245	192.168.2.5
Jul 2, 2024 20:21:49.584556103 CEST	587	49718	74.220.215.245	192.168.2.5
Jul 2, 2024 20:21:49.585258961 CEST	49718	587	192.168.2.5	74.220.215.245
Jul 2, 2024 20:21:49.585326910 CEST	49718	587	192.168.2.5	74.220.215.245
Jul 2, 2024 20:21:49.585356951 CEST	49718	587	192.168.2.5	74.220.215.245
Jul 2, 2024 20:21:49.585375071 CEST	49718	587	192.168.2.5	74.220.215.245
Jul 2, 2024 20:21:49.590219975 CEST	587	49718	74.220.215.245	192.168.2.5
Jul 2, 2024 20:21:49.590230942 CEST	587	49718	74.220.215.245	192.168.2.5
Jul 2, 2024 20:21:49.590359926 CEST	587	49718	74.220.215.245	192.168.2.5
Jul 2, 2024 20:21:49.590373993 CEST	587	49718	74.220.215.245	192.168.2.5
Jul 2, 2024 20:21:49.745487928 CEST	587	49718	74.220.215.245	192.168.2.5
Jul 2, 2024 20:21:49.787528992 CEST	49718	587	192.168.2.5	74.220.215.245
Jul 2, 2024 20:22:36.690370083 CEST	49717	80	192.168.2.5	208.95.112.1
Jul 2, 2024 20:22:36.695785046 CEST	80	49717	208.95.112.1	192.168.2.5
Jul 2, 2024 20:22:36.695849895 CEST	49717	80	192.168.2.5	208.95.112.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 20:20:55.548248053 CEST	54879	53	192.168.2.5	1.1.1.1
Jul 2, 2024 20:20:55.558665037 CEST	53	54879	1.1.1.1	192.168.2.5
Jul 2, 2024 20:21:45.481205940 CEST	51646	53	192.168.2.5	1.1.1.1
Jul 2, 2024 20:21:45.489672899 CEST	53	51646	1.1.1.1	192.168.2.5
Jul 2, 2024 20:21:46.671829939 CEST	63438	53	192.168.2.5	1.1.1.1
Jul 2, 2024 20:21:46.967624903 CEST	53	63438	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 2, 2024 20:20:55.548248053 CEST	192.168.2.5	1.1.1.1	0x17e5	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Jul 2, 2024 20:21:45.481205940 CEST	192.168.2.5	1.1.1.1	0x2509	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Jul 2, 2024 20:21:46.671829939 CEST	192.168.2.5	1.1.1.1	0x412c	Standard query (0)	mail.kannides.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jul 2, 2024 20:20:55.558665037 CEST	1.1.1.1	192.168.2.5	0x17e5	No error (0)	www.google.com	216.58.212.164	A (IP address)	IN (0x0001)	false
Jul 2, 2024 20:21:45.489672899 CEST	1.1.1.1	192.168.2.5	0x2509	No error (0)	ip-api.com	208.95.112.1	A (IP address)	IN (0x0001)	false
Jul 2, 2024 20:21:46.967624903 CEST	1.1.1.1	192.168.2.5	0x412c	No error (0)	mail.kannides.com	74.220.215.245	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.google.com

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	216.58.212.164	80	5284	C:\Users\user\Desktop\okmnji.exe

Timestamp	Bytes transferred	Direction	Data
Jul 2, 2024 20:20:55.570055008 CEST	64	OUT	GET / HTTP/1.1 Host: www.google.com Connection: Keep-Alive
Jul 2, 2024 20:20:56.262607098 CEST	1236	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 18:20:56 GMT Expires: -1 Cache-Control: private, max-age=0 Content-Type: text/html; charset=ISO-8859-1 Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-DsRaV6Dobnm65vM1IMLHdw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: AEC=AQTF6HwPoicR65guPHOC08qt1n-G6XCgUXfoUqfArgoSk8rGuySJLD2PxFU; expires=Sun, 29-Dec-2024 18:20:56 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax Set-Cookie: NID=515=whdJySvpv2kaTk3xSDCFNDA_bWgHkKfCEc-AJjHKaMmGc6SyvlM0OSPjRL7HdmL4q5fXy0WLnFOD1VQ3PjCFFb00z86KZsVAtBewRF5kZbRrdp0QPv7Nu1oURvT4VcXK8maB5W3UU4uerpEdcGatDXxDZ-ltBaS_8O05MkRRPdQ; expires=Wed, 01-Jan-2025 18:20:56 GMT; path=/; domain=.google.com; HttpOnly Accept-Ranges: none Vary: Accept-Encoding Transfer-Encoding: chunked Data Raw: 34 35 39 33 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 53 65 61 72 63 68 20 74 68 65 20 77 6f 72 6c 64 27 73 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2c 20 69 6e 63 6c 75 64 69 6e 67 20 77 65 62 70 61 67 65 73 2c 20 69 6d 61 67 65 73 2c 20 76 69 64 65 6f 73 20 61 6e 64 20 6d 6f 72 65 2e 20 47 6f 6f 67 6c 65 20 Data Ascii: 4593<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en"><head><meta content="Search the world's information, including webpages, images, videos and more. Google
Jul 2, 2024 20:20:56.262636900 CEST	1236	IN	Data Raw: 68 61 73 20 6d 61 6e 79 20 73 70 65 63 69 61 6c 20 66 65 61 74 75 72 65 73 20 74 6f 20 68 65 6c 70 20 79 6f 75 20 66 69 6e 64 20 65 78 61 63 74 6c 79 20 77 68 61 74 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 22 20 6e 61 6d 65 3d Data Ascii: has many special features to help you find exactly what you're looking for." name="description"><meta content="noodp, " name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/images/branding/googleg/1x
Jul 2, 2024 20:20:56.262655973 CEST	1236	IN	Data Raw: 2c 33 33 34 2c 36 36 35 2c 33 30 34 2c 31 2c 34 2c 32 2c 38 34 30 2c 31 37 31 34 2c 35 38 31 2c 31 30 31 2c 34 35 32 2c 32 31 32 2c 31 34 2c 35 36 35 37 2c 34 35 2c 34 36 35 2c 33 38 30 2c 34 31 38 37 2c 33 32 35 2c 37 31 34 2c 32 37 37 2c 34 39 Data Ascii: ,334,665,304,1,4,2,840,1714,581,101,452,212,14,5657,45,465,380,4187,325,714,277,498,1,766,373,1491,4,431,279,7,12,623,123,4,1332,269,839,1,6,194,606,3,1,1231,1,39,668,47,202,2129,4,245,294,834,2410,247,3,186,30,836,126,1,6,675,1574,367,3,93,16
Jul 2, 2024 20:20:56.262669086 CEST	1236	IN	Data Raw: 62 7d 66 75 6e 63 74 69 6f 6e 20 72 28 61 29 7b 2f 5e 68 74 74 70 3a 2f 69 2e 74 65 73 74 28 61 29 26 26 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 72 6f 74 6f 63 6f 6c 3d 3d 3d 22 68 74 74 70 73 3a 22 26 26 28 67 6f 6f 67 6c 65 2e 6d 6c Data Ascii: b}function r(a){/^http:/i.test(a)&&window.location.protocol==="https:"&&(google.ml&&google.ml(Error("a"),!1,{src:a,glmm:1}),a="");return a}function t(a,b,c,d,k){var e="";b.search("&ei=")===-1&&(e="&ei="+p(d),b.search("&lei=")===-1&&(d=q(d))&&
Jul 2, 2024 20:20:56.262681961 CEST	1236	IN	Data Raw: 64 41 6c 6c 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 67 6f 6f 67 6c 65 2e 6c 71 2e 70 75 73 68 28 5b 61 2c 62 5d 29 7d 3b 67 6f 6f 67 6c 65 2e 62 78 3d 21 31 3b 67 6f 6f 67 6c 65 2e 6c 78 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 3b 76 61 72 20 Data Ascii: dAll=function(a,b){google.lq.push([a,b])};google.bx=!1;google.lx=function(){};var d=[];google.fce=function(a,b,c,e){d.push([a,b,c,e])};google.qce=d;}).call(this);google.f={};(function(){document.documentElement.addEventListener("submit",funct
Jul 2, 2024 20:20:56.262692928 CEST	1236	IN	Data Raw: 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 74 6f 70 3a 30 3b 77 69 64 74 68 3a 31 30 30 25 3b 7a 2d 69 6e 64 65 78 3a 39 39 30 7d 23 67 62 78 33 7b 6c 65 66 74 3a 30 7d 23 67 62 78 34 7b 72 69 67 68 74 3a 30 7d 23 67 62 62 7b 70 6f 73 69 74 69 6f Data Ascii: tion:absolute;top:0;width:100%;z-index:990}#gbx3{left:0}#gbx4{right:0}#gbb{position:relative}#gbbw{left:0;position:absolute;top:30px;width:100%}.gbtcb{position:absolute;visibility:hidden}#gbz .gbtcb{right:0}#gbg .gbtcb{left:0}.gbxx{display:non
Jul 2, 2024 20:20:56.262706041 CEST	1236	IN	Data Raw: 78 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 66 6f 6e 74 2d 73 69 7a 65 3a 30 3b 68 65 69 67 68 74 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 30 3b 77 69 64 74 68 3a 30 3b 62 6f 72 64 65 72 2d 77 69 64 74 68 3a 33 70 78 Data Ascii: x;display:inline-block;font-size:0;height:0;line-height:0;width:0;border-width:3px 3px 0;padding-top:1px;left:4px}#gbztms1,#gbi4m1,#gbi4s,#gbi4t{zoom:1}.gbtc,.gbmc,.gbmcc{display:block;list-style:none;margin:0;padding:0}.gbmc{background:#fff;p
Jul 2, 2024 20:20:56.262717009 CEST	1236	IN	Data Raw: 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 69 6d 61 67 65 73 2f 62 5f 38 64 35 61 66 63 30 39 2e 70 6e 67 29 3b 5f 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 68 74 74 70 73 3a 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 Data Ascii: sl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/b8_3615d64d.png);background-position:-27px -22px;border:0;font-size:0;padding:29px 0 0;*padding:27px 0 0;width:1px}.gbzt:hover,.gbzt:focus,.gbgt-hvr,.gb
Jul 2, 2024 20:20:56.262729883 CEST	1236	IN	Data Raw: 70 6f 72 74 61 6e 74 7d 2e 67 62 74 6f 20 23 67 62 67 73 35 7b 70 61 64 64 69 6e 67 3a 37 70 78 20 35 70 78 20 36 70 78 20 21 69 6d 70 6f 72 74 61 6e 74 7d 23 67 62 69 35 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 68 74 74 70 73 3a 2f 2f 73 Data Ascii: portant}.gbto #gbgs5{padding:7px 5px 6px !important}#gbi5{background:url(https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/b8_3615d64d.png);background-position:0 0;display:block;font-size:0;hei
Jul 2, 2024 20:20:56.262743950 CEST	1236	IN	Data Raw: 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 7d 2e 67 62 6d 68 7b 62 6f 72 64 65 72 2d 74 6f 70 3a 31 70 78 20 73 6f 6c 69 64 20 23 62 65 62 65 62 65 3b 66 6f 6e 74 2d 73 69 7a 65 3a 30 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 7d 23 67 62 64 34 20 2e Data Ascii: t-weight:bold}.gbmh{border-top:1px solid #bebebe;font-size:0;margin:10px 0}#gbd4 .gbmc{background:#f5f5f5;padding-top:0}#gbd4 .gbsbic::-webkit-scrollbar-track:vertical{background-color:#f5f5f5;margin-top:2px}#gbmpdv{background:#fff;border-bott
Jul 2, 2024 20:20:56.267803907 CEST	1236	IN	Data Raw: 63 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 65 66 39 64 62 7d 2e 67 62 70 6d 63 20 2e 67 62 70 6d 74 63 7b 70 61 64 64 69 6e 67 3a 31 30 70 78 20 32 30 70 78 7d 23 67 62 70 6d 7b 62 6f 72 64 65 72 3a 30 3b 2a 62 6f 72 64 65 72 2d 63 6f 6c 6c 61 Data Ascii: c{background:#fef9db}.gbpmc .gbpmtc{padding:10px 20px}#gbpm{border:0;border-collapse:collapse;border-spacing:0;margin:0;white-space:normal}#gbpm .gbpmtc{border-top:none;color:#000 !important;font:11px Arial,sans-serif}#gbpms{white-space:nowr

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49717	208.95.112.1	80	7336	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Jul 2, 2024 20:21:45.509340048 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jul 2, 2024 20:21:45.994779110 CEST	175	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 18:21:45 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jul 2, 2024 20:21:47.664174080 CEST	587	49718	74.220.215.245	192.168.2.5	220-host2150.hostmonster.com ESMTP Exim 4.96.2 #2 Tue, 02 Jul 2024 12:21:47 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 2, 2024 20:21:47.666656971 CEST	49718	587	192.168.2.5	74.220.215.245	EHLO 910646
Jul 2, 2024 20:21:47.990544081 CEST	587	49718	74.220.215.245	192.168.2.5	250-host2150.hostmonster.com Hello 910646 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 2, 2024 20:21:47.991111040 CEST	49718	587	192.168.2.5	74.220.215.245	STARTTLS
Jul 2, 2024 20:21:48.150994062 CEST	587	49718	74.220.215.245	192.168.2.5	220 TLS go ahead

Target ID:	0
Start time:	14:20:54
Start date:	02/07/2024
Path:	C:\Users\user\Desktop\okmnji.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\okmnji.exe"
Imagebase:	0xbf0000
File size:	729'600 bytes
MD5 hash:	E347528F615BFA2DDA6DA1CB9FF4901B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2534480616.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2540057019.0000000006500000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2534480616.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2534480616.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2526763060.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2534480616.0000000003DC8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2534480616.0000000003DC8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:21:11
Start date:	02/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0xaf0000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3286541234.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3286541234.0000000002E7E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3286541234.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3286541234.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3283492117.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3283492117.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	18.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	6.9%
Total number of Nodes:	174
Total number of Limit Nodes:	12

Executed Functions

Function 010E7AD8 Relevance: 15.9, Strings: 12, Instructions: 890COMMON

Download Yara Rule

Strings

Haq, xrefs: 010E7ECE
(o]q, xrefs: 010E8348
(o]q, xrefs: 010E833A
,aq, xrefs: 010E83C0
\U, xrefs: 010E7F31
,aq, xrefs: 010E83B2
\U, xrefs: 010E7EDF
(o]q, xrefs: 010E8002
\U, xrefs: 010E8031
\U, xrefs: 010E8093
(o]q, xrefs: 010E8665
\U, xrefs: 010E7F93

Memory Dump Source

Source File: 00000000.00000002.2525379171.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_okmnji.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$(o]q$,aq$,aq$Haq$\U$\U$\U$\U$\U
API String ID: 0-182141233
Opcode ID: 974e2c3861337da3d068ec0c586421b93d358bb4d68c0ef54f9beeab6c7331c6
Instruction ID: 317951cde362b6d16c12b2be245935d33e1a45ec46c18eb17ebee3417e086d4a
Opcode Fuzzy Hash: 974e2c3861337da3d068ec0c586421b93d358bb4d68c0ef54f9beeab6c7331c6
Instruction Fuzzy Hash: CD726E71A002098FDB55DFAAC848AAEBBF6FF88300F14C55AE545AB395DB30DD41CB91

Function 010E8819 Relevance: 12.2, Strings: 9, Instructions: 905COMMON

Download Yara Rule

Strings

(o]q, xrefs: 010E8D37
(o]q, xrefs: 010E8856
,aq, xrefs: 010E8CB8
(o]q, xrefs: 010E8D27
(o]q, xrefs: 010E8911
,aq, xrefs: 010E8CC8
(o]q, xrefs: 010E89DA
(o]q, xrefs: 010E893D
(o]q, xrefs: 010E8DE9

Memory Dump Source

Source File: 00000000.00000002.2525379171.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_okmnji.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$(o]q$(o]q$(o]q$(o]q$,aq$,aq
API String ID: 0-99275883
Opcode ID: c39ed467b1809a915a81b4c856d6cfe1c3514ed2cbedf64e578832c62b7e8acb
Instruction ID: 5ba0eda20dfc24549f6425b94f6b204d93d3c7a984baf8930aff88190b8570c9
Opcode Fuzzy Hash: c39ed467b1809a915a81b4c856d6cfe1c3514ed2cbedf64e578832c62b7e8acb
Instruction Fuzzy Hash: BE825B70A00209DFCB55CF6AC588AAEBBF2FF88314F15C599E5959B2A1D730ED41CB50

Function 0696A6B0 Relevance: 11.0, Strings: 8, Instructions: 976
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Haq, xrefs: 0696DFB9
Haq, xrefs: 0696DF5A
(aq, xrefs: 0696DCB5
Haq, xrefs: 0696E3DB
Haq, xrefs: 0696E178
Haq, xrefs: 0696E37C
Haq, xrefs: 0696E59A
PH]q, xrefs: 0696DC89

Memory Dump Source

Source File: 00000000.00000002.2541174694.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6960000_okmnji.jbxd

Similarity

API ID:
String ID: (aq$Haq$Haq$Haq$Haq$Haq$Haq$PH]q
API String ID: 0-1363861295
Opcode ID: 2b804070317b10ddf23925b764450fb60c040ba572e22a9407b4412e0c5c5acf
Instruction ID: 0a6a90f76c0bc7eeb302690f6e54e034955ebaf2cbe240f8ef605bc5872931d4
Opcode Fuzzy Hash: 2b804070317b10ddf23925b764450fb60c040ba572e22a9407b4412e0c5c5acf
Instruction Fuzzy Hash: 8372A030B002148FCB98EF79C854A6EBBA6EFC4310F248569E51ADB7A5CE34DD46C791

Function 010E4769 Relevance: 9.1, Strings: 7, Instructions: 323
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

tP]q, xrefs: 010E499D
tP]q, xrefs: 010E4959
XX]q, xrefs: 010E4B45
Te]q, xrefs: 010E4AE4
tP]q, xrefs: 010E49B3
XX]q, xrefs: 010E4AB7
XX]q, xrefs: 010E4B35

Memory Dump Source

Source File: 00000000.00000002.2525379171.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_okmnji.jbxd

Similarity

API ID:
String ID: Te]q$XX]q$XX]q$XX]q$tP]q$tP]q$tP]q
API String ID: 0-1395197572
Opcode ID: 16ff8a0fbda99fca57d0db78c7e37b1bfb4111c2dfe352066da5c5ba0929fcb0
Instruction ID: 182a2f1f0dcf306ef5b69a26ef40abcbb8a5a2b5886889b805798399cd6c9f2d
Opcode Fuzzy Hash: 16ff8a0fbda99fca57d0db78c7e37b1bfb4111c2dfe352066da5c5ba0929fcb0
Instruction Fuzzy Hash: 0CE1C274E00218CFDB54CFAAC988BADBBF2BF89300F1481A9D549AB365DB345985CF51

Function 07C61127 Relevance: 5.6, Instructions: 5649
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2544195638.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c60000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3c31d4ff9c1e0b75303f7867a4ff5b3c505eb20f52c69f34afe8c8b03a9b7be
Instruction ID: 40f1f06d74356513f42ee6e2a8c638ed7602ca9efc0fc811a0d3ef4518d7d43f
Opcode Fuzzy Hash: d3c31d4ff9c1e0b75303f7867a4ff5b3c505eb20f52c69f34afe8c8b03a9b7be
Instruction Fuzzy Hash: 70C31A70A116188FCB58EF39DA9966CBBB2FF89304F4048EDD448A7254EB345E85CF46

