Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe
Analysis ID:	1475143
MD5:	8aae495569f2eba4371a7666c6066c2e
SHA1:	bdb285e457e68fe05974e62671754277a3c22d5d
SHA256:	6664c76fa812ee8c12dfd4d5763a29d10b66b7f3beff780ff13e67dd667e575d
Tags:	exe
Infos:

Detection

DarkTortilla, XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AntiVM3

Yara detected DarkTortilla Crypter

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to launch a process as a different user

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe (PID: 5044 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe" MD5: 8AAE495569F2EBA4371A7666C6066C2E)

InstallUtil.exe (PID: 2976 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

InstallUtil.exe (PID: 3136 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DarkTortilla	DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.	No Attribution	https://www.secureworks.com/research/darktortilla-malware-analysis	https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["nnx.linkworldlogiticservices.online"], "Port": "9196", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.0"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2482269120.0000000004188000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.2484247029.00000000057C0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.2482269120.0000000004061000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000003.00000002.2145809299.0000000000432000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000003.00000002.2145809299.0000000000432000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7c65:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7d02:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7e17:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7913:$cnc4: POST / HTTP/1.1
00000000.00000002.2473856137.000000000320E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.2473856137.000000000320E000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x1b42d:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1b4ca:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1b5df:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1b0db:$cnc4: POST / HTTP/1.1
00000000.00000002.2473856137.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.2473856137.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.2473856137.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x9f555:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9f5f2:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9f707:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x9f203:$cnc4: POST / HTTP/1.1
00000004.00000002.4559451531.0000000002911000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe PID: 5044	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe PID: 5044	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe PID: 5044	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: InstallUtil.exe PID: 2976	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: InstallUtil.exe PID: 3136	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.InstallUtil.exe.430000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
3.2.InstallUtil.exe.430000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7e65:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7f02:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8017:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7b13:$cnc4: POST / HTTP/1.1
0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.30786f0.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.30786f0.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6065:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6102:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6217:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x5d13:$cnc4: POST / HTTP/1.1
0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.57c0000.4.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.4138790.3.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.57c0000.4.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.41887b0.1.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.4138790.3.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.4110770.2.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.41887b0.1.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.30786f0.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.30786f0.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7e65:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7f02:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8017:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7b13:$cnc4: POST / HTTP/1.1
Click to see the 8 entries

Sigma Signatures

System Summary

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, ProcessId: 3136, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\diagaudio.lnk

Snort Signatures

ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.6 - Destination IP: 168.119.55.248

Timestamp:	07/17/24-16:42:27.466949
SID:	2853193
Source Port:	49723
Destination Port:	9196
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.6 - Destination IP: 168.119.55.248

Timestamp:	07/17/24-16:40:56.953871
SID:	2855924
Source Port:	49723
Destination Port:	9196
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.6 - Destination IP: 168.119.55.248

Timestamp:	07/17/24-16:44:05.044084
SID:	2852923
Source Port:	49723
Destination Port:	9196
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 168.119.55.248 - Destination IP: 192.168.2.6

Timestamp:	07/17/24-16:44:05.188143
SID:	2852870
Source Port:	9196
Destination Port:	49723
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 - Source IP: 168.119.55.248 - Destination IP: 192.168.2.6

Timestamp:	07/17/24-16:44:05.188143
SID:	2852874
Source Port:	9196
Destination Port:	49723
Protocol:	TCP
Classtype:	A Network Trojan was detected

Suricata Signatures

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.6 - Destination IP: 168.119.55.248

Timestamp:	2024-07-17T16:44:05.044084+0200
SID:	2852923
Source Port:	49723
Destination Port:	9196
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.6 - Destination IP: 168.119.55.248

Timestamp:	2024-07-17T16:42:27.466949+0200
SID:	2853193
Source Port:	49723
Destination Port:	9196
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO HUNTING Request for config.json - Source IP: 192.168.2.6 - Destination IP: 184.28.90.27

Timestamp:	2024-07-17T16:40:04.502873+0200
SID:	2840787
Source Port:	49715
Destination Port:	443
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 168.119.55.248 - Destination IP: 192.168.2.6

Timestamp:	2024-07-17T16:44:05.188143+0200
SID:	2852870
Source Port:	9196
Destination Port:	49723
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 - Source IP: 168.119.55.248 - Destination IP: 192.168.2.6

Timestamp:	2024-07-17T16:44:05.188143+0200
SID:	2852874
Source Port:	9196
Destination Port:	49723
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.6 - Destination IP: 168.119.55.248

Timestamp:	2024-07-17T16:40:56.953871+0200
SID:	2855924
Source Port:	49723
Destination Port:	9196
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe

Avira: detected

Found malware configuration

Source: 00000000.00000002.2473856137.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["nnx.linkworldlogiticservices.online"], "Port": "9196", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.0"}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe

ReversingLabs: Detection: 60%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 3.2.InstallUtil.exe.430000.0.unpack	String decryptor: nnx.linkworldlogiticservices.online
Source: 3.2.InstallUtil.exe.430000.0.unpack	String decryptor: 9196
Source: 3.2.InstallUtil.exe.430000.0.unpack	String decryptor: <123456789>
Source: 3.2.InstallUtil.exe.430000.0.unpack	String decryptor: <Xwormmm>
Source: 3.2.InstallUtil.exe.430000.0.unpack	String decryptor: XWorm V5.0
Source: 3.2.InstallUtil.exe.430000.0.unpack	String decryptor: USB.exe
Source: 3.2.InstallUtil.exe.430000.0.unpack	String decryptor: %AppData%
Source: 3.2.InstallUtil.exe.430000.0.unpack	String decryptor: diagaudio.exe

Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: diagaudio.exe.4.dr
Source:	Binary string: InstallUtil.pdb source: diagaudio.