Function 07C61140 Relevance: 5.6, Instructions: 5633
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2544195638.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c60000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 850ce436d9b62df7a8de6c02e396fd6427afe7b20cde80d5850480e7497548b8
Instruction ID: 37a6af314ef1d09909aabe4951fa88f822304b017bca2022dc6d52124307811a
Opcode Fuzzy Hash: 850ce436d9b62df7a8de6c02e396fd6427afe7b20cde80d5850480e7497548b8
Instruction Fuzzy Hash: C2C31A70A116188FCB58EF39DA9966CBBB2FF89304F4048EDD448A7254EB345E85CF46

Function 07C01408 Relevance: 5.2, Instructions: 5170
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2543936113.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c00000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1c2eaab115ec9bf06b45a9beb0265105a12602d38d47bdce6f6d84c9356545c
Instruction ID: 31cf036db0958cf1e400f88c12f85d5784f7d1c6144a745ac03f759ce047bba0
Opcode Fuzzy Hash: d1c2eaab115ec9bf06b45a9beb0265105a12602d38d47bdce6f6d84c9356545c
Instruction Fuzzy Hash: 06B31870A116188FCB58EF38DA8966CBBF2FF88304F4185E9D488A7250EE345D95CF85

Function 07C0B13E Relevance: 4.1, Strings: 3, Instructions: 328
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xaq, xrefs: 07C0B177
\U, xrefs: 07C0B5A1
\U, xrefs: 07C0B5C9

Memory Dump Source

Source File: 00000000.00000002.2543936113.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c00000_okmnji.jbxd

Similarity

API ID:
String ID: Xaq$\U$\U
API String ID: 0-3027628935
Opcode ID: 1f2901ee439bcdf1cb3f6def1745cc54389edf303f1fe1f21bff84f5501ff78e
Instruction ID: f42f13205305f9640daea340a2a8ac7ee1aa4cb79026b9e7dbf614a0946295b6
Opcode Fuzzy Hash: 1f2901ee439bcdf1cb3f6def1745cc54389edf303f1fe1f21bff84f5501ff78e
Instruction Fuzzy Hash: 5AB184F0B00607CBDB28DF7A9C9423A77A6AB85B01F684D6AD486972D5CE30CD418BD5

Function 0DCF28E0 Relevance: 3.9, Strings: 3, Instructions: 167COMMON

Download Yara Rule

Strings

Q!, xrefs: 0DCF2B3D
Q!, xrefs: 0DCF2B2F
$]q, xrefs: 0DCF2969

Memory Dump Source

Source File: 00000000.00000002.2546692266.000000000DCF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dcf0000_okmnji.jbxd

Similarity

API ID:
String ID: Q!$Q!$$]q
API String ID: 0-625866615
Opcode ID: 5f1208c769cb54cbdad16fc4ca770f21839c0438324defc9d243e41b8501a966
Instruction ID: 5b2ff0283dcc92fd1230bee5b7dba95332deb45b237800da8f5aa9ae8608b3da
Opcode Fuzzy Hash: 5f1208c769cb54cbdad16fc4ca770f21839c0438324defc9d243e41b8501a966
Instruction Fuzzy Hash: EF71D474E04208DFDB44DFA5D5849EEBBF2BF88300F209429E516A7358DB349A46CF55

Function 085EA350 Relevance: 2.8, Strings: 2, Instructions: 259COMMON

Download Yara Rule

Strings

Te]q, xrefs: 085EA5DA
Te]q, xrefs: 085EA471

Memory Dump Source

Source File: 00000000.00000002.2545350290.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85e0000_okmnji.jbxd

Similarity

API ID:
String ID: Te]q$Te]q
API String ID: 0-3320153681
Opcode ID: dda73f408877ac125e7641b4493cda6db31dca5d7a85f317f3a51be9016d8d4e
Instruction ID: b2280bdfd428e1a126764e88d043ffb47825f3452480f86c7cb96559af3fabae
Opcode Fuzzy Hash: dda73f408877ac125e7641b4493cda6db31dca5d7a85f317f3a51be9016d8d4e
Instruction Fuzzy Hash: 13A19678E052588FCB09DFA9D884ADEFFB2BF89321F14806AD509AB315C7319845CF91

Function 0DCFA248 Relevance: 2.7, Strings: 2, Instructions: 182COMMON

Download Yara Rule

Strings

Q+(i, xrefs: 0DCFA387
Q+(i, xrefs: 0DCFA395

Memory Dump Source

Source File: 00000000.00000002.2546692266.000000000DCF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dcf0000_okmnji.jbxd

Similarity

API ID:
String ID: Q+(i$Q+(i
API String ID: 0-3998099878
Opcode ID: 3b88598a624322850eb2dcc54fe537377b5fa63ef6c869d5cb045db489435737
Instruction ID: bc76d4da293f3c014d7e79509c459c02e95bf44f89e6610323845598a1820734
Opcode Fuzzy Hash: 3b88598a624322850eb2dcc54fe537377b5fa63ef6c869d5cb045db489435737
Instruction Fuzzy Hash: E78100B4E0521D8FCB85CFA5C5846EEFBB6BB88300F20942AD51ABB344D7349A41CF54

Function 085EA408 Relevance: 2.7, Strings: 2, Instructions: 177COMMON

Download Yara Rule

Strings

Te]q, xrefs: 085EA5DA
Te]q, xrefs: 085EA471

Memory Dump Source

Source File: 00000000.00000002.2545350290.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85e0000_okmnji.jbxd

Similarity

API ID:
String ID: Te]q$Te]q
API String ID: 0-3320153681
Opcode ID: f513c95516be8dd8155c311e467425f07da372f650d775d2c13827df7c80bfb2
Instruction ID: bbce746550a343ab63e18ca7043e9d51c98eae6a5c9219e16c5a995516bc679c
Opcode Fuzzy Hash: f513c95516be8dd8155c311e467425f07da372f650d775d2c13827df7c80bfb2
Instruction Fuzzy Hash: 4E71A174E002198FDB08CFAAD994AEEBBB2FF88301F10852AE915AB354D7359945CF50

Function 0DCF28D2 Relevance: 2.7, Strings: 2, Instructions: 168COMMON

Download Yara Rule

Strings

Q!, xrefs: 0DCF2B3D
$]q, xrefs: 0DCF2969

Memory Dump Source

Source File: 00000000.00000002.2546692266.000000000DCF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dcf0000_okmnji.jbxd

Similarity

API ID:
String ID: Q!$$]q
API String ID: 0-3702962963
Opcode ID: 091395a8fd6cac83c4748804905903f381d49179a5bc36e43573f03760bd600d
Instruction ID: 9522300d07eaec31b191cad33a6e546f7d02716ba5b7c791a5958dbba97113f7
Opcode Fuzzy Hash: 091395a8fd6cac83c4748804905903f381d49179a5bc36e43573f03760bd600d
Instruction Fuzzy Hash: 7771E574E04208DFDB44DFA5D584AAEBBF2BF88300F20842AE506A7358DB309A46CF51

Function 0DCF9CB0 Relevance: 1.7, APIs: 1, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserW.KERNEL32(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 0DCF9E1B

Memory Dump Source

Source File: 00000000.00000002.2546692266.000000000DCF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dcf0000_okmnji.jbxd

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: 422a3b55e7f0cb6c415ed78b96a68b1f5477bad5179f077088433e42d7fba549
Instruction ID: 54c70dfbe44416aeffc004a069f1b628fef3ff23e92e6dfc967504842e001131
Opcode Fuzzy Hash: 422a3b55e7f0cb6c415ed78b96a68b1f5477bad5179f077088433e42d7fba549
Instruction Fuzzy Hash: DF5105B1900229DFDF64DF99C940BEDBBB5BF48310F1484AAE908B7250DB719A85CF90

Function 085E87F8 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

<, xrefs: 085E892D

Memory Dump Source

Source File: 00000000.00000002.2545350290.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85e0000_okmnji.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: d5d93d18774ec1107b1b26f3a27880cd7326c0f8347f42f0b850ec6dc305e54a
Instruction ID: 018b704e706eec75f6e16b9f999a50cb45ae55fbc641d0960a04141b97d0f165
Opcode Fuzzy Hash: d5d93d18774ec1107b1b26f3a27880cd7326c0f8347f42f0b850ec6dc305e54a
Instruction Fuzzy Hash: B3618375E00658CFDB58CFAAC9446DDBBF2BF89301F14C0AAD409AB225DB345A86CF50

Function 065C10AC Relevance: 1.3, Instructions: 1264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2540309689.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65c0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce2dddafbfea077f14da8c2381e4c8dc8c01fa7bec00e54b0f1d673af69369c6
Instruction ID: 3c605f6f4688a1805b8a53fe861d56724ef02e18f3fa6f794bd9b96115a38ed2
Opcode Fuzzy Hash: ce2dddafbfea077f14da8c2381e4c8dc8c01fa7bec00e54b0f1d673af69369c6
Instruction Fuzzy Hash: BFB23870A1022ACFDB58FF78D9886ADBBB2EB88304F4045A9D44DA3254DF785E85CF51

Function 06962388 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2541174694.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6960000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 215e59b2e5fa854fc7b35c6ee823d66be7e2d3e6c0244de0a650f4acb4b7ee58
Instruction ID: 12ad3e104ddd67e2f4ca89c3991598b4802de5e58733a7be940ae71d17a5c493
Opcode Fuzzy Hash: 215e59b2e5fa854fc7b35c6ee823d66be7e2d3e6c0244de0a650f4acb4b7ee58
Instruction Fuzzy Hash: 04526E34A003058FCB54DF68C944B99B7F2FF89314F2586A9D5586F3A1DB71AA86CF80

Function 06962362 Relevance: .6, Instructions: 594COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2541174694.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6960000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b468e6a24288b8f6653e1dcb2d249b4c6c116ab07491c9be354826010edad0d9
Instruction ID: cabfc2a96763f721e136a9fd09b4679186a76ed0096e325c9cab5bc47b38c4b9
Opcode Fuzzy Hash: b468e6a24288b8f6653e1dcb2d249b4c6c116ab07491c9be354826010edad0d9
Instruction Fuzzy Hash: F2527F30A003458FCB54DF28C944B99B7F2FF85314F2586A9D5586F3A2DB71AA86CF81

Function 085EC39A Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2545350290.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85e0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92b955bf9575db111691bc452f9c8b02c479a71e59e42d6d422efbc0a653cb58
Instruction ID: 1b2cc5c0239dc3356206b39ba1cde533bc43b6d01bcce2c8a68b2dadbbccd36d
Opcode Fuzzy Hash: 92b955bf9575db111691bc452f9c8b02c479a71e59e42d6d422efbc0a653cb58
Instruction Fuzzy Hash: 08D18074D0520ADFCB08CFA9C8808AEFBB2FF89312B14D559E415AB615D734E982CF90

Function 0DCF4BA0 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2546692266.000000000DCF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dcf0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c7981b784863f7b04d2e3b099bfd47d40518bf3239c91b63f3ae482161a6f47
Instruction ID: 844ba648a8e23fad2a67e033dbda8cc98b1323e34ff3befc931dedcf4e8fa1a6
Opcode Fuzzy Hash: 3c7981b784863f7b04d2e3b099bfd47d40518bf3239c91b63f3ae482161a6f47
Instruction Fuzzy Hash: 51D11774A056698FCB69CF25C944BDDFBB6FB88340F10D6EAD50AA7214D7709A82CF40

Function 085EC410 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2545350290.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85e0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 648b5e897e9a1cd08498dcb16ac0f723e50a688ac93367b7a556ab30646e650e
Instruction ID: 68d17873a46ef8daac9109bf3779e5b495aec53ef0b9192efad741318b180a6b
Opcode Fuzzy Hash: 648b5e897e9a1cd08498dcb16ac0f723e50a688ac93367b7a556ab30646e650e
Instruction Fuzzy Hash: D8C12B74D1520ADFCB08CF99C8808AEFBB2FF89302B60D559E415AB614D734E982CF94

Function 010EAEC0 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2525379171.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4450a279b55c115772c7befeb1664f1f6c4952008099916c7a05fabf4d65fb5d
Instruction ID: bae7fb47c723af2cd18cd51e3aa937206a8db02e99c42fa2f1a2fe5fd269f6f0
Opcode Fuzzy Hash: 4450a279b55c115772c7befeb1664f1f6c4952008099916c7a05fabf4d65fb5d
Instruction Fuzzy Hash: 63612A75E01209CFDB04CFAAD488A9EBFF2BF89310F14946AE554A7391DB34A941CB50

Function 085EAB30 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2545350290.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85e0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37ac7d410281b9b5c8fdcad7fff7477596b2885f0dc551dd228c0ac4666bdeaa
Instruction ID: 31a99cbb5bd09cab3d2eb1a4628829b97745e2cf22e21ca0cec344f1a8e39268
Opcode Fuzzy Hash: 37ac7d410281b9b5c8fdcad7fff7477596b2885f0dc551dd228c0ac4666bdeaa
Instruction Fuzzy Hash: 75513A74E052198FDB09CFAAD9406AEFBF2FF89301F24D46AE419A7254D7344A41CFA4

Function 0DCF4280 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2546692266.000000000DCF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dcf0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9b1cf5c60e55da6f8c36616af31d7faf0ce6f0ab31bd14840e371e951b0b175
Instruction ID: a4fe3a667f33c5ca609e15a71683adde10c8cec9450b0e2e7e43e02e0058d6ca
Opcode Fuzzy Hash: f9b1cf5c60e55da6f8c36616af31d7faf0ce6f0ab31bd14840e371e951b0b175
Instruction Fuzzy Hash: 49611474D0821DDFCB49DFE6D588AEEBBB6BB89300F108429E616A7240D7749A05CF50

Function 0DCF4270 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2546692266.000000000DCF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dcf0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c1b88068b637cb560cef1772ebca7569b020fc9b3db2d89a5e45e013ada1dfc
Instruction ID: 0ea31b69e29e7b1d573cf94c922ac424800dbd53eefedd84a847c5b42207b9bc
Opcode Fuzzy Hash: 8c1b88068b637cb560cef1772ebca7569b020fc9b3db2d89a5e45e013ada1dfc
Instruction Fuzzy Hash: 22512674D0921DDFCB59CFA5C448AEEBBB6BF89300F10846AE516A7250D7749A05CF50

Function 0DCF4048 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2546692266.000000000DCF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dcf0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa5b000aa0d74832ef3a56dfb0243ba1d07c3c395fa2d2325ea1082e6127f224
Instruction ID: 7fdd084f7f266eeac30a940881fc649948cb730d54229d13c9375e8495b7400c
Opcode Fuzzy Hash: fa5b000aa0d74832ef3a56dfb0243ba1d07c3c395fa2d2325ea1082e6127f224
Instruction Fuzzy Hash: E24128B4D0920E9BDB48CFA6D9415EFFBB5FB99300F10D82AE611B6214D73886418FA4

Function 0DCF4038 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2546692266.000000000DCF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dcf0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f6f4601d474f67bc1bab4d5cf83e31314da122aceb692ea348ac0724367eed8
Instruction ID: 97e5496c56df521f1dfb7fa32ea310b5a986a29d27c9879bd4ae426368431e72
Opcode Fuzzy Hash: 8f6f4601d474f67bc1bab4d5cf83e31314da122aceb692ea348ac0724367eed8
Instruction Fuzzy Hash: 72414874D0920A9FCB48CFA6D9405EFBBB6FF89310F10D82AE611A7250D7388641CFA1

Function 010EAF11 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2525379171.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66cbc3662a00bf18c9cfa460aef241d78b107802d106353e9b7b6c2120796a44
Instruction ID: a9142c766dc05bd85910e5d8c5a0b54608bd9b0ac5efc9e187a23bfdeef14009
Opcode Fuzzy Hash: 66cbc3662a00bf18c9cfa460aef241d78b107802d106353e9b7b6c2120796a44
Instruction Fuzzy Hash: E341C1B5E012099FDB18CFAAD4446DEBBF2BF88310F14D46AE419A7294DB349941CF50

Function 085EB500 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2545350290.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85e0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba2ee8cb36b06fa438527f4e7326a6329fc845b94c8ce7a452ef8bddac4e240b
Instruction ID: 6031b62a1745e73ee180136933f1f6389a954058514ed1719139ec5d7426f9f6
Opcode Fuzzy Hash: ba2ee8cb36b06fa438527f4e7326a6329fc845b94c8ce7a452ef8bddac4e240b
Instruction Fuzzy Hash: 36310971E016189BDB18CF9AD8447DEFBB3BFC9311F14C06AE409A6254EB75094ACF91

Function 010E6FA0 Relevance: 6.5, Strings: 5, Instructions: 296
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\U, xrefs: 010E71AA
Haq, xrefs: 010E7199
\U, xrefs: 010E724C
\U, xrefs: 010E71DD
Haq, xrefs: 010E71CC

Memory Dump Source

Source File: 00000000.00000002.2525379171.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_okmnji.jbxd

Similarity

API ID:
String ID: Haq$Haq$\U$\U$\U
API String ID: 0-1662492326
Opcode ID: a77f51c1bf5d4e1679c6a5d712a18304765a07774a996f05a227d8a8fa025730
Instruction ID: 2c8276f97fed229a2528f60f62d8c1fc80abc5a2a96f2e02489a5387598b3646
Opcode Fuzzy Hash: a77f51c1bf5d4e1679c6a5d712a18304765a07774a996f05a227d8a8fa025730
Instruction Fuzzy Hash: E8A1D030B002059FDB55AF69D858B6E7BE6FB88340F248869F9469B381CB70CD51CBD1

Function 010E98F0 Relevance: 5.8, Strings: 4, Instructions: 819
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 010EA414
\U, xrefs: 010EA583
(o]q, xrefs: 010EA5F1
$]q, xrefs: 010EA437

Memory Dump Source

Source File: 00000000.00000002.2525379171.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_okmnji.jbxd

Similarity

API ID:
String ID: (o]q$\U$$]q$$]q
API String ID: 0-3438573783
Opcode ID: ba3b982870b49c91579246fafb1d3eff9b0acf14efabd11c2ca41b43eaf02b4c
Instruction ID: 886fd7cdc9f1119feb04ffad5bddfdc920171d434e6996295d9d06fc9de90946
Opcode Fuzzy Hash: ba3b982870b49c91579246fafb1d3eff9b0acf14efabd11c2ca41b43eaf02b4c
Instruction Fuzzy Hash: EC727475A00218CFDB559BA4C994BAEBBB7FF88300F2080A9D10A6B3A5DF319D45DF51

Function 010E76B8 Relevance: 2.7, Strings: 2, Instructions: 228COMMON

Download Yara Rule

Strings

,aq, xrefs: 010E778E
,aq, xrefs: 010E7798

Memory Dump Source

Source File: 00000000.00000002.2525379171.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_okmnji.jbxd

Similarity

API ID:
String ID: ,aq$,aq
API String ID: 0-2990736959
Opcode ID: b0256f80af7c55753916241825cae004c184b74600dfad37c709ef3c8e43bd68
Instruction ID: 340bb9090786255b225ac8d3205ace0fc77924a9a8a33b82a1ea08c851ef7f74
Opcode Fuzzy Hash: b0256f80af7c55753916241825cae004c184b74600dfad37c709ef3c8e43bd68
Instruction Fuzzy Hash: 4581CE34A401068FDB48DF6EC98896EBBF2FF88300B2481A9D585E7365DB31E841CBD0

Function 010E72C0 Relevance: 2.7, Strings: 2, Instructions: 205COMMON

Download Yara Rule

Strings

\U, xrefs: 010E7443
\U, xrefs: 010E73DD

Memory Dump Source

Source File: 00000000.00000002.2525379171.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_okmnji.jbxd

Similarity

API ID:
String ID: \U$\U
API String ID: 0-81487859
Opcode ID: 4937e7dfcec7aae8357fbfca5e74c4184395967244c821c7cf81a0b5699465e2
Instruction ID: c29aaa5e478bf5c331b47a7c07bab0bc25a9dda4c37bec21ab7e15858559c4de
Opcode Fuzzy Hash: 4937e7dfcec7aae8357fbfca5e74c4184395967244c821c7cf81a0b5699465e2
Instruction Fuzzy Hash: B161C0307042418FDB569B7A845863E7BE6AF88350F2489A9E986CB396DF74CC42C7D1

Function 065C8450 Relevance: 1.7, APIs: 1, Instructions: 197COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 065C86A6

Memory Dump Source

Source File: 00000000.00000002.2540309689.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65c0000_okmnji.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b532bb1466aa86121cf6e9c7ea45d631323a381b048b048578713d92c792539c
Instruction ID: 85a4775fa0b800397f64f33f63ff8d0dc02ae2f6a71e8962071b41cbcac35821
Opcode Fuzzy Hash: b532bb1466aa86121cf6e9c7ea45d631323a381b048b048578713d92c792539c
Instruction Fuzzy Hash: 67713270A00B059FDBA4DF69D44079ABBF1FF88224F10892DD48A97A40EB75E945CF90

Function 07C69BA8 Relevance: 1.7, Strings: 1, Instructions: 442COMMON

Download Yara Rule

Strings

@, xrefs: 07C6A05C

Memory Dump Source

Source File: 00000000.00000002.2544195638.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c60000_okmnji.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: bd5738c2c26fed7b41d679e3be991f8528861dd9ae4fe9d2beddc8a56f86ce03
Instruction ID: 721dbd5ed9f53b8a8ae08e49aaadc21b51eb9b953d91e11a67f5108f40f05f2e
Opcode Fuzzy Hash: bd5738c2c26fed7b41d679e3be991f8528861dd9ae4fe9d2beddc8a56f86ce03
Instruction Fuzzy Hash: 51D1C270A142448FC704FF79E99966D7BB2EF89304F4188A9E449E7360DE389C49CB56

Function 085E9674 Relevance: 1.6, APIs: 1, Instructions: 131memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 085E978B

Memory Dump Source

Source File: 00000000.00000002.2545350290.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85e0000_okmnji.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 6ee16631bdf52bd580f74e1017c164d956c4fa1ac828a55deda1975c72747975
Instruction ID: 78d0e6eac2e654ba7e1e65265d683683a65e6fb185151d1f918747300ee5a7ec
Opcode Fuzzy Hash: 6ee16631bdf52bd580f74e1017c164d956c4fa1ac828a55deda1975c72747975
Instruction Fuzzy Hash: 0341AF395083A59ED712DF6DE8466DEFFE0AF46231F0444AED1889F642C2319089CBD2

Function 065CED44 Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 065CEE62

Memory Dump Source

Source File: 00000000.00000002.2540309689.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65c0000_okmnji.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: cb6886bd2588aaa63aff7eac62c5798ac112cd0ab0c9558f575d4b15fad14674
Instruction ID: 218efc20cc108d50a0e4ea3ade4c7639041355de7411ef3ec417b2fdf8159454
Opcode Fuzzy Hash: cb6886bd2588aaa63aff7eac62c5798ac112cd0ab0c9558f575d4b15fad14674
Instruction Fuzzy Hash: FF51BDB1D10359DFDB14CFA9C885ADEBBB5BF48314F24852EE418AB250D7749885CF90

Function 065CED50 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 065CEE62

Memory Dump Source

Source File: 00000000.00000002.2540309689.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65c0000_okmnji.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 16156557b097dcd94c06357893760893ed66cc2381f0e849dab68219532a395b
Instruction ID: 758de21496e017f17e3a653e8b354d3b53ed383f0ee365f0373abf496e6a2f1b
Opcode Fuzzy Hash: 16156557b097dcd94c06357893760893ed66cc2381f0e849dab68219532a395b
Instruction Fuzzy Hash: 4941BDB1D00349AFDB14CF99C885ADEBBB5BF48354F24852AE818AB250D774A885CF90

Function 066C0C70 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 066C0D31

Memory Dump Source

Source File: 00000000.00000002.2540467021.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66c0000_okmnji.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: bac19413c0a649f294da33ecef64ec69aa77359ef9af73d248776743c6ead8aa
Instruction ID: 279517221ae744b3193d4a78ce245c945862fa371f100d5e55fc337a05a67f69
Opcode Fuzzy Hash: bac19413c0a649f294da33ecef64ec69aa77359ef9af73d248776743c6ead8aa
Instruction Fuzzy Hash: 7E4125B4A00705CFCB54CF89C448AAABBF5FB88324F24C49DD519AB321D371A941CFA0

Function 0DCFC1C8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 0DCFC258

Memory Dump Source

Source File: 00000000.00000002.2546692266.000000000DCF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dcf0000_okmnji.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 861ae89816f536a2167d4ef4f198a4bd6a1c909748d88df6136031d744d4a4ee
Instruction ID: 01acd4e487d2380591880cf820812459bd61f6b8bab7fcdf658c9c74d8e9fe5e
Opcode Fuzzy Hash: 861ae89816f536a2167d4ef4f198a4bd6a1c909748d88df6136031d744d4a4ee
Instruction Fuzzy Hash: A02155B190034D9FCB10CFA9C985BEEBBF5FF48320F10842AE918A7240C7789944CBA4

Function 065CAD28 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 065CADB7

Memory Dump Source

Source File: 00000000.00000002.2540309689.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65c0000_okmnji.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a8498a9acc928a5d94cb5b00b5ac1fdc3d707ff0f38e24d256623ce54e0bd82c
Instruction ID: 54649692c1006770c83489b4b170fc30b4279a53820d328a1db3818f3fba450e
Opcode Fuzzy Hash: a8498a9acc928a5d94cb5b00b5ac1fdc3d707ff0f38e24d256623ce54e0bd82c
Instruction Fuzzy Hash: A521E5B59002589FDB10CFAAD984ADEBFF8FB48324F14841AE954A3350D375A950CFA5

Function 0DCFC948 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0DCFC9C6

Memory Dump Source

Source File: 00000000.00000002.2546692266.000000000DCF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dcf0000_okmnji.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 339e3cd2851cb4cb9463b1fc1bbc1e89c52d05c50401ba967e17bd00d036e6ff
Instruction ID: 2d311a7f3394e763be965e52bdac2b0533136a5554fc312809abc1c7b9acc790
Opcode Fuzzy Hash: 339e3cd2851cb4cb9463b1fc1bbc1e89c52d05c50401ba967e17bd00d036e6ff
Instruction Fuzzy Hash: 602149B1D003098FDB10DFAAC5857EEBBF4EF88324F10842AD559A7240C778AA45CFA5

Function 0DCFB780 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0DCFB7FE

Memory Dump Source

Source File: 00000000.00000002.2546692266.000000000DCF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dcf0000_okmnji.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 59edc13140fe8816e5457e4b6c69265e5078bd6001b3b7b1e6827b92c1b70a55
Instruction ID: b6074b8758f83a284c2eff3749d848ec2cedef0e174f06a8a5c8ca083370a989
Opcode Fuzzy Hash: 59edc13140fe8816e5457e4b6c69265e5078bd6001b3b7b1e6827b92c1b70a55
Instruction Fuzzy Hash: 772179B1D003088FCB10CFAAC484BEEBBF4EF88324F10842AD559A7240D7789944CFA0

Function 065CAD30 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 065CADB7

Memory Dump Source

Source File: 00000000.00000002.2540309689.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65c0000_okmnji.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 73fd95d7a66e9b6d9df2c7c520f07f84998836bd04425522d88f99d0e08294c9
Instruction ID: 60a38ee0ec979981315bde0f20a2e0545b4bd75606c3a679b73dab77d6dfea9d
Opcode Fuzzy Hash: 73fd95d7a66e9b6d9df2c7c520f07f84998836bd04425522d88f99d0e08294c9
Instruction Fuzzy Hash: 0A21E4B59002589FDB10CF9AD984ADEBFF4FB48324F14841AE954A3350D374A940CFA4

Function 0DCFC6C0 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

VirtualProtectEx.KERNEL32(?,?,?,?,?), ref: 0DCFC737

Memory Dump Source

Source File: 00000000.00000002.2546692266.000000000DCF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dcf0000_okmnji.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 7d860c11a5f189daa94f4e65b0e68cb193c8ef300bfc2f60911829bfbb58eb05
Instruction ID: 6b3592e9e468c19be8dce698071b914d222ade8ed47ec383059f0d5dde550b1a
Opcode Fuzzy Hash: 7d860c11a5f189daa94f4e65b0e68cb193c8ef300bfc2f60911829bfbb58eb05
Instruction Fuzzy Hash: A02115B19002499FDB10DFAAC984BEEBBF5EF48324F10842AD559A7250C778A945CFA1

Function 0DCF27D0 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 0DCF284B

Memory Dump Source

Source File: 00000000.00000002.2546692266.000000000DCF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dcf0000_okmnji.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 9bd5dbb0841904dfc30f4ba27d7f551d5abc2ca94f2fc8268665207d39810eb8
Instruction ID: 589876cca3a30c9d8212cbc6b62f73df3b7012cbae0d663c8a4e3ceb0adcf1f9
Opcode Fuzzy Hash: 9bd5dbb0841904dfc30f4ba27d7f551d5abc2ca94f2fc8268665207d39810eb8
Instruction Fuzzy Hash: A421F4B69002499FCB10CF9AC484BDEFFF4EB48320F108429E958A7251D374A544CFA5

Function 07C090A0 Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000), ref: 07C09110

Memory Dump Source

Source File: 00000000.00000002.2543936113.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c00000_okmnji.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: a0aa9cda05c1de49a00408b1992e38fd02856ae3702d50faf91ac6660f1b2b0e
Instruction ID: 5de86d6fb605d984392e8f6fa61e2b0e5a45d33e338205965f963b3dd8ace85b
Opcode Fuzzy Hash: a0aa9cda05c1de49a00408b1992e38fd02856ae3702d50faf91ac6660f1b2b0e
Instruction Fuzzy Hash: 631138B1D0066A9FCB14CF9AC54479EFBB4FB48320F10852AD858A7241D338A940CFE5

Function 085E9718 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 085E978B

Memory Dump Source

Source File: 00000000.00000002.2545350290.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85e0000_okmnji.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 9a049a3642fa3c57f6a572eb4d8be221c75a368c0fa8be4e769c20ba14416633
Instruction ID: 7668efea5d8f702ac1378d879c7ec3d8d1f0eed692e39ffc3c68a4158b60ba81
Opcode Fuzzy Hash: 9a049a3642fa3c57f6a572eb4d8be221c75a368c0fa8be4e769c20ba14416633
Instruction Fuzzy Hash: CD21E4B59002499FCB10DF9AC884BDEFFF4FB48324F108429E958A7250D378A544CFA5

Function 0DCF27D8 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 0DCF284B

Memory Dump Source

Source File: 00000000.00000002.2546692266.000000000DCF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dcf0000_okmnji.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a747f7dcfffe52a90709f5f21caf756802fac6535c4d8e55dca7b4abb614c849
Instruction ID: 5e8d6ba112e470ff63e8b1e3b4c658d8e3b447ce76f862e6d2b3d6b970505346
Opcode Fuzzy Hash: a747f7dcfffe52a90709f5f21caf756802fac6535c4d8e55dca7b4abb614c849
Instruction Fuzzy Hash: A521B6B59002499FCB10DF9AC584BDEFFF4FB48324F108429E958A7651D374A544CFA5

Function 065C7808 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,065C8721,00000800,00000000,00000000), ref: 065C8932

Memory Dump Source

Source File: 00000000.00000002.2540309689.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65c0000_okmnji.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d011ee43e3a0cb06ac2b86f5fe94fb76e65fa10ff557740e71ddfa198d36ac09
Instruction ID: f3dc383e2f835dfcef86df2da1306bd359428de339c475e7c2072a466eedf3e5
Opcode Fuzzy Hash: d011ee43e3a0cb06ac2b86f5fe94fb76e65fa10ff557740e71ddfa198d36ac09
Instruction Fuzzy Hash: 371100B69002489FDB20CF9AC844AAEFBF4FB98320F10842EE459A7210C375A545CFA5

Function 065C88C0 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,065C8721,00000800,00000000,00000000), ref: 065C8932

Memory Dump Source

Source File: 00000000.00000002.2540309689.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65c0000_okmnji.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c7c20c8a09cbefdbc03361c85f5a9fe8d87b4d08fad440b0e73c2e2f753f5a35
Instruction ID: df4998af8f15a4115406fddc69b718400932a0135693544517f180f2d46ed243
Opcode Fuzzy Hash: c7c20c8a09cbefdbc03361c85f5a9fe8d87b4d08fad440b0e73c2e2f753f5a35
Instruction Fuzzy Hash: D01100B69002499FCB20CF9AC844A9EFBF4EB88324F10842ED859A7210C379A545CFA5

Function 0DCFBE50 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0DCFBEBE

Memory Dump Source

Source File: 00000000.00000002.2546692266.000000000DCF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dcf0000_okmnji.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7f25b3fd91a4b343bcc57b0b5ea708f3680b55b4d3e2f9e79796271df1c72ac0
Instruction ID: 251d17a0b269eb50f4f67545b3ff557546f4e08eafc714a127e108f8ddc7514b
Opcode Fuzzy Hash: 7f25b3fd91a4b343bcc57b0b5ea708f3680b55b4d3e2f9e79796271df1c72ac0
Instruction Fuzzy Hash: 3C1137B59002499FCB20DFAAC844BEFBFF5EF48324F208819E559A7250C775A944CFA1

Function 0DCFCBD0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 0DCFCC32

Memory Dump Source

Source File: 00000000.00000002.2546692266.000000000DCF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dcf0000_okmnji.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 571e143654f99def1a81945b36db16680df39f6e240998c9b8e02efb70c56f2c
Instruction ID: 57648ca50c59aefdd7eab56d985c37bffbf7735e2b514ce9c89a7599fbba1f1f
Opcode Fuzzy Hash: 571e143654f99def1a81945b36db16680df39f6e240998c9b8e02efb70c56f2c
Instruction Fuzzy Hash: 811136B19003488FCB24DFAAC5457EEFFF5EB88324F208429D559A7250CB79A944CFA5

Function 0DCF7820 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0DCFD21D

Memory Dump Source

Source File: 00000000.00000002.2546692266.000000000DCF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dcf0000_okmnji.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: cbd832326c1fdf953a3a90d6eda3903f6af5cf58175283364b414efd5441ad3e
Instruction ID: 584278646b6bbab3c48d20c629547eea28d56ba3f420e310f5c48937295f2ad8
Opcode Fuzzy Hash: cbd832326c1fdf953a3a90d6eda3903f6af5cf58175283364b414efd5441ad3e
Instruction Fuzzy Hash: 4B11F5B58003499FCB20DF9AD484BDEBBF8EB48324F108459E559A7600D375A944CFA5

Function 065C8640 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 065C86A6

Memory Dump Source

Source File: 00000000.00000002.2540309689.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65c0000_okmnji.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f18bdcf0378153a16a2eb5e9cecade21f363b61ce707942e2790446b913fe1f5
Instruction ID: ae64c228be407f6a18e859c2b1c7a21652859ae5cf512055fec26ecaba8a0538
Opcode Fuzzy Hash: f18bdcf0378153a16a2eb5e9cecade21f363b61ce707942e2790446b913fe1f5
Instruction Fuzzy Hash: 551110B5C006498FCB20CF9AC844ADEFBF4EB88324F14842AD818B7210D375A585CFA5

Function 07C6BA08 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

4']q, xrefs: 07C6BB63

Memory Dump Source

Source File: 00000000.00000002.2544195638.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c60000_okmnji.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 165a0c3646c3802bc51381d80934d0a44f99171449bced8cc4a48bb63c5425d1
Instruction ID: 0663d97242d6941488a5d4f9e33e1dc0acdee7e4d3b7c3f87a028e27ac60a610
Opcode Fuzzy Hash: 165a0c3646c3802bc51381d80934d0a44f99171449bced8cc4a48bb63c5425d1
Instruction Fuzzy Hash: 7791A0B4B141058FC704FFB9D9C966E7BB6EF88344F508868D449EB348EA389C4587A6

Function 010E93A0 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

4']q, xrefs: 010E942B

Memory Dump Source

Source File: 00000000.00000002.2525379171.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_okmnji.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 3b4b23c3c1885f73b54fc896d9576e18ffa9a0598e91e305cde5779d29cbe2ae
Instruction ID: 88a9542c32d14da6ef6d28445da8f733a34ff692dd1c44a42afe2238cc9f3833
Opcode Fuzzy Hash: 3b4b23c3c1885f73b54fc896d9576e18ffa9a0598e91e305cde5779d29cbe2ae
Instruction Fuzzy Hash: BA4147B46001198FCB15DF69D988AAE7BF5FB88314F1044AAE986CB3A1CB30DC50CB91

Function 07C60DD3 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

D, xrefs: 07C60E2A

Memory Dump Source

Source File: 00000000.00000002.2544195638.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c60000_okmnji.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: 0b4ee066cb31a1d14a7f0425cb1a020e1cd43cafdd78200917af71d9176ec1a0
Instruction ID: bf8939f644172da20d68325b2138af33a0d93d0a49667f402975fa3e3338b935
Opcode Fuzzy Hash: 0b4ee066cb31a1d14a7f0425cb1a020e1cd43cafdd78200917af71d9176ec1a0
Instruction Fuzzy Hash: 8231769584E3C65FC7038B788DA46967F709E03214B1A06EBC4C1DB6F3E618094AC7A3

Function 010E96E8 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

4']q, xrefs: 010E9762

Memory Dump Source

Source File: 00000000.00000002.2525379171.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_okmnji.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 4234304ac3f1252f3bfa5bc0315daebc64e05d72d6d1762a7c7948d3af44772a
Instruction ID: 62b117ea93b96e731f419e5df28add330675bbcc055398e79a4b7c9a6e22fe28
Opcode Fuzzy Hash: 4234304ac3f1252f3bfa5bc0315daebc64e05d72d6d1762a7c7948d3af44772a
Instruction Fuzzy Hash: 7F21D3353441458FD744CE6B9848ABFBFEAFB89258F144866E9D1CB244DB71D848C760

Function 07C60EF0 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

43^q, xrefs: 07C60F1B

Memory Dump Source

Source File: 00000000.00000002.2544195638.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c60000_okmnji.jbxd

Similarity

API ID:
String ID: 43^q
API String ID: 0-2065357395
Opcode ID: 83d8d371977f4f8ebc81dbb2f156985d594499532244c8f8f1b75d375db4c924
Instruction ID: 9734255f2cc419736c084f208cd8ee759c92cb068d596c070155632772dc3072
Opcode Fuzzy Hash: 83d8d371977f4f8ebc81dbb2f156985d594499532244c8f8f1b75d375db4c924
Instruction Fuzzy Hash: A2E06828B002540BC3089F36A80877E7A839BC8350F18C86FEC0ADF744DC7589144380

Function 07C6AB18 Relevance: .5, Instructions: 517COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2544195638.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c60000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 591a2f7023e073608f03822cbd52deffe8f11ac81d960583e5e312b5a17d34bc
Instruction ID: abf07996f16efc82a09e0d312cf064f1686dd6f21567785d30c32edcd31569bc
Opcode Fuzzy Hash: 591a2f7023e073608f03822cbd52deffe8f11ac81d960583e5e312b5a17d34bc
Instruction Fuzzy Hash: 980204B0A182458FC705FBB8D99862E7FB2EF85204F554869D489F7381EA3C9C06C367

Function 07C69456 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2544195638.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c60000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28e7a7056016894ccbae4f6368f1d051c43bdb4382604a981595089cfa8fd25a
Instruction ID: d73e618a0c955e78adf9ab0bc00b8c44d6326f5b0c822466f09a30678c2d94ae
Opcode Fuzzy Hash: 28e7a7056016894ccbae4f6368f1d051c43bdb4382604a981595089cfa8fd25a
Instruction Fuzzy Hash: 51E11270A142508FC705BB78D89926D7BF2EF8A308F4509ADD489E7391DB3CAC46C766

Function 07C6A110 Relevance: .4, Instructions: 433COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2544195638.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c60000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bec0e60bf9c4b6c463529a6c3bdedeb74c9473b03e7997408445187b0d399ad1
Instruction ID: 7c47c25e712207abe2d68084f79244fded069deddfae31dd94d31c942f65820b
Opcode Fuzzy Hash: bec0e60bf9c4b6c463529a6c3bdedeb74c9473b03e7997408445187b0d399ad1
Instruction Fuzzy Hash: 56025E74E14215CFCB14AF79E98965DBBB1EF88740F118869D84AE3344EB389C45CFA2

Function 07C68840 Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2544195638.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c60000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf85ac3e1ac0f303cb03b13c51d231428e4f6f094bde480e322b3bcd8c99ff33
Instruction ID: 5d2b643440742a884dffc2d5e7b7de16141d59ba878ecec51d26cdfe540bb0eb
Opcode Fuzzy Hash: cf85ac3e1ac0f303cb03b13c51d231428e4f6f094bde480e322b3bcd8c99ff33
Instruction Fuzzy Hash: 7AC1CF71A10616CFC704BBB9E98922DBBF2EF88744F414868D949E3344DE389C85C7A6

Function 07C6F767 Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2544195638.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c60000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59690965108583ab5fdd0d17fd778778539ea3728b12ccd8db067dd086985768
Instruction ID: 9d24151e80e1e8d8ccaad14c449331cba2d86cab82a0a9f4c2bc20f140b41743
Opcode Fuzzy Hash: 59690965108583ab5fdd0d17fd778778539ea3728b12ccd8db067dd086985768
Instruction Fuzzy Hash: B7C1C370A146109FC304BB7DE99922E7BE6EFC8354F41896CE489D7350DE389C4ACB56

Function 07C69B97 Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2544195638.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c60000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0118b947ee6c0cc379aac9648c418661a507f54c0b55037efd18b9d3c86a3cf0
Instruction ID: d98e010f366b94ecb215e5f29d51e9703ae6d7432777afdf1629df62580f3fbb
Opcode Fuzzy Hash: 0118b947ee6c0cc379aac9648c418661a507f54c0b55037efd18b9d3c86a3cf0
Instruction Fuzzy Hash: 2CC18F70E146058FC708FFB9E99966D7BB2EF88304F418869E449E7350DF389849CB56

Function 07C694C4 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2544195638.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c60000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 639905e1d893249dc7cb07bf76726c432aacbe11fdf6677ee20f707f884e61dc
Instruction ID: a98d1512d9d72e7bf4a7faf4c4c0c7f098ad7aef6b57b82887c265d8befd8c0e
Opcode Fuzzy Hash: 639905e1d893249dc7cb07bf76726c432aacbe11fdf6677ee20f707f884e61dc
Instruction Fuzzy Hash: 55B1D170A146158FCB04BB79D99926D7BF2FF89308F41496CD089E7390EB38AC46CB56

Function 07C69507 Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2544195638.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c60000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48c16d14e8bca16f611026ebfcc185b187604259ed61ebd89c5a1a3a1e23b9b5
Instruction ID: 312413eb7410f4e2f4165e7ea7070762e11fc4fe76af9cd89ecc568ae51cee5b
Opcode Fuzzy Hash: 48c16d14e8bca16f611026ebfcc185b187604259ed61ebd89c5a1a3a1e23b9b5
Instruction Fuzzy Hash: E5B1CE70A106158FCB04BB79D99926D7BB2FF89308F41496CD48AE7350EB38AC46CB56

Function 07C687F7 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2544195638.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c60000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c8efe94765e2502b73af22654913ee9be749afca09e0e1c2c2200aae9a70623
Instruction ID: 928cde2e0eb3ecf8933b9f90042333fc338a01782ec0edcf0fda5758a21f0ced
Opcode Fuzzy Hash: 0c8efe94765e2502b73af22654913ee9be749afca09e0e1c2c2200aae9a70623
Instruction Fuzzy Hash: 17A1EF71A04612CFC704BBB8E98922DBBF2EF88744F4448B9D945E7354DE389C85C792

Function 07C68831 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2544195638.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c60000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b00f89e4d86f0a3ed28a1695b10b4246207d6bfc68dddbdbdbc6859d9a1f638a
Instruction ID: ca14d900ab9a97d4f7c1d79bb6e55b412712c5476faccf78a68505295011d1d0
Opcode Fuzzy Hash: b00f89e4d86f0a3ed28a1695b10b4246207d6bfc68dddbdbdbc6859d9a1f638a
Instruction Fuzzy Hash: 0891BE75A10615CFC704BBB8E98922DBBF2EF88744F4408B9D945E7344DE389C85C7A2

Function 07C6B6CC Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2544195638.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c60000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a0c9e262c2fe527b5399a7a8dc4a89a6899f2f1daf7cb8b7788f3a14543a4d
Instruction ID: 7aec22b3b933bc0459ea4333848f6649b2e7f347947c78fbd81a92aeebe65927
Opcode Fuzzy Hash: 01a0c9e262c2fe527b5399a7a8dc4a89a6899f2f1daf7cb8b7788f3a14543a4d
Instruction Fuzzy Hash: 1671E0B0B146158FC704FFB9E9C922EBBB5EF88304F414969D488E7244EE389C498796

Function 010E95A0 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2525379171.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0085ce0c4cee5d091430327525a177579893abd25bcad4d865ed0ca687e4b5b3
Instruction ID: 108ad28d94a6c99b88c1d02cae21c19614ceee28554f551203d08f58e9dfb61b
Opcode Fuzzy Hash: 0085ce0c4cee5d091430327525a177579893abd25bcad4d865ed0ca687e4b5b3
Instruction Fuzzy Hash: 65518D317101018FDB54DF3EC89CA6EBBE6FF8925971544AAE586CB362EB21DC01CB50

Function 010EFBB0 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2525379171.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62c0f1b9a26dbfda8104f5a9b01c1f76bf9459d62ead2455c48dd03633b61d4e
Instruction ID: 3bdb2c7352cdb0185e66b57af3d0fe838ff55296594403360567e8cbd4f9c511
Opcode Fuzzy Hash: 62c0f1b9a26dbfda8104f5a9b01c1f76bf9459d62ead2455c48dd03633b61d4e
Instruction Fuzzy Hash: C1417E353006068FDBA4DF2EC988B6977E6AF85610F1584A9E9A9CB371DB30EC45CB50

Function 07C6B593 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2544195638.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c60000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6de1d565fcbb9bf0dd50558561db7942a4fdb85487b19bd7a980e4d62d53db8b
Instruction ID: b619fc35a82176157ee1b894e33cd28b7be5ca496ecf45f30b6b6d4d461eca3e
Opcode Fuzzy Hash: 6de1d565fcbb9bf0dd50558561db7942a4fdb85487b19bd7a980e4d62d53db8b
Instruction Fuzzy Hash: C13137317093558FC312BBB8DC957AA7FB5EF86218F4445AAD449EB241CA3C9C0AC762

Function 010E6090 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2525379171.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f6c6ffb3f6c8090782cdf3ddc489195d98cb613d085c8daf82ab6ea632ac3f3
Instruction ID: 9193cd5f482a5920cfacba8f0229ceabaf26a76f8eef7da8e1fb427ba815f937
Opcode Fuzzy Hash: 5f6c6ffb3f6c8090782cdf3ddc489195d98cb613d085c8daf82ab6ea632ac3f3
Instruction Fuzzy Hash: ED31D430700109EFDB469F69E84896E3BF2FB88350F148468F9599B355CB31C861DB51

Function 010E97CF Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2525379171.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85c502cde7ddfa212f418d3a28f13738036345ddf86380e914597149f0787189
Instruction ID: 2eeae68bca38eb1df9b6b2952e63ac4a31f7561d3a2c02782da60ebd8b8529a5
Opcode Fuzzy Hash: 85c502cde7ddfa212f418d3a28f13738036345ddf86380e914597149f0787189
Instruction Fuzzy Hash: 5121A371B001018FEBA61A2BC69C67D66DBDFC874CF244075D586CB3A6EA66CC42D741

Function 010E4F3C Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2525379171.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9e0e9017fdcb7d6336c1e62f4234de60c126e401ead33d317a97b4fa2da5d69
Instruction ID: 67c01731676bee4e549d6b004b4429e8257f317362a3030aa10bb2904d038167
Opcode Fuzzy Hash: e9e0e9017fdcb7d6336c1e62f4234de60c126e401ead33d317a97b4fa2da5d69
Instruction Fuzzy Hash: CE31083590C24ACFCB65DF6AC84C6ACBFF0DB45310F0845A9D195EB3A3C6718506CB51

Function 010E750F Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2525379171.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d776b10b59585f7f507a24ba01c9e6ec8daf0bbe12d63c5ccf103da9bf3bc40
Instruction ID: 7128f7b09a1069d35521d5f8eeaa2ba4fa805224442d5fa889ecef0103c7fe58
Opcode Fuzzy Hash: 9d776b10b59585f7f507a24ba01c9e6ec8daf0bbe12d63c5ccf103da9bf3bc40
Instruction Fuzzy Hash: D521D336700651CFD7569A2AC45892EB7E2EFC874071544B9D95ADB390DA70DC02CBC0

Function 00E7D3B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2525126183.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e7d000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad5dd30c76fb74da8900930ec3c35751dd050ed6efbb13c491ea33c7edf05d21
Instruction ID: 6c0b65347dbf7eb45a1323b805f3182700412d2dcc87aa0fa1d20484a78ac5d2
Opcode Fuzzy Hash: ad5dd30c76fb74da8900930ec3c35751dd050ed6efbb13c491ea33c7edf05d21
Instruction Fuzzy Hash: 2021F1B1508200EFCB05DF14D9C0B26BF75FF94328F20C569E80D6A256D336E856D6A2

Function 07C6B5E0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2544195638.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c60000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db2ac93ea745dfacd4c619b4ad852d5931343d3a97b8756b3429eeed5d713856
Instruction ID: 2d6d8139d68c9ad640eb98e051220c5a1258984bc792b4459aeb931a79dd1dff
Opcode Fuzzy Hash: db2ac93ea745dfacd4c619b4ad852d5931343d3a97b8756b3429eeed5d713856
Instruction Fuzzy Hash: 5411A271B141258BC714BBB9EC9572E77AAFBC8618F804939D40DE3344DE3CAC028796

Function 010E0848 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2525379171.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ca75f06320d20d8def2d141bf40e00aa8e6d238b566b236f5028e0dd8fe962d
Instruction ID: 35ebdbe30ce6c06897bce43337b9e779f0a8dc77b58193683bd712b7462fc56e
Opcode Fuzzy Hash: 6ca75f06320d20d8def2d141bf40e00aa8e6d238b566b236f5028e0dd8fe962d
Instruction Fuzzy Hash: 45214C74E012088FDB08DFAAD5083EDBBF1BB89300F04E029E454B7294DB784645CFA4

Function 00E8D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2525156716.0000000000E8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e8d000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad0036cab1f47407dbfc6da37aca759b7cb0c0e762ebd70c855377fc9014de99
Instruction ID: 7f4b82b3c04be50a36b193d78095a8740b32ed0f4cfdfd53d5dc698d76253d79
Opcode Fuzzy Hash: ad0036cab1f47407dbfc6da37aca759b7cb0c0e762ebd70c855377fc9014de99
Instruction Fuzzy Hash: 5621F271608204DFDB15EF14D984B26BBA6EB84318F20C569D84E5B2D6C33AD847CB61

Function 00E8D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2525156716.0000000000E8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e8d000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef065a2ce3254ec3fd77d09699e8fdc84b6c7801eae56d08f471f3f669a602f9
Instruction ID: 526c99fec3523ec695f4d87884f2fdd898f2d5271d870ce416d0a79aece0431e
Opcode Fuzzy Hash: ef065a2ce3254ec3fd77d09699e8fdc84b6c7801eae56d08f471f3f669a602f9
Instruction Fuzzy Hash: 8A210471548204EFDB05EF54D9C4B26BBA5FB84318F20C66DE80D6B2E6C336D846CB61

Function 010E4DC0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2525379171.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb6aa787f767cad6bbc22491fbaf261ad8ee562986f8833085e90b748ca2b5a2
Instruction ID: 6228153097d930d0bc054c41f8def577d9c0f3b66734d1ed350f9034fb658e3f
Opcode Fuzzy Hash: bb6aa787f767cad6bbc22491fbaf261ad8ee562986f8833085e90b748ca2b5a2
Instruction Fuzzy Hash: 0A21D3B0E042098FDB44CFAAD489AEDBBF1AF89310F149029E405B73A1DB749946CF54

Function 07C6B58F Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2544195638.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c60000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f538d32637512b5c0e757e58900dc50a8f211475c1325fe7f805defad9039943
Instruction ID: a0157c4db2ba786ec8a7a249be11e6c7c3aa46d899b8beffdd977d309cfb48af
Opcode Fuzzy Hash: f538d32637512b5c0e757e58900dc50a8f211475c1325fe7f805defad9039943
Instruction Fuzzy Hash: 601191B1B141158BC704BBB9EC9A26EB7A6FF88218F904979D048E3340DA389C458386

Function 010E6082 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2525379171.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 434bb4ca4237e30be03e66ae4058e299e4f321b53cf995a7310504a95ca1d2a9
Instruction ID: 1b5832c879fb39e87605761ad27f6c3c9777e56bc2387533f6e2bc609300525f
Opcode Fuzzy Hash: 434bb4ca4237e30be03e66ae4058e299e4f321b53cf995a7310504a95ca1d2a9
Instruction Fuzzy Hash: 74210F31604204DFDB46AF68E448B6E3BF1EB88314F1580B8F9599B386CB35C890CB90

Function 00E8D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2525156716.0000000000E8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e8d000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c45e9e28ecf777f3e6a93da7dc2b85986a48199659e91dca95fe4f23abd286d
Instruction ID: 9f1958b7ef1593a634ace3860cbefd61bcee8255bb0a66aca2d82445187d6bf0
Opcode Fuzzy Hash: 6c45e9e28ecf777f3e6a93da7dc2b85986a48199659e91dca95fe4f23abd286d
Instruction Fuzzy Hash: B921417550D3808FDB12DF24D994715BF71EB46314F28C5DAD8498B6A7C33A980ACB62

Function 00E7D3AF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2525126183.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e7d000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: abb8e264829355c4e70962805b059de8938594dc66db5a814f9e7b268337d3d1
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 2E11D376504280DFCB16CF10D9C4B16BF71FF94328F24C5A9D8495B656C336E85ACBA1

Function 07C686B1 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2544195638.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c60000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c20f85af13b675131e8ff8931205d24457b46093f8903c01e99b67eb5ed712ac
Instruction ID: e4645724b6a2c8a69926d74b53616f01e9f12c30897bc3b08c9b3aa1eacad82d
Opcode Fuzzy Hash: c20f85af13b675131e8ff8931205d24457b46093f8903c01e99b67eb5ed712ac
Instruction Fuzzy Hash: 3401D2B054E3955FC3035B74DC698AA3FB6AA0358035904DBE444CB1A2DB158855C7B2

Function 00E8D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2525156716.0000000000E8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e8d000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 98b4a8714e6840d98da1656ba2c43468d8a0abe37d1518e1b564b3dcd771e679
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 8F11BB75548280DFCB02DF54C9C4B15BBA1FB84318F24C6AAD84D5B2A6C33AD81ACB61

Function 010EFD68 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2525379171.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54c9835d4956e86376ee5c596c484b67c43a5b68fa284ebf785bd6a063aac799
Instruction ID: b6e4a91d0495576964ed7a05eb08a9d7751447eefa2d00ebbc1bdee800780c68
Opcode Fuzzy Hash: 54c9835d4956e86376ee5c596c484b67c43a5b68fa284ebf785bd6a063aac799
Instruction Fuzzy Hash: 5911E931B006159FCF90EB69CC48F9D7BF2EF84720F1045A5E669DB291DB719945CB80

Function 00E7D80D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2525126183.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e7d000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8e0887a91f1905a2460cf6df8070f57632d03c70779883b829a89097feba01a
Instruction ID: 1d8bc88552d7239d325383b2f081831d3063943d3197deb87074640ea035441b
Opcode Fuzzy Hash: b8e0887a91f1905a2460cf6df8070f57632d03c70779883b829a89097feba01a
Instruction Fuzzy Hash: 4B01A77150D3409AF7244B56CD84767BFA8EF45378F18C429ED0D6A296C379D840D6B2

Function 010EFE08 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2525379171.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c105776d1626243711711a6618544d80f6dbe8fa80ed49e72bb1f9ae1cbe8d7f
Instruction ID: ad516092a1715ac4baad9c32d0b66ed2fd3d56438b68d35d68f07515e2040c42
Opcode Fuzzy Hash: c105776d1626243711711a6618544d80f6dbe8fa80ed49e72bb1f9ae1cbe8d7f
Instruction Fuzzy Hash: 0A017C70200706CFD764DF69D888B9ABBE4FF44724F108669E169CB3A2DB70E845CB90

Function 07C60E7E Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2544195638.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c60000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ea9ce4a9c364f787076f2460d9a416a21981d9936f0a27b086f3bea66caa82c
Instruction ID: 0f52d7a5a3e921c7ba58fb3b92d48468a4157e59364cd81fa9e7c836e51a10fb
Opcode Fuzzy Hash: 2ea9ce4a9c364f787076f2460d9a416a21981d9936f0a27b086f3bea66caa82c
Instruction Fuzzy Hash: 2C01F2A1A0E3CA8FC303DBB4C9215997FB08F17244B0945DBC485EF1A3EA750E08C7A2

Function 010E4D40 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2525379171.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ae477388e8da413947a9e0ac3a4b9a91c14d5747837c8fea58edc27eb636b08
Instruction ID: c3b3a405248e679f75ee87944c5c5cccaf6f8a0d0a4dd1283ab0967abd26b4cd
Opcode Fuzzy Hash: 7ae477388e8da413947a9e0ac3a4b9a91c14d5747837c8fea58edc27eb636b08
Instruction Fuzzy Hash: CD01D3B4D09209DFDB40EFAAD5487EDBBF4FB08300F1088AAD419E3251E7755A44DB61

Function 010E4D31 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2525379171.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 600afc547f00f5867236fb099bbef7cd2906ee778c502092700fcb64dbc3ba93
Instruction ID: fadc343e0c29256329c49d7e1be660fb7e04d8a683be3fb50393e90dcbb4b307
Opcode Fuzzy Hash: 600afc547f00f5867236fb099bbef7cd2906ee778c502092700fcb64dbc3ba93
Instruction Fuzzy Hash: 9A0104B1D05209DFDB80EFA9D1893EDBFF0EB59300F1084AAD419F3251E67A4A44CB51

Function 00E7D80C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2525126183.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e7d000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e33124bd3805cd9c7d3a129a2704ebd2647c6836ceb783a2ad5b97ac00f128e
Instruction ID: 5c8da8761d1ca45a9abcab7f163246bb6508e9f6f4b4481cc62b82cd91095424
Opcode Fuzzy Hash: 4e33124bd3805cd9c7d3a129a2704ebd2647c6836ceb783a2ad5b97ac00f128e
Instruction Fuzzy Hash: 2DF0C2B14083409AE7248B16CCC8B66FFA8EF51378F18C45AED0C5B296C3799840CA71

Function 07C6F510 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2544195638.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c60000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 362cf38cff21a1c676ef0f76f700b98919d02816cf6081be1cbbcf3014ba689a
Instruction ID: 5f55bcded2ab6c7ee12c6eb7be05cc9b22ee2a66d3272d3eaa7811c354bcb643
Opcode Fuzzy Hash: 362cf38cff21a1c676ef0f76f700b98919d02816cf6081be1cbbcf3014ba689a
Instruction Fuzzy Hash: 4FF049B0E0431AAFDB08DFA9C885AAFBFF4AF08200F004569E514EB341D730C6068BE0

Function 07C6F6A7 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2544195638.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c60000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0429d55c52775ab9788ef8e47c8d0944460ba81088b85b9ba7b4a4bafa810f7d
Instruction ID: 4b2e7e4df223ee32ab4c6dd781d9a70fe5fb32e6c5a23f1785f6608363747c63
Opcode Fuzzy Hash: 0429d55c52775ab9788ef8e47c8d0944460ba81088b85b9ba7b4a4bafa810f7d
Instruction Fuzzy Hash: 73F0A9B494420AAFD300EF6AC888ADEBBF4AF08200F108469E009E7221E77085068FA1

Function 07C6F520 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2544195638.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c60000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9944c2c9a80c0f9fc61fc31c12dfe7e3d70da4aae80812404da2309d55f167d
Instruction ID: d77dbcf344a67cfe04f15560de5e42d47e25acbd22d571abf1fc0bb9ac6fd50e
Opcode Fuzzy Hash: f9944c2c9a80c0f9fc61fc31c12dfe7e3d70da4aae80812404da2309d55f167d
Instruction Fuzzy Hash: 28F0DAB0D0430A9FDB44DFA9D885AAEBBF4BF48210F1045A9D918E7301D7709A408F90

Function 07C6F5B1 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2544195638.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c60000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e435be5b5182de13839c5f888c16127ce7e00c523c855f3c59b299bafc1b66d
Instruction ID: 07bbd6c879c8b9a9e57357322efe7a06af5bf070dc5bfc680882ebc1d2d1c6d1
Opcode Fuzzy Hash: 5e435be5b5182de13839c5f888c16127ce7e00c523c855f3c59b299bafc1b66d
Instruction Fuzzy Hash: 55E0C27A14A3456F8702DEB0FC90C927FAC6B0121030485A3F004DB021E511DA78D7F2

Function 07C6F4B8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2544195638.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c60000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a3f0ddc68956e8dce483bd9f18d1706ee21adb9eb42d1f4641e146afbf69acb
Instruction ID: d803710f46c6f378a5cf5d760d0505e34e142756f05126e1091d36e6190fce2a
Opcode Fuzzy Hash: 0a3f0ddc68956e8dce483bd9f18d1706ee21adb9eb42d1f4641e146afbf69acb
Instruction Fuzzy Hash: CFE06DB0D41A079FD740DF78C989ADBBFF0BF08610F1585AAE01AE7621E77045408B80

Function 07C6F4C8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2544195638.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c60000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f9c780bace8ceac0dad9639c1467d1af31b480add5ace170bc7c17e6e48f34e
Instruction ID: 458c6a788424e63903031ab34983da5e9f60eaf4b2877fc59ac02338c20049ef
Opcode Fuzzy Hash: 5f9c780bace8ceac0dad9639c1467d1af31b480add5ace170bc7c17e6e48f34e
Instruction Fuzzy Hash: 2FE0B6B0D4020ADFD740EFB9D989A5EBBF1BF08600F21C5A9D419E7211EB749A058F91

Function 07C6F6B8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2544195638.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c60000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 835b6fe33a652b1bb7cd5bae6c4fa850958f9173e2a8edc58073bc3a6b93da9f
Instruction ID: 78cb9b5a57c8dbc113c70a9798c32ce68dfeb654a51792fe1403fd9e58bc2d3f
Opcode Fuzzy Hash: 835b6fe33a652b1bb7cd5bae6c4fa850958f9173e2a8edc58073bc3a6b93da9f
Instruction Fuzzy Hash: 28E0B6B0D44209DFD740EFAAC889A5EBBF1BF08200F5084A9D015E7221E77496018F91

Function 010E7957 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2525379171.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c66c6952f2475081e1cbf1f156d8ba08fe739df5d5ff2e337c6559ddaca5ac9
Instruction ID: bec42a8cf9b23b8f1c02c281d99f4efed6649e1b5d667f079d6db5083842501c
Opcode Fuzzy Hash: 6c66c6952f2475081e1cbf1f156d8ba08fe739df5d5ff2e337c6559ddaca5ac9
Instruction Fuzzy Hash: 60D05EB49813044FD741EB70E9CAEDD7BA2EB90304B60A660950A1762BDAB4984A8B00

Function 07C60EB8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2544195638.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c60000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e365508e53bbe4240dd3cfb3323e0d46a89a570311d18d40e0989294f246b0ad
Instruction ID: 569bd91550ebc3d546432065e34d269edb5b3e4236b7fe870eb87f3f489aea32
Opcode Fuzzy Hash: e365508e53bbe4240dd3cfb3323e0d46a89a570311d18d40e0989294f246b0ad
Instruction Fuzzy Hash: 95D012B0D0510CEFCB00DFB4D9519ADB7B5EB49244B5049E9D409E7600EB316F049B90

Function 010EA525 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2525379171.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aac3cfe4708aab6e7b84e0ce207cf22667f662077d1ae819891f613f84c1a98b
Instruction ID: f06da9345e2f0e13828a70340840869c693ac7ced75eb9bdec264f3b19bc3fea
Opcode Fuzzy Hash: aac3cfe4708aab6e7b84e0ce207cf22667f662077d1ae819891f613f84c1a98b
Instruction Fuzzy Hash: 26D0173BB40008DFCB008F88E8408DDB7B6FB9C221B148016E911A3220C6319821DB90

Function 010E7968 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2525379171.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e696c179dd9a386f23fea4767636577cafbd9c560736848d707b56c63b26191
Instruction ID: c066c737a7535eda60f3d2ead3ad9d34ac116fe12bab1e8c24e6c771ba7ca8be
Opcode Fuzzy Hash: 3e696c179dd9a386f23fea4767636577cafbd9c560736848d707b56c63b26191
Instruction Fuzzy Hash: C7C022300403084EC280F330F900C14B7AAEA803087A0A520A00E0762EDF70A8884B80

Non-executed Functions

Function 0DCFEF28 Relevance: 2.8, Strings: 2, Instructions: 298COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0DCFF1EB
PH]q, xrefs: 0DCFF113

Memory Dump Source

Source File: 00000000.00000002.2546692266.000000000DCF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dcf0000_okmnji.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: bda9cd4601b794e50f41a54fc53caf619b31d910938b0714a7cbaa1be95a5161
Instruction ID: 86c33dfb9ef53f8bb4d57c8787db2fafbbab494b35580d19ee58ec2fe9f75969
Opcode Fuzzy Hash: bda9cd4601b794e50f41a54fc53caf619b31d910938b0714a7cbaa1be95a5161
Instruction Fuzzy Hash: 5CD1AE74A006098FDB58DF69C598AE9B7F1FF88701F2580A9E506AB371DB31ED44CB60

Function 085ED2B8 Relevance: 1.5, Strings: 1, Instructions: 202COMMON

Download Yara Rule

Strings

L~, xrefs: 085ED3A6

Memory Dump Source

Source File: 00000000.00000002.2545350290.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85e0000_okmnji.jbxd

Similarity

API ID:
String ID: L~
API String ID: 0-3876828424
Opcode ID: fb3adf21c16092e1b525245530c655aaadbaa6a7e756d31ad3b040866063bdf0
Instruction ID: 99d52ff53d2bf4eed8cd3a1cf09d1e36298e1dd83afc74f0b8260e90c69d37ae
Opcode Fuzzy Hash: fb3adf21c16092e1b525245530c655aaadbaa6a7e756d31ad3b040866063bdf0
Instruction Fuzzy Hash: A2910374E15219CFCB48CFA9C9849AEFBF1FF88315F24945AE415AB224D334AA42CF51

Function 085ED2A9 Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

L~, xrefs: 085ED3A6

Memory Dump Source

Source File: 00000000.00000002.2545350290.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85e0000_okmnji.jbxd

Similarity

API ID:
String ID: L~
API String ID: 0-3876828424
Opcode ID: d14384e9b77dfb3f62a5083484e25e6c0688399a515397d98ad511130d692e5a
Instruction ID: 49a61d55f584fb1d0a0188557ce5b963451f8350fbf61066f70a0344b1bce8e9
Opcode Fuzzy Hash: d14384e9b77dfb3f62a5083484e25e6c0688399a515397d98ad511130d692e5a
Instruction Fuzzy Hash: 30910474E1521ACFCB48CFA9C98489EFBF1FF88311F14956AE415AB224D334AA42CF51

Function 07C6EC2D Relevance: .7, Instructions: 743COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2544195638.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c60000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78dfe073ae9a553671f7019c1e183cd9e8b4ff1486b22f3b7a951def9343f8a0
Instruction ID: 2396d01f1405e618fdda118e7054abd4fbe4f61808ed864b51cbbd54851aab9b
Opcode Fuzzy Hash: 78dfe073ae9a553671f7019c1e183cd9e8b4ff1486b22f3b7a951def9343f8a0
Instruction Fuzzy Hash: 7E32CF70E042458FCB05EFB9D8945AEBFF2FF89204B15856ED049EB251DF389846CB92

Function 0DCFE0A8 Relevance: .4, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2546692266.000000000DCF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dcf0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ee14f5d2af82856379b87d97ca01e95f87ebc2d8fff20a0ca796902911a012c
Instruction ID: a33a8bb9a90b1dfd44eeef3fb7726c4a09a0041fcf60c1f269d72027dfd73717
Opcode Fuzzy Hash: 2ee14f5d2af82856379b87d97ca01e95f87ebc2d8fff20a0ca796902911a012c
Instruction Fuzzy Hash: A2E1AE317006098FDB99EB75C8507AE77EBAFC8700F15846DE25A8B7A0DB34EA05CB51

Function 0696C2B0 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2541174694.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6960000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f7a14d38c306d1366647f5fab70f4caddfc55323a3da78b545cd23bd183f375
Instruction ID: f374dcc46f3300ed5f07669637803a0f58d2e7f2fc0654e1a49cc152a8af4f04
Opcode Fuzzy Hash: 9f7a14d38c306d1366647f5fab70f4caddfc55323a3da78b545cd23bd183f375
Instruction Fuzzy Hash: 37A1A570B002559FDB48BBB9841477F6AABAFC4750F248578900DEB7D8CE389D4387A1

Function 065CD4A8 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2540309689.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65c0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 330e1f8b9330cc68a4e44c21833cb379a84c09b6450ae764d8efd539dcce891f
Instruction ID: 342cfc814770f4135771cbd4a4577c5d1b5eaf161a26c392cbfb931a7b3a15be
Opcode Fuzzy Hash: 330e1f8b9330cc68a4e44c21833cb379a84c09b6450ae764d8efd539dcce891f
Instruction Fuzzy Hash: AF12B6F0CC17459BD332CF29EA4C9893BB1BB41398FD04A09D2652B2E5DBB415AACF44

Function 07C0C6D1 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2543936113.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c00000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aea60af667c9fd6f6ba748d3fe26f75d084e8e49ffae2fe12493f1946caf1da5
Instruction ID: f03b82e10cbd326d3149f36b9633136a0c1495e0a750f17c5663f9123eee0863
Opcode Fuzzy Hash: aea60af667c9fd6f6ba748d3fe26f75d084e8e49ffae2fe12493f1946caf1da5
Instruction Fuzzy Hash: E4D10831D1075A8ACB01EBB4D950B9DF7B1EF95300F10D79AE40A77614EB706AC9CB91

Function 065CAB24 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2540309689.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65c0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e22c2db4d10e25a2b4fc65de5590a06f303469004655fd5ce4e5ab640cc7087
Instruction ID: ec7bd5146813680253a05904982ee59fbc94d20259700ecb11c5b0042079b4bc
Opcode Fuzzy Hash: 7e22c2db4d10e25a2b4fc65de5590a06f303469004655fd5ce4e5ab640cc7087
Instruction Fuzzy Hash: 32A17C32E1020A8FCF45DFA4C84499EBBB2FF85314B15856EE805AB265DB31E955CF90

Function 07C0C6E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2543936113.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c00000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0607fbe633b6680ff8ada2b76ac9cc5e530abafef41080a933c83498b14de101
Instruction ID: 1474cbdf37c08cb3d1a16cee0dca2b7f161a83cfb1582e3843ab85e82d482af8
Opcode Fuzzy Hash: 0607fbe633b6680ff8ada2b76ac9cc5e530abafef41080a933c83498b14de101
Instruction Fuzzy Hash: 35D10931D1075A8ACB01EBB4D990A9DF3B1FF95300F10D79AE50A77614EB70AAC9CB91

Function 0DCF7EB0 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2546692266.000000000DCF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dcf0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24b18550e1ba53e86a287f50a8596e5bef4d848bb61f2cf0de82f06be6d89005
Instruction ID: d83d52884585533a076f10f044269808a72464bf1f77103dd95d07fa26c8b379
Opcode Fuzzy Hash: 24b18550e1ba53e86a287f50a8596e5bef4d848bb61f2cf0de82f06be6d89005
Instruction Fuzzy Hash: A3A115B4E04218CFDB84CFA6D944AEDBBF6FF89340F14952AE60ABB254D7349901CB14

Function 065CD498 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2540309689.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65c0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cc853f0a00dcd5fc7b7d747f5f6915002f7b27d4f80bc53da866d3dbfa80fc0
Instruction ID: 3da8dfb1f53697c5cc91e1e1a703e5cef755f268046737b55f954b409bd796a2
Opcode Fuzzy Hash: 4cc853f0a00dcd5fc7b7d747f5f6915002f7b27d4f80bc53da866d3dbfa80fc0
Instruction Fuzzy Hash: F3C15DB0CC17458FD722CF69EA485897BB1FF813A8F904B19D1616B2E0DBB455AACF40

Function 0DCF7EA1 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2546692266.000000000DCF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dcf0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c687b71508cb5a0b9625ee71b41599719396dad49bbb2de4c796ca55d2cb972
Instruction ID: c0464464deb58877095cfab776af6f5f5daf233d8f3ca54c3efe68a91dd09370
Opcode Fuzzy Hash: 5c687b71508cb5a0b9625ee71b41599719396dad49bbb2de4c796ca55d2cb972
Instruction Fuzzy Hash: 22A1F4B4E05219CFDB48CFAAD944ADEBBF2FF89310F14952AD60ABB254D7349901CB14

Function 085EE749 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2545350290.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85e0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dd33eaa899cc2afb788a2e78dca96a173c4a34597a35992ee96576eb42c2694
Instruction ID: 4c634dcc2f8f7716954f7ccc79bb8de6df62dd3d63b1e2f43b71694849faf193
Opcode Fuzzy Hash: 5dd33eaa899cc2afb788a2e78dca96a173c4a34597a35992ee96576eb42c2694
Instruction Fuzzy Hash: 5E712974E15209CFCB08CFA9C9818DEFBF2FF89210F24986AE405B7354E33499468B64

Function 085EE758 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2545350290.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85e0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8ed8ea2910245378b5b9c4499d70b7edf5e8b5bc0eeafa2f3e78c75665d111d
Instruction ID: f3a1c866bb17f7cab2b55c795765e420f3c8691a3b3a60d5fc349aa4e722dbae
Opcode Fuzzy Hash: b8ed8ea2910245378b5b9c4499d70b7edf5e8b5bc0eeafa2f3e78c75665d111d
Instruction Fuzzy Hash: 10711874E15209DFCB08CFA9C9819DEFBF2FF89211F24986AE415B7354E3309A458B64

Function 085EE1A1 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2545350290.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85e0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ac9b9c2385fda6d46ef01b891262c40fa45a5886ec3502046367be2546f1ff1
Instruction ID: 09462103db8fcfc3cc177b0fe730a0eed698c55020671b9db31a220af96783c8
Opcode Fuzzy Hash: 5ac9b9c2385fda6d46ef01b891262c40fa45a5886ec3502046367be2546f1ff1
Instruction Fuzzy Hash: 4E6138B0D15219DFCB08CF99C8815AEFBB2BF89341F14955AE415AB344D734AA82CF91

Function 085EDEB0 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2545350290.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85e0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cc03b39c9658492fa3574772fbfebcef4604637973d00af4a9f410b9ff4a275
Instruction ID: 3b4df8d9260082fe89a334646248e12183ec8dc910ecc3bd1f5db5211cf52c58
Opcode Fuzzy Hash: 8cc03b39c9658492fa3574772fbfebcef4604637973d00af4a9f410b9ff4a275
Instruction Fuzzy Hash: 2D7117B4E0121ACFCB08CF99D9849AEFBB2FF88311F149459E415A7314D334AA82CF94

Function 085EDEA0 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2545350290.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85e0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 396f381109d24d29d7044ad33c6a9ee5e110ecc57f0d8a612480a3f02646358a
Instruction ID: c45a67233e5505d3ba2befbc558ae5f62c7ca9d851eb1f3637c772c9967f3e08
Opcode Fuzzy Hash: 396f381109d24d29d7044ad33c6a9ee5e110ecc57f0d8a612480a3f02646358a
Instruction Fuzzy Hash: 656117B4E0521ACFCB08CF99D9859AEFBB2FF88311F149556E415A7314D334AA82CF91

Function 085EEB7A Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2545350290.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85e0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dfe796c8b6e5f93ab969aef0c9ea009b10ab7674cab6b0fc16ffbba862f22ec
Instruction ID: ade27b6cad81b07eab637f014bda0ad05376ea8a1970d8f27a2b2e376e908fad
Opcode Fuzzy Hash: 8dfe796c8b6e5f93ab969aef0c9ea009b10ab7674cab6b0fc16ffbba862f22ec
Instruction Fuzzy Hash: 7F410E70E016199FDB58CF6AD84069EFBF3BF89300F14D0AAD409AB255DB309A468F51

Function 085EE510 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2545350290.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85e0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 341f4c6568771c39b69dae21f94516a6ab79c167f19d3734ac5da6e6a77abd9a
Instruction ID: 58c8989af6f42a00332f5026eee7f2e905764177d13fa8fac9b29a840ea170bc
Opcode Fuzzy Hash: 341f4c6568771c39b69dae21f94516a6ab79c167f19d3734ac5da6e6a77abd9a
Instruction Fuzzy Hash: 61413DB0E1560A9FCB48CFAAC9815AEFBF2FF89301F14D46AD415E7254E33496418FA4

Function 085EE520 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2545350290.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85e0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 412117d24c40208949a3604261ae5b03a5a0957c634c3bc2be9b25cbf84a8841
Instruction ID: 73fe24eef42ab26ad59866a768b99980fff85d6e92f0a2407dff723086b2c7c8
Opcode Fuzzy Hash: 412117d24c40208949a3604261ae5b03a5a0957c634c3bc2be9b25cbf84a8841
Instruction Fuzzy Hash: 40410CB0E1460E9FCB48CFAAC9815AEFBF2FF89301F54D46AD415A7214E73496418F94

Function 0DCF0023 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2546692266.000000000DCF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dcf0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f22fc852e96b3ef73849f5462ee898c9204be30d22232f912d19feaae344b82
Instruction ID: 9aaad3faca52ec343fb963ab16bda971247e7eb528b5fe784b3a0a0b6f1b9cd6
Opcode Fuzzy Hash: 4f22fc852e96b3ef73849f5462ee898c9204be30d22232f912d19feaae344b82
Instruction Fuzzy Hash: 36417C71E056588FEB59CF6B8D4479AFBF3AFC9300F18C1BA850CAA265DB3449468F11

Function 0DCF0040 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2546692266.000000000DCF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dcf0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a05d70543fa27e4bdc9918d94026d1cd1647a349af0bdd4f0082d8616d511bc
Instruction ID: 601381e52cba42a96c8e39da09b97f0dd12f60ed7b5c1b77761cd8dae864c492
Opcode Fuzzy Hash: 8a05d70543fa27e4bdc9918d94026d1cd1647a349af0bdd4f0082d8616d511bc
Instruction Fuzzy Hash: 8D413DB1E056188BEB68CF6B8D4479EFBF7BFC9300F14C1BA950CA6254EB344A458E51

Function 0DCF80A9 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2546692266.000000000DCF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dcf0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c0779205a02ca86e0efda220702201bacc045b5a292b96e7bcb6f27cb0a9153
Instruction ID: 66dc58518a698c6aba61bdcbbee4c4738911d44f12565686789d3ba740cdd4af
Opcode Fuzzy Hash: 3c0779205a02ca86e0efda220702201bacc045b5a292b96e7bcb6f27cb0a9153
Instruction Fuzzy Hash: 6441F2B4E04219CFDB84CFA9D981ADEBBB2FF89310F14952AD206B7254D7349901CF28

Function 085E97C8 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2545350290.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85e0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6fd03936784eb1227d448563d5a6f35978d02b63d36a187b347557752b0ec01
Instruction ID: f7b7335aa89058318452c36a8dd5f7696ac237d2d5842661e0b110dad6ab97bf
Opcode Fuzzy Hash: e6fd03936784eb1227d448563d5a6f35978d02b63d36a187b347557752b0ec01
Instruction Fuzzy Hash: 5A31FD71E056189FEB58CFABD84069EFBF7AFC9300F04C0BAD519A6265EB3009458F61

Function 0DCF3210 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2546692266.000000000DCF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dcf0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e72f7f889cf017633ec336af31eca6bae73c657c0744647c195e204797ed5fc4
Instruction ID: ca5457375fb84d411c41f5e149129b0e13f39620820985a6da2fce87c511e62e
Opcode Fuzzy Hash: e72f7f889cf017633ec336af31eca6bae73c657c0744647c195e204797ed5fc4
Instruction Fuzzy Hash: 0C214771E116199BDB48CFAAD9406EEFBF7BFC8210F14C12AD508A7254DB305A018F51

Function 0DCF85E0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2546692266.000000000DCF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dcf0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9f1cf772648b95acdded088a859824e895468df32d094781136a6e376f3ec16
Instruction ID: f58cd7dc982c1ab39e96e837d7e57678869a21187c58ed5a5f216b4641e01129
Opcode Fuzzy Hash: a9f1cf772648b95acdded088a859824e895468df32d094781136a6e376f3ec16
Instruction Fuzzy Hash: 6811F6B1E116198BDB48CFABD9446EEFBF7BFC8210F14C07AD518A7214DB305A028B91

Function 0DCF68E8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2546692266.000000000DCF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dcf0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d56336a5e70891a12466d208cce3d44ddbc3036758c8e7331ddbc270af52bae5
Instruction ID: 02879deb81aa649ad9b5defa8cdeed2943f37c347dfe3ed59decb834f1a47951
Opcode Fuzzy Hash: d56336a5e70891a12466d208cce3d44ddbc3036758c8e7331ddbc270af52bae5
Instruction Fuzzy Hash: 1D110671E116199BDB48CFAAD9406EEFBF7AFC8210F14C03AD508A7214DB305A468F51

Function 0DCF3878 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2546692266.000000000DCF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dcf0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e35bfa51f21fd281b8465ffa812f99068fe0ba54edd20a369f9d9d671ec8ce9
Instruction ID: 51617d76be080d60cdd054d2381587ffabf519e532040669f03dc51e4b5e54f9
Opcode Fuzzy Hash: 8e35bfa51f21fd281b8465ffa812f99068fe0ba54edd20a369f9d9d671ec8ce9
Instruction Fuzzy Hash: C311F971E116199BDB58CFABD9406EEFBF7EFC8210F14C06AD508A7314DA309A168F61

Function 0DCF2B80 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2546692266.000000000DCF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dcf0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b05930bcfc88ff432c3a0a69447b1db8dc526c1c4f6eef4e8f871b7c31f74c1
Instruction ID: 8af75f0ee8b83d22bc9a42c9a5939084c1fef0d195c425bb13280aca688141a6
Opcode Fuzzy Hash: 1b05930bcfc88ff432c3a0a69447b1db8dc526c1c4f6eef4e8f871b7c31f74c1
Instruction Fuzzy Hash: 42112671E116199BDB58CFABE9406EEFBF7BBC9310F14C07AE508A7214DA305A028B54

Function 0DCF3200 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2546692266.000000000DCF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dcf0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61cc2b1e29541b229276a2e7fac39b7a0e365a9b16095e42c3b4c64c14320f7c
Instruction ID: 9bc2e9195184deb83f68724e1ce485e85b3bcd9cc869b4b86fbfe39542267a82
Opcode Fuzzy Hash: 61cc2b1e29541b229276a2e7fac39b7a0e365a9b16095e42c3b4c64c14320f7c
Instruction Fuzzy Hash: 102158B0E1165A9FDB48CFAAC9006DFFAF3AFC9210F14C16AD408A7265DB344A45CF61

Function 0DCF68D8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2546692266.000000000DCF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dcf0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d7e2426d1d80c99730bb9d820eac6e7e5d4a08c74493e9de8957b2df8851bd
Instruction ID: 482583f44789d544211bbd2d22e9ac4beec6623947a1fc9f55bd72f120507536
Opcode Fuzzy Hash: 76d7e2426d1d80c99730bb9d820eac6e7e5d4a08c74493e9de8957b2df8851bd
Instruction Fuzzy Hash: 19214770E156599BDB48CFAAC8406EEBBF3AFC9210F14C07AE408A7265DA304A46CF51

Function 0DCF2B70 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2546692266.000000000DCF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DCF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dcf0000_okmnji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fafee64016625d767d7ffd2be53f0b8d85d0d275a5c56e514ad14ec6367b7c1
Instruction ID: d6e9780e1a013662f1e2cd68fcd418b619ec342ef7b97eb84d7ea597c2df03fc
Opcode Fuzzy Hash: 4fafee64016625d767d7ffd2be53f0b8d85d0d275a5c56e514ad14ec6367b7c1
Instruction Fuzzy Hash: EE213070E116599FDB58CFAAD9406EEFBF3AFC9300F18C06AD408A7255DA304A068B55

Function 010EAAE8 Relevance: 6.4, Strings: 5, Instructions: 197COMMON

Download Yara Rule

Strings

$]q, xrefs: 010EABF8
\U, xrefs: 010EAC90
\U, xrefs: 010EACB5
$]q, xrefs: 010EAC04
Haq, xrefs: 010EACA4

Memory Dump Source

Source File: 00000000.00000002.2525379171.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10e0000_okmnji.jbxd

Similarity

API ID:
String ID: Haq$\U$\U$$]q$$]q
API String ID: 0-43651402
Opcode ID: 466d4a9264a6c7a86a98d91e2c994aca72179abc1b672c8586840a6fd0b3d355
Instruction ID: 4b1817734643a3b2beba4932e0b7d62f0323427f6d2d8f17fcac6d6e3a949310
Opcode Fuzzy Hash: 466d4a9264a6c7a86a98d91e2c994aca72179abc1b672c8586840a6fd0b3d355
Instruction Fuzzy Hash: A851B231B40614CFDB496F3A946C57E3BE7AFC868071848AAE547CB3A5DF24CD118791

Analysis Process: InstallUtil.exePID: 7336, Parent PID: 5284COMMON

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3%
Total number of Nodes:	101
Total number of Limit Nodes:	13

Executed Functions

Function 06712AB8 Relevance: 8.4, Strings: 6, Instructions: 935COMMON

Download Yara Rule

Strings

$]q, xrefs: 0671377C
$]q, xrefs: 0671373B
$]q, xrefs: 0671372F
$]q, xrefs: 06713764
$]q, xrefs: 06713788
$]q, xrefs: 06713758

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3723351465
Opcode ID: 8055232f12e649e22331ef3b451af65236a1c16ae9ba18a3f5522b0e24694347
Instruction ID: d4f4c8d176a5230f0856f1b31cc59401768a92b296df699c2cb017632dc33f19
Opcode Fuzzy Hash: 8055232f12e649e22331ef3b451af65236a1c16ae9ba18a3f5522b0e24694347
Instruction Fuzzy Hash: FD825C30E00619CFCB64DF69C494AADB7B2FF85310F54C6AAD459AB255EB30ED85CB80

Function 0671B200 Relevance: 8.3, Strings: 6, Instructions: 768COMMON

Download Yara Rule

Strings

$]q, xrefs: 0671BBA5
$]q, xrefs: 0671BBE5
$]q, xrefs: 0671BB71
$]q, xrefs: 0671BBD9
$]q, xrefs: 0671BB7D
$]q, xrefs: 0671BBB1

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3723351465
Opcode ID: 67ea794b6b047d2c3ee17402913f8b90de16ab6aabafe947f0afa4901dbe80d1
Instruction ID: 96990c9efece85a66fd9e0e4c709bd36e91e509283ccd1bdc058cc2b6259c4dd
Opcode Fuzzy Hash: 67ea794b6b047d2c3ee17402913f8b90de16ab6aabafe947f0afa4901dbe80d1
Instruction Fuzzy Hash: 78526D30E002098FDB64DB6DD5947ADB7B2EB85B10F10892AE409EF395DB35DC86CB91

Function 06717D48 Relevance: 3.0, Strings: 2, Instructions: 471
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 067182B4
$]q, xrefs: 067182C0

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 5b4e4e3a1bcdc248b95c14507ed6f3bc3ae935628442c64f6f8d5bce7bdf07e3
Instruction ID: 974cf145f1471ff6351e48b3175ab7444f7fcc2a1655bd3f939bfd663a337ed7
Opcode Fuzzy Hash: 5b4e4e3a1bcdc248b95c14507ed6f3bc3ae935628442c64f6f8d5bce7bdf07e3
Instruction Fuzzy Hash: E1028F30B002198FDB59DB69D4946AEB7E2FF84304F248529E40ADF395DB35ED86CB81

Function 06715170 Relevance: 1.8, Strings: 1, Instructions: 592COMMON

Download Yara Rule

Strings

$, xrefs: 06715840

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: a4451a34a9285f9b397b44673641363f1c39203927081e01d5475b9e2fe2f37d
Instruction ID: 517497c80b7d9a673da13d6ff97f39365c3210cfe4df93536d493565310246a9
Opcode Fuzzy Hash: a4451a34a9285f9b397b44673641363f1c39203927081e01d5475b9e2fe2f37d
Instruction Fuzzy Hash: B922B3B5E102158FEF68DBA9C4806AEB7F2EF84310F24856AD449AF344D735DD42CB91

Function 013C70A8 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 013C711F

Memory Dump Source

Source File: 00000003.00000002.3285554606.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13c0000_InstallUtil.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 3b199517d4dce9c4fbddde92a890cbd1427e559c3ccb0ae27b7a37617d09eb79
Instruction ID: 62828b2414a12c67d3ab811ec63d7e028c12a37668b5edf84f121bc4b2b6f835
Opcode Fuzzy Hash: 3b199517d4dce9c4fbddde92a890cbd1427e559c3ccb0ae27b7a37617d09eb79
Instruction Fuzzy Hash: 0B2159B1D00259CFCB10CF9AD444BEEFBF4AF48320F14846AE854A3250D778A944CFA0

Function 067165C0 Relevance: .8, Instructions: 812COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cff4596a329877f8c644ab6fcef86d4c1f99450766c8ab7beaf2b59538888bb1
Instruction ID: 87f358576e11fdd45a85169259b54ba1515f182cd46bd421345da7106fc60d78
Opcode Fuzzy Hash: cff4596a329877f8c644ab6fcef86d4c1f99450766c8ab7beaf2b59538888bb1
Instruction Fuzzy Hash: FA629C34E002148FDB54DB69D594AADBBF2EF84314F24856AE40AEF395DB35EC46CB80

Function 0671AC98 Relevance: 10.4, Strings: 8, Instructions: 389
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 0671ADB9
$]q, xrefs: 0671AE3B
$]q, xrefs: 0671AE0C
$]q, xrefs: 0671AE18
$]q, xrefs: 0671AE70
$]q, xrefs: 0671AE47
$]q, xrefs: 0671AE64
$]q, xrefs: 0671ADC5

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-1273862796
Opcode ID: 9750e2eed6d7eeca2c7d728b82446df2ce5ae63c6bd9c5ff67b5f8c50d335555
Instruction ID: 7a767cf7ad87b0edcd7629954a0afed210c71053e9da24efb0494d94ff5e2d5b
Opcode Fuzzy Hash: 9750e2eed6d7eeca2c7d728b82446df2ce5ae63c6bd9c5ff67b5f8c50d335555
Instruction Fuzzy Hash: 38E16E30E102098FCB69DF69D5946AEB7B2EF84304F20862AE409EF355DB31DD46CB91

Function 066F348B Relevance: 6.1, APIs: 4, Instructions: 129
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 066F350E
GetCurrentThread.KERNEL32 ref: 066F354B
GetCurrentProcess.KERNEL32 ref: 066F3588
GetCurrentThreadId.KERNEL32 ref: 066F35E1

Memory Dump Source

Source File: 00000003.00000002.3291806958.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_66f0000_InstallUtil.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 838e5daf454f4a0dba263f844b7a7fca9660df482d36eeb0e5d2b32d4272422a
Instruction ID: d86f033032deb7d59b137c85f154d1fe3e4686894b733d62358bdd1b8640b5a3
Opcode Fuzzy Hash: 838e5daf454f4a0dba263f844b7a7fca9660df482d36eeb0e5d2b32d4272422a
Instruction Fuzzy Hash: A75145B0910309CFDB54CFA9D948B9EBBF1AF88314F20C469D159A73A0DB749984CFA5

Function 066F3490 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 066F350E
GetCurrentThread.KERNEL32 ref: 066F354B
GetCurrentProcess.KERNEL32 ref: 066F3588
GetCurrentThreadId.KERNEL32 ref: 066F35E1

Memory Dump Source

Source File: 00000003.00000002.3291806958.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_66f0000_InstallUtil.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: ee80c991986a66fc2d5a402601c42973f8b26fc6c55490b698311f97358b81e8
Instruction ID: ed1deb2539bf5b2ae90463e81d4cfe094ca9c05fa50c02d287d151c08aa978d6
Opcode Fuzzy Hash: ee80c991986a66fc2d5a402601c42973f8b26fc6c55490b698311f97358b81e8
Instruction Fuzzy Hash: E15157B0910309CFDB54CFAAD548B9EBBF1AB88314F20C469D019A7360DB749984CFA5

Function 06719118 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 0671915F
$]q, xrefs: 0671919A
$]q, xrefs: 0671916B
$]q, xrefs: 067191A6

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 2275b2e41aea28b4dd4512a60e35b5653371e29fc86ba2b5fa0fd7020df3eba9
Instruction ID: 348435f436ad0d3e8679bfb3c1279c405c63636398027e54098a70cf3f78c044
Opcode Fuzzy Hash: 2275b2e41aea28b4dd4512a60e35b5653371e29fc86ba2b5fa0fd7020df3eba9
Instruction Fuzzy Hash: A3915E30F0021A8FDB54DB79D8607AEB7F6BB85200F108566D90EEB349EF719D468B91

Function 0671CF18 Relevance: 4.5, Strings: 3, Instructions: 798
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 0671D317
$]q, xrefs: 0671D323
$]q, xrefs: 0671D30F

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q
API String ID: 0-182748909
Opcode ID: e3f0dde60d45ac280d004b98c70c126448958e75b894e99ebc3685632b74b17f
Instruction ID: f57d0476fe7d7590ee4da9b24619cf603d94970a75711f8b04d30040675c60c6
Opcode Fuzzy Hash: e3f0dde60d45ac280d004b98c70c126448958e75b894e99ebc3685632b74b17f
Instruction Fuzzy Hash: 0B624130A0021A8FCB65EF69D590A5DB7F2FF84304F119A69E0499F369DB71EC46CB81

Function 06714738 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Obq, xrefs: 067148EF
fbq, xrefs: 06714E45
XPbq, xrefs: 06714865

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID: fbq$XPbq$\Obq
API String ID: 0-4057264190
Opcode ID: 125743b9ce706ef580c26a2358c3616ae23a8a9ddddf5b2e119344d5df461acb
Instruction ID: d2ed69380821c22158efe7f4c15b3fc679c4a1789f4a0989a6d3d3b84f86ee58
Opcode Fuzzy Hash: 125743b9ce706ef580c26a2358c3616ae23a8a9ddddf5b2e119344d5df461acb
Instruction Fuzzy Hash: FB617330E102199FDF54DFA9C8547AEBBF6FB88700F20852AE109AF395DB758C458B90

Function 0671910A Relevance: 2.7, Strings: 2, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 0671915F
$]q, xrefs: 0671919A

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 1117e11f9a3da90166a8cd9161ad2e4c97f982b07448f2b24c8aea4de41e30b1
Instruction ID: 9d671a4472fab9d35110b26643601a5f784c0b982dcdb442d64e5bb4c3161d77
Opcode Fuzzy Hash: 1117e11f9a3da90166a8cd9161ad2e4c97f982b07448f2b24c8aea4de41e30b1
Instruction Fuzzy Hash: BC513E30F001169FDB55DB79D8A0BAEB7F6BB84600F10852A950ADB389DE31DC47CB91

Function 066FB998 Relevance: 1.7, APIs: 1, Instructions: 207COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 066FBBFE

Memory Dump Source

Source File: 00000003.00000002.3291806958.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_66f0000_InstallUtil.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3ba3738b1ac27d22f282079b88f15cfe56b7090fbb3d7262ac4a9c97fefb5da2
Instruction ID: 25e274d40eeb0ce13f32ca1fb606ae02fdd72e823cf7f3c65d4487620c3c91e4
Opcode Fuzzy Hash: 3ba3738b1ac27d22f282079b88f15cfe56b7090fbb3d7262ac4a9c97fefb5da2
Instruction Fuzzy Hash: 45814270A10B058FD7A4DF2AD45479ABBF1FB88300F008A2ED58AD7B50DB74E849CB90

Function 066FDB87 Relevance: 1.6, APIs: 1, Instructions: 117COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 066FDCA2

Memory Dump Source

Source File: 00000003.00000002.3291806958.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_66f0000_InstallUtil.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e68c094ede49e91b573ef5ccdd23970ac11286e6e1263a04cb3dfaf4050add5a
Instruction ID: da549509fb2dde5febf44b1d990f1790d880a67c2ea442469f5746336f34d415
Opcode Fuzzy Hash: e68c094ede49e91b573ef5ccdd23970ac11286e6e1263a04cb3dfaf4050add5a
Instruction Fuzzy Hash: 6C51D0B1D103499FDB14CF99D884ADEBFB5BF48310F24852AE818AB250D7B5A981CF90

Function 066FDB90 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 066FDCA2

Memory Dump Source

Source File: 00000003.00000002.3291806958.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_66f0000_InstallUtil.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c25ed34471b82d0e1fd6516376c39070dd3ebdaf545e770b5846cce033e7c221
Instruction ID: 8b51cb30dbdace0c26a03b2aec9abc6ddc6a6714f9f1b6d098c79bdc42d685a6
Opcode Fuzzy Hash: c25ed34471b82d0e1fd6516376c39070dd3ebdaf545e770b5846cce033e7c221
Instruction Fuzzy Hash: 1741CFB1D10309DFDB14CF99D884ADEBBB5FF48314F24812AE818AB210D7B5A885CF90

Function 013C70A0 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 013C711F

Memory Dump Source

Source File: 00000003.00000002.3285554606.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13c0000_InstallUtil.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 8f51a2fab506c96714f2e973dff47258f586672f1ddc6a46203ec3273534d078
Instruction ID: f6980ae3a4d2207f46450130e234a629108042f0c1f114aefc284d273e5be26d
Opcode Fuzzy Hash: 8f51a2fab506c96714f2e973dff47258f586672f1ddc6a46203ec3273534d078
Instruction Fuzzy Hash: C1216BB5800259CFCB10CFAAD844BEEFBF4AF49324F14846EE854A7251D778A944CFA0

Function 066F36D0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 066F375F

Memory Dump Source

Source File: 00000003.00000002.3291806958.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_66f0000_InstallUtil.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: aa7be812b2007053217c62f00b3416861082157b2fdaaaf6202533030f5a7a11
Instruction ID: 9e72cc3f142e572f1cba9316bbfcfe243e5a3d85d990fc23f61fcb42e880991d
Opcode Fuzzy Hash: aa7be812b2007053217c62f00b3416861082157b2fdaaaf6202533030f5a7a11
Instruction Fuzzy Hash: 6B21E2B5D00218DFDB10CFA9D984AEEBBF4EB48320F14842AE918A7350D374A940CFA5

Function 066F36D8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 066F375F

Memory Dump Source

Source File: 00000003.00000002.3291806958.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_66f0000_InstallUtil.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b0d497c6406d8553540acee1e01f063a5657e2df174b2ae4440351e641c22050
Instruction ID: 2e76183008337b08d7c7548953e029194057820e980bcab32e52a2024b32dfa6
Opcode Fuzzy Hash: b0d497c6406d8553540acee1e01f063a5657e2df174b2ae4440351e641c22050
Instruction Fuzzy Hash: 4521C4B5D00258DFDB10CFAAD984ADEBBF4EB48320F14841AE954A7350D374A944CFA5

Function 013CF167 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 013CF1E7

Memory Dump Source

Source File: 00000003.00000002.3285554606.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13c0000_InstallUtil.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: ae477d712f24753134172266e31ea3dc57a75247024bdb5d1bb613b5ba3b5d64
Instruction ID: 8a8d379a923d83053c2d8bccdbb6aa1dada1477982f05b8d9be7a1c7993b5a6c
Opcode Fuzzy Hash: ae477d712f24753134172266e31ea3dc57a75247024bdb5d1bb613b5ba3b5d64
Instruction Fuzzy Hash: 362167B1C00259CFCB10CFA9D5457DEFBB4AF09320F14856AD418B7241D378A944CFA1

Function 066FBDF9 Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,066FBC79,00000800,00000000,00000000), ref: 066FBE6A

Memory Dump Source

Source File: 00000003.00000002.3291806958.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_66f0000_InstallUtil.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 655cd99e65250934db389877f63d6766765d0384bfcbc6a82e47f793cbf2bec9
Instruction ID: 22cb7cc81c0597dbe07856dae536bc3603d500668aceece5223216a0d94cf1be
Opcode Fuzzy Hash: 655cd99e65250934db389877f63d6766765d0384bfcbc6a82e47f793cbf2bec9
Instruction Fuzzy Hash: 911112B6D042498FDB10CF9AD844ADEFBF4EB48320F10846EEA59A7250C3B5A545CFA5

Function 066FABB8 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,066FBC79,00000800,00000000,00000000), ref: 066FBE6A

Memory Dump Source

Source File: 00000003.00000002.3291806958.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_66f0000_InstallUtil.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9fb4383718177c27dc0d515010334cd6a7df7008bd230e28cde9f80aa88372a6
Instruction ID: aeccf3b6bf9cf894a76f064ceddd22112a198813b8fa09ca3f84256862df11f6
Opcode Fuzzy Hash: 9fb4383718177c27dc0d515010334cd6a7df7008bd230e28cde9f80aa88372a6
Instruction Fuzzy Hash: 151103B6D042488FDB10CF9AD444A9EFBF5EB48350F10846AE619A7710C375A945CFA4

Function 013CF180 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 013CF1E7

Memory Dump Source

Source File: 00000003.00000002.3285554606.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13c0000_InstallUtil.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: b3f5cc2ab5ce5ad77230a39599e5398f7ffcb931970f01ea815cb2733fa3aa05
Instruction ID: d0b148dffbd81b9068240a62c904620fe359f8f7ca1721c5820229ad937c0171
Opcode Fuzzy Hash: b3f5cc2ab5ce5ad77230a39599e5398f7ffcb931970f01ea815cb2733fa3aa05
Instruction Fuzzy Hash: 501123B1C006699FCB10CF9AD444BDEFBF4AF48324F10816AD818A7240D378A944CFA5

Function 066FBB98 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 066FBBFE

Memory Dump Source

Source File: 00000003.00000002.3291806958.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_66f0000_InstallUtil.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e3dc7eab03b5fa8d71d0513a081297c781e029b36690a4bbbd9a6df67f28c67c
Instruction ID: 14a3986083dc2e04d489192b00161c07407b174967c27273329d5fa250811d49
Opcode Fuzzy Hash: e3dc7eab03b5fa8d71d0513a081297c781e029b36690a4bbbd9a6df67f28c67c
Instruction Fuzzy Hash: 5D111DB6C002498FCB10CF9AD844BDEFBF4AB88324F10846AD928A7210C379A545CFA1

Function 06714728 Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

XPbq, xrefs: 06714865

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID: XPbq
API String ID: 0-864591470
Opcode ID: 61516fe466721f25c1d67704014839c1e2075dcb675688528dbf03b684c20c96
Instruction ID: 9a6b83798b5a7f35b37a2b958031389f0bf75b2f570e5d0937b46a5ed23b0409
Opcode Fuzzy Hash: 61516fe466721f25c1d67704014839c1e2075dcb675688528dbf03b684c20c96
Instruction Fuzzy Hash: 34416370F102199FDB55DFA9C8547AEBBF6BF88700F20852AE149AF395DB758C018B90

Function 0671DAA0 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0671DBE9

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 5cd5cdea57ddbca1696bed2b55ffa25db10339d321884ae3755c9f6b211df790
Instruction ID: dd0322208d3730d88bfd9c356dc92904e32b98b3b88bcd6efc1ab7e5bb6ec232
Opcode Fuzzy Hash: 5cd5cdea57ddbca1696bed2b55ffa25db10339d321884ae3755c9f6b211df790
Instruction Fuzzy Hash: 4B417F70E1020ADFDB75DF69C5546AEBBF2BF85340F10892AE406EB244DB71E946CB81

Function 0671DA8D Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0671DBE9

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 9c4dbd3632cf419b70ffb1b078cc5059e10e3c1efc9ff0bd26449593babdf209
Instruction ID: 82fd128eec50a900c8ffac694203038fa49191a16b82c7dc1808abf1ed1ab789
Opcode Fuzzy Hash: 9c4dbd3632cf419b70ffb1b078cc5059e10e3c1efc9ff0bd26449593babdf209
Instruction Fuzzy Hash: B7419230E10345DFDB75DF69C4546AEBBB2BF45340F10862AE406EB244DB71D946CB81

Function 067121C7 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

PH]q, xrefs: 06712313

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: c8a9b87c914927bfe59a3cd30027b8ed6f548d4e9419fc87bc306d7021541875
Instruction ID: 5cef97cf720afeed99b6caddf5171267038fc8788105a8f8e506e12f061960a2
Opcode Fuzzy Hash: c8a9b87c914927bfe59a3cd30027b8ed6f548d4e9419fc87bc306d7021541875
Instruction Fuzzy Hash: 4331F430B102018FDB59DB78D5646BE7BE2AF89240F21452AD416DF346DF35CD86C791

Function 067121D8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH]q, xrefs: 06712313

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 7448497579c63e2e8010f38ef9c54f4174bd8158d7942527ade5d6e2abc93f99
Instruction ID: 9aae9070e9625a088718d73a0ff48b29fba89e6539af7ffbfe07155064df4020
Opcode Fuzzy Hash: 7448497579c63e2e8010f38ef9c54f4174bd8158d7942527ade5d6e2abc93f99
Instruction Fuzzy Hash: BE31B030B102018FDB59EB78D46466F7BE6AB89240F21452AD406DB38ADE31DD86C791

Function 0671FEA8 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

|, xrefs: 0671FF08

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 17118fa675cc1d52b3a259994a2eddc69e8ac83bed1ce1b14be8a135bb46c1e1
Instruction ID: e2f7f83401b4f39c7eda2cde2c1818974e11b76e9bde8aa1c089a4fa41319ac8
Opcode Fuzzy Hash: 17118fa675cc1d52b3a259994a2eddc69e8ac83bed1ce1b14be8a135bb46c1e1
Instruction Fuzzy Hash: 47117F71B002119FDB54DB788805B6DBBF1AF48714F14846AE50AE73A0DA799D018B80

Function 0671FEB8 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

|, xrefs: 0671FF08

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 8e7ec93f45acae275b7c5495e6e68bbc7d87ba63721472bd1a1554db0635521f
Instruction ID: 4d82618bd7a8436d32a08e7cf84e3f50d276666f09c57e55613dd92897e63c4b
Opcode Fuzzy Hash: 8e7ec93f45acae275b7c5495e6e68bbc7d87ba63721472bd1a1554db0635521f
Instruction Fuzzy Hash: B1115E74B002259FDB54EB788844B6EBBF5AF48714F10846AE51ADB3A0DA799D00CB90

Function 0671828F Relevance: 1.3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

Strings

$]q, xrefs: 067182B4

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID: $]q
API String ID: 0-1007455737
Opcode ID: 8d61d8ebb72bcba56f7ffa80fc67f65e21f470a76e0a36f2924354511bfd26da
Instruction ID: be7f57f8bbb67908976f4895d79389a489efbeeb1f4faf843f62fe07b12fcf35
Opcode Fuzzy Hash: 8d61d8ebb72bcba56f7ffa80fc67f65e21f470a76e0a36f2924354511bfd26da
Instruction Fuzzy Hash: 12F08235E00114CFDF66CB9DE9806BC77B4FB05311F184563D8069B150C7319946C792

Function 06714621 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

\Obq, xrefs: 0671462D

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID: \Obq
API String ID: 0-2878401908
Opcode ID: 99ed63185bf42ed03ea2e6fe250e37cf737ecd1409539607b120d13e6831418f
Instruction ID: 5a322396304d29408fa8f39c5123b8084f4918b51ed45c709d4a3d1280906920
Opcode Fuzzy Hash: 99ed63185bf42ed03ea2e6fe250e37cf737ecd1409539607b120d13e6831418f
Instruction Fuzzy Hash: B0F0FE30A10229DFDB14DF94E869BAEBBB6FF84705F20411AE402AB294CB701C41CFC0

Function 0671C158 Relevance: .6, Instructions: 640COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c25a9f06905efec29ab0cb9da1a88254546b97679b41411cf4385d67f8a8ba01
Instruction ID: 50977ed7130b78676094e5545ce8b713d565421663d3c39ed0d7e452101bf661
Opcode Fuzzy Hash: c25a9f06905efec29ab0cb9da1a88254546b97679b41411cf4385d67f8a8ba01
Instruction Fuzzy Hash: 16329034B402158FDF55DBADD890BADBBB2EB88314F108526E509EB395DB38DC42CB91

Function 0671B1F0 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67e0df810d446e0e4f45e87b731d5ee22bbdba57745f9e59f271ea14b9f4b79d
Instruction ID: 9c113a563efca1edb638f9570e35b35a2cb28f059e3cb4a2610476597423d76b
Opcode Fuzzy Hash: 67e0df810d446e0e4f45e87b731d5ee22bbdba57745f9e59f271ea14b9f4b79d
Instruction Fuzzy Hash: C4B1A730F001098FDF64DBADD5947BDB6B6FB49710F20892AE409EB395CA35DC858751

Function 06715DB8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c711ebef7f8c60087f47d5560460c8619884e5d16e8c64bf2ad80b16cba862e
Instruction ID: 2ef997559fb82c8523922c84db5341929b1c4186324b75230635eb72e28eaa23
Opcode Fuzzy Hash: 9c711ebef7f8c60087f47d5560460c8619884e5d16e8c64bf2ad80b16cba862e
Instruction Fuzzy Hash: 8661B0B1F001214FDB54AA6EC88466FBADBAFD4220B25447AE80EDB364DE75DD0287D1

Function 06713E68 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d3beb0b32128dfc86187ad9e695843e0b6afab7aa251171e4859d754cffb943
Instruction ID: c9bdc50d9d6e57955e093e6c98bc1ffecd6489844d62fe758fb27c417352ff45
Opcode Fuzzy Hash: 9d3beb0b32128dfc86187ad9e695843e0b6afab7aa251171e4859d754cffb943
Instruction Fuzzy Hash: 69815F30F002068FDF54DBA9C8547AEB7F6AB89314F118525E40AEB399EB35DC468B41

Function 06713E78 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a2f636a62966007b3c9650e135eb39042b5d082b4fa8363ebf620cebf34f42b
Instruction ID: c06ea27c5e105e220d3979a99ae3aa0ee760ee247e62afbcfb992b73ed28f92f
Opcode Fuzzy Hash: 5a2f636a62966007b3c9650e135eb39042b5d082b4fa8363ebf620cebf34f42b
Instruction Fuzzy Hash: C1816F30F0020A8FDF54DFA9C45476EB7F6AB88310F108525E40AEB399EB34DC468B42

Function 06714188 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f3b24d9ca836a417faa267cec8cd2841dee8fb871b0bd341f99fa65e233b172
Instruction ID: 9c2e82c3bc511a5afde9a3e61656733cb540a377e980eb862c63bbf3c1370769
Opcode Fuzzy Hash: 3f3b24d9ca836a417faa267cec8cd2841dee8fb871b0bd341f99fa65e233b172
Instruction Fuzzy Hash: FF914F30E106198FDF60DF68C890B9DB7B1FF99300F20859AD549BB255DB70A986CF51

Function 067141A0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e45aeb802bf7e153b94c05f3d5ed3e0808bd491157998e939a96f2c0a322e1f2
Instruction ID: 19ad979bafa00b663b011e03ad35f83a13ef54c4ae05e5885efa9a0190610f4a
Opcode Fuzzy Hash: e45aeb802bf7e153b94c05f3d5ed3e0808bd491157998e939a96f2c0a322e1f2
Instruction Fuzzy Hash: 62913D30E1021A8FDF60DF68C890B9DB7B1FF89310F208599D549BB255DB70AA86CF91

Function 0671EAE0 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5de4c54541f09b52142d356453b0ce9636d0dfaa30058026f97abb26dd204c7
Instruction ID: 6a31352736fdb8a2f5ca70fb03fd371c81b34c77ea620a384d5465da9803f18e
Opcode Fuzzy Hash: d5de4c54541f09b52142d356453b0ce9636d0dfaa30058026f97abb26dd204c7
Instruction Fuzzy Hash: 6A711974A002099FDB54DFA9C994AADFBF6BF84300F24856AE449EB355DB30E846CB50

Function 0671EAF0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d327fc745fa37c85f3616ae6453bfb9700a326b4b69b44bc9aa151c11bbb8ac
Instruction ID: ba12e8336c32a628cdb7e127802a9d31d01580314d6acd99ae3abd2d0c67bc51
Opcode Fuzzy Hash: 5d327fc745fa37c85f3616ae6453bfb9700a326b4b69b44bc9aa151c11bbb8ac
Instruction Fuzzy Hash: 4F710770A002099FDB54DFA9D994AADBBF6FF84300F24852AE449EB355DB30ED46CB50

Function 0671FC58 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7e9669b2524c875aad93acb9ead3519ea3cac320c3897740b2d73069405a353
Instruction ID: 0a54d15ba9eba73052481d79293efde4795366d30cbc8ba54629d75042f8ab49
Opcode Fuzzy Hash: d7e9669b2524c875aad93acb9ead3519ea3cac320c3897740b2d73069405a353
Instruction Fuzzy Hash: 5651AE31E001099FDB24EF7CE4646BDBBF2FB84315F20896AE10ADB251DB399955CB81

Function 0671F5F8 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45cb7653d479211db8f54b866d219353f4d9879ea56a4a25727a5c30cb6923b4
Instruction ID: 8b7a892b1d340f4cc5064781e11c2f6e77600bd87a9d9255a45f460c731bfb2f
Opcode Fuzzy Hash: 45cb7653d479211db8f54b866d219353f4d9879ea56a4a25727a5c30cb6923b4
Instruction Fuzzy Hash: 3351D930B102188FEF74566CD85477E26DAE799310F60093BE00EDB3E9CA6ECC458392

Function 0671F608 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ae95c6d1eec8f49cda63ba540fbb08d2fceaf47ccb4089a58704d024fca61c3
Instruction ID: e9a5cce540361fddda98d9c2506f8398f5c3dbe0d6177414285c8efecab4544b
Opcode Fuzzy Hash: 0ae95c6d1eec8f49cda63ba540fbb08d2fceaf47ccb4089a58704d024fca61c3
Instruction Fuzzy Hash: 9651C730B102188FEF74666DD85473E25DAE799350F60093BE00EDB3A9CA6ECC4543D2

Function 067144C0 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b6becdd312d661a87f409fac4b8c2ee47c8f839d8967e9479953638c5df1cfc
Instruction ID: db5180407813d76d7530b4129549cdbb181dc4dee865d562f5f556ca1b3e9a16
Opcode Fuzzy Hash: 5b6becdd312d661a87f409fac4b8c2ee47c8f839d8967e9479953638c5df1cfc
Instruction Fuzzy Hash: 0B519E70F101099FDB64DE69C894B6EBAE2FF84714F24846AE00AEF354DA35DC418B81

Function 0671A36A Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26e7f7e13ef8a144a13889e64a02fb560dbf6a82b003675bc3cc089bd9d91af8
Instruction ID: f921067049f079e804db33383e40c73e37efe30b259f5aa44189b5e827902090
Opcode Fuzzy Hash: 26e7f7e13ef8a144a13889e64a02fb560dbf6a82b003675bc3cc089bd9d91af8
Instruction Fuzzy Hash: 9D519435F002149FCB55EB79D844AADBBF2EF88314B108929E415EB354DB31ED46CB91

Function 06714FF0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90250fd3270eebd77e0b2ba7e1142ec8cd6d2d8c062800b5accacb45253d59e0
Instruction ID: 799de1d9477d0e0d5d0b62ee2e7d954c9b7e2730c943502c4e33fbd6016b630f
Opcode Fuzzy Hash: 90250fd3270eebd77e0b2ba7e1142ec8cd6d2d8c062800b5accacb45253d59e0
Instruction Fuzzy Hash: 82414DB1E106098FEF64CEADD8C0ABEF7B2FB84214F10492AD216DB650D731E8458B91

Function 067144B0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8179173a6443df854d998dce6caaf70c5aa5b4e7c0732fd040289d15d59f0cf
Instruction ID: 83fb252b19264d1955557a73f4500486a51e408ac5c454c085298bfc22157ad5
Opcode Fuzzy Hash: d8179173a6443df854d998dce6caaf70c5aa5b4e7c0732fd040289d15d59f0cf
Instruction Fuzzy Hash: 30414170E101059FDB64DB68C494BADBBE2EF45304F25846AD40AEF354DA75DC82CB41

Function 0671D940 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a85924888f26b9d1d84fff9389f6279b55a46e2b8a9a844a2bcc80024d4fcd1
Instruction ID: d291a59695e4529c000851e4d9cd9d54af37f30b83f3a0139aefee24bb429c21
Opcode Fuzzy Hash: 9a85924888f26b9d1d84fff9389f6279b55a46e2b8a9a844a2bcc80024d4fcd1
Instruction Fuzzy Hash: 5E319230E1030A8FDF25DF69C99069EBBB2FF44300F10892AE445AB354EB70A946CB41

Function 0671208B Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a424998f1861021e4a73fb7d16670bbf0ea49873e05722455803785d664e62f4
Instruction ID: 0f7bd1569004683320c337479cf3f496306416ede210bdf3396a7f1f5a7427bb
Opcode Fuzzy Hash: a424998f1861021e4a73fb7d16670bbf0ea49873e05722455803785d664e62f4
Instruction Fuzzy Hash: 8C31A231E102069FCB15CF69C8556AEBBF2BF89300F10C91AE916EB355DB71AD82CB41

Function 06712098 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c72e73191939b4329ad49e6e34a0386bfe7febdcc732f95f7aa3c39817fbb70b
Instruction ID: 37e75de0b139dd878c975b58dbe2b8fab77442aa5c85b3bab53b434dc6f5294d
Opcode Fuzzy Hash: c72e73191939b4329ad49e6e34a0386bfe7febdcc732f95f7aa3c39817fbb70b
Instruction Fuzzy Hash: FB316230E102059FDB15CF69C8546AEBBB2FF89300F10C91AE916EB355DB71AD86CB51

Function 06713A80 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1859059d563d1d77dc9ca3b4c5a9927c449bdcf2b6b008a08c42a442eed67460
Instruction ID: 00d4ca2b5329bf9a9b42f9052673335cab39b3a1bc5d15d92e8dbba7bc6be159
Opcode Fuzzy Hash: 1859059d563d1d77dc9ca3b4c5a9927c449bdcf2b6b008a08c42a442eed67460
Instruction Fuzzy Hash: D9217C75E00625DFDB50DF6DD880AAEB7F5EB48620F108226E909EB344E735D901CB95

Function 06713A71 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53683bca665a674cf528950c59d598ed6641f168e2d960f31409a1d64d6c25e4
Instruction ID: 14ad03494f243951b8a7738bb9e8077234e67276437855b22df04a1cb469b662
Opcode Fuzzy Hash: 53683bca665a674cf528950c59d598ed6641f168e2d960f31409a1d64d6c25e4
Instruction Fuzzy Hash: 2921AC75F00625DFDB50DFADD881AADB7F5EB48320F108226E909EB385E734D8028B95

Function 010FD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3284539419.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10fd000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b2a2e78b8e220b324dec19d6f634ffb6081e255437d4f4fa52f0e10d3310722
Instruction ID: b1e3265e5dbc2ad4c90f6bf09422cf8e149067c1c308351a388dee23db1c17ff
Opcode Fuzzy Hash: 8b2a2e78b8e220b324dec19d6f634ffb6081e255437d4f4fa52f0e10d3310722
Instruction Fuzzy Hash: 6F213771504200DFCB15DF98D9C1B2ABBA5FB84314F24C5ADEA894B656C336D447CB61

Function 06714FE1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b869f4340f79aa7a5d99713694af55b0ca7cada4750ea4b814f66b54bec326dc
Instruction ID: 76861ed11934fea0cb8f8f44db3db89d86d505906af9d2efcd9eeef2ee27d967
Opcode Fuzzy Hash: b869f4340f79aa7a5d99713694af55b0ca7cada4750ea4b814f66b54bec326dc
Instruction Fuzzy Hash: 72119372A107098FDB65CEE9DDC1AAFFBB2FB84300F10892AD1559B654D730A8458B90

Function 06713B90 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efeaa2bf47224c746d7d7b779adb6ede3da608e0cab58420f6b31cbe4edca9d1
Instruction ID: 253a09bf3661ef71d244bf3330caba959b440cf7c9b9784380cb2eca92cb1553
Opcode Fuzzy Hash: efeaa2bf47224c746d7d7b779adb6ede3da608e0cab58420f6b31cbe4edca9d1
Instruction Fuzzy Hash: EE11A531F140259FDF549A78D8546BE77AAEBC8720B00863AD40AEB384EE35DC068BD1

Function 0671ED61 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 128d4a098160f9c61ef001ae08086884f40c07e7dc84681accd661d0a3e6e270
Instruction ID: 6d0bbbcb078c7eb64783f9a53621add83d33dfeb1b2058103037e0f57699f4cc
Opcode Fuzzy Hash: 128d4a098160f9c61ef001ae08086884f40c07e7dc84681accd661d0a3e6e270
Instruction Fuzzy Hash: 6801D432B102104FCB56E67DD85473EBBE6EBC9710F24893AE54ACB385DE20DC028391

Function 010FD02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3284539419.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10fd000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 3653c558af29a216cb60e21f756356115e93019f5d098890c4bb1311aeb21521
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: F211BB75504280DFDB12CF58D5C4B15BFA2FB84314F28C6AEE9894BA56C33AD44ACB62

Function 06713DC7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 983f07f345482471f4ae615eaa3286dbf572c13e0737c03ec95fdecbc470a696
Instruction ID: 4a432d93577fd891efd591fc818d94c23cd01cd36b310acbabe21a47b88f70ad
Opcode Fuzzy Hash: 983f07f345482471f4ae615eaa3286dbf572c13e0737c03ec95fdecbc470a696
Instruction Fuzzy Hash: 6C01D435B042110FDB25D56E985573EABE6DBC5720F25C83BE10ECB345DD61CC068781

Function 06713850 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e757b318cc272a4ac3684c30cd0ea242af66ff727515d7edf7eb55bf0fec1986
Instruction ID: ded65593cfa4de49890c1ff6729505c79bad7a81707aef43f5e610543282bf62
Opcode Fuzzy Hash: e757b318cc272a4ac3684c30cd0ea242af66ff727515d7edf7eb55bf0fec1986
Instruction Fuzzy Hash: E211B0B5D01259AFCB00DF9AD884ADEFFB4FB49320F10852AE918A7240C374A954CFA5

Function 0671A2C8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94474327125492158cc716d82604d2cdca666f223e3d00e8e2c7da6572e14b0b
Instruction ID: 1643e27168e42ef0246da12675ceed5fac90a3d9902116b87c64e2ffcce55e72
Opcode Fuzzy Hash: 94474327125492158cc716d82604d2cdca666f223e3d00e8e2c7da6572e14b0b
Instruction Fuzzy Hash: 3401BC35F012104FCB11E63EE85472EBBE5DB85710F11882AE40ECB381EB25EC028781

Function 06713849 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 508605d820750dfa518b2f3ab6aa4f1fe0882990a335df1dd15e711e277828ac
Instruction ID: c97d54f5dd462f2da07f8a9908a77c5a7b22779323b0d494458ca58875c56700
Opcode Fuzzy Hash: 508605d820750dfa518b2f3ab6aa4f1fe0882990a335df1dd15e711e277828ac
Instruction Fuzzy Hash: 9521CFB5D01219EFCB00CF9AD984ADEFBB4FB48320F10852AE918B7600C374A554CFA5

Function 06713DD8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5553707ad2007ca6749a5a34ac8bbdc51aa1f46ff44397837fd47d29803bc6e
Instruction ID: bd2fdb7c64e3461c669e78bf6e1948f5db8ca310d508abd24b45c7c7df84c55e
Opcode Fuzzy Hash: c5553707ad2007ca6749a5a34ac8bbdc51aa1f46ff44397837fd47d29803bc6e
Instruction Fuzzy Hash: D901AD35B102100FDB65956ED85473BABDACBC9720F20883BE00ECB344DE61DD068381

Function 06713B81 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89183befbc677023f8b1403f7d81b6e1e72cbb8cbd9d1f128b104c2d82d6cfb3
Instruction ID: 1bc10084ad934251ee62784acd3a50c787ac71462d7a69d79ac1bd4c5c843e0e
Opcode Fuzzy Hash: 89183befbc677023f8b1403f7d81b6e1e72cbb8cbd9d1f128b104c2d82d6cfb3
Instruction Fuzzy Hash: 19018432F100255BEF59AA69DC546BF72AAABC8720F00463AD11ADB2C4EF64CC0647D2

Function 0671ED70 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a8b6fa96c940d0ffb7679827c2481f1559ff4744678b754d510f879a0b0d313
Instruction ID: 20486ca9ca379f5dffdb1c04a76ae16da380f09b41cd578812aa6ce36328716e
Opcode Fuzzy Hash: 8a8b6fa96c940d0ffb7679827c2481f1559ff4744678b754d510f879a0b0d313
Instruction Fuzzy Hash: 51018131B105104FCB65962E985473E7ADAD7C9710F20883AF54ACB344DE11DC028381

Function 0671A2D8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b14f8b0701487be4522e343f1ec9eb27279fcda6113f07df4efd808e04ae71af
Instruction ID: 0fdeffb9706ae3ac189eb3dc78ba11db74c11aadd6c530a9fa26a77848539046
Opcode Fuzzy Hash: b14f8b0701487be4522e343f1ec9eb27279fcda6113f07df4efd808e04ae71af
Instruction Fuzzy Hash: 4B016D35F111144FCB61EA7EE85472AB7E5DB89714F10882AE40ECB384EA21EC028785

Function 06716440 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c8bd61c1d400c54a6784a2db9f9c41e323f6d19fed7a5264625415303bc9378
Instruction ID: 772568076f86fade144b48fde8948080dd6ca6770c54e87ac90877d0985fac73
Opcode Fuzzy Hash: 7c8bd61c1d400c54a6784a2db9f9c41e323f6d19fed7a5264625415303bc9378
Instruction Fuzzy Hash: 3EE02071E14208AFDF50DE78CD5575E77BDD701204F1189A7D809CF242E13BCA024740

Function 06716450 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9048b2f1eab3b4c0b6f32dd9185db9c5cb012cd20a970a23a0198af6f9e12f5b
Instruction ID: 2830e78c2062d23cec68c0522860031d5dcb7971c01a4c6b62d1804a4e41456f
Opcode Fuzzy Hash: 9048b2f1eab3b4c0b6f32dd9185db9c5cb012cd20a970a23a0198af6f9e12f5b
Instruction Fuzzy Hash: C1E012B1E21108ABDF50DEB8C95576A77ADE701214F2088A6DD09CF241E677DB058780

Non-executed Functions

Function 06717668 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$]q, xrefs: 067177A4
$]q, xrefs: 06717BF1
$]q, xrefs: 06717BCF
$]q, xrefs: 067177B0
$]q, xrefs: 0671777F
$]q, xrefs: 06717773
$]q, xrefs: 06717B3C
$]q, xrefs: 06717BDB
$]q, xrefs: 06717B30
$]q, xrefs: 06717BE5

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-2843079600
Opcode ID: ebfd7e476354cbcd4ea29c962971f7e8d83b75cfb85119cce63cfaa4762005a7
Instruction ID: 399c33c60d9de769be8467be5b9802bf5fa91d30d649c2ed2f634316ae6126be
Opcode Fuzzy Hash: ebfd7e476354cbcd4ea29c962971f7e8d83b75cfb85119cce63cfaa4762005a7
Instruction Fuzzy Hash: 4F120D30E00219CFDB68DF69C994AADB7F2BF84704F20856AD40AAB355DB319D85CF81

Function 0671A900 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$]q, xrefs: 0671AA7C
$]q, xrefs: 0671AA51
$]q, xrefs: 0671AAB2
$]q, xrefs: 0671A9F6
$]q, xrefs: 0671AABE
$]q, xrefs: 0671AA5D
$]q, xrefs: 0671AA02
$]q, xrefs: 0671AA88

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-1273862796
Opcode ID: 8a3876b84c9e9ac9444b9e3c231e8a5ee94a6fac98e566d89c73a57865da89b0
Instruction ID: fbd2105a85360d23e327dc4de9ebf7bc9c66fce10a2fb4b7938eaec5c36b0a89
Opcode Fuzzy Hash: 8a3876b84c9e9ac9444b9e3c231e8a5ee94a6fac98e566d89c73a57865da89b0
Instruction Fuzzy Hash: 4D918030E01209DFDB68DF6DDA94B7EB7F2AF84704F10852AE445AB295DB349C45CB90

Function 06717068 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$]q, xrefs: 0671757C
$]q, xrefs: 067173A4
$]q, xrefs: 06717570
$]q, xrefs: 06717504
$]q, xrefs: 067173B0
$]q, xrefs: 0671734A
.5uq, xrefs: 067170C3

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID: .5uq$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-981061697
Opcode ID: aa92b9a85f8da663170aa480257229b67a36d4d8bad5e48ed7481fe27ff75d91
Instruction ID: cef2e4132127a8b9f6c15cde9fadff86c6b96b83357e176b8af11b17a9ac4851
Opcode Fuzzy Hash: aa92b9a85f8da663170aa480257229b67a36d4d8bad5e48ed7481fe27ff75d91
Instruction Fuzzy Hash: 55F11C34E00219CFDB59EFA9D594A6EB7F2BF84304F248569E4059B359DB31EC82CB90

Function 067183A0 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$]q, xrefs: 067185FA
$]q, xrefs: 06718606
$]q, xrefs: 0671865F
$]q, xrefs: 0671866B

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: d3b45f28bc9c2070a8e6d042503455747255fa60deb82c8f3f1feada61dd02f8
Instruction ID: a9db381447a2efc39c22c7ceb4473a90da23bc325b6eb9977da075c97601ac25
Opcode Fuzzy Hash: d3b45f28bc9c2070a8e6d042503455747255fa60deb82c8f3f1feada61dd02f8
Instruction Fuzzy Hash: 62B12B34E10209CFDB58DFA9D5946AEB7B2FF84304F24892AD4069B355DB35DC82CB81

Function 067187B8 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$]q, xrefs: 06718843
LR]q, xrefs: 067188AB
$]q, xrefs: 06718837
LR]q, xrefs: 067188FA

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID: LR]q$LR]q$$]q$$]q
API String ID: 0-3527005858
Opcode ID: cb68d791e6bd14a412917a76b539f85f6db882d49eb248beacfbac226ca94ec4
Instruction ID: a3040935cecdabf04dc503604e810f95237a30f94d9af3dbed240eee9f17832d
Opcode Fuzzy Hash: cb68d791e6bd14a412917a76b539f85f6db882d49eb248beacfbac226ca94ec4
Instruction Fuzzy Hash: FB51A130B102019FDB58DB6DD994A7AB7E2FF85304B14866AE4069F395DB31EC41CB91

Function 0671AC88 Relevance: 5.2, Strings: 4, Instructions: 163COMMON

Download Yara Rule

Strings

$]q, xrefs: 0671ADB9
$]q, xrefs: 0671AE3B
$]q, xrefs: 0671AE0C
$]q, xrefs: 0671AE64

Memory Dump Source

Source File: 00000003.00000002.3291913346.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6710000_InstallUtil.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 69da97025835087e881fba1c8953631813b615dd81fcd9a74bb27a06868eb155
Instruction ID: 1b5d3a95c7790c52aa874d08b172ad454b18ce82047c0efb99a23754bfea81aa
Opcode Fuzzy Hash: 69da97025835087e881fba1c8953631813b615dd81fcd9a74bb27a06868eb155
Instruction Fuzzy Hash: 52517F34E112058FCFA9EB6CD5806BDB7B2EB84214F64862AE805DF359DB31DD45CB90

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report okmnji.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\okmnji.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
okmnji.exe

Function 0696A6B0 Relevance: 11.0, Strings: 8, Instructions: 976
COMMON

Function 010E4769 Relevance: 9.1, Strings: 7, Instructions: 323
COMMON

Function 07C61127 Relevance: 5.6, Instructions: 5649
COMMON

Function 07C61140 Relevance: 5.6, Instructions: 5633
COMMON

Function 07C01408 Relevance: 5.2, Instructions: 5170
COMMON

Function 07C0B13E Relevance: 4.1, Strings: 3, Instructions: 328
COMMON

Function 010E6FA0 Relevance: 6.5, Strings: 5, Instructions: 296
COMMON

Function 010E98F0 Relevance: 5.8, Strings: 4, Instructions: 819
COMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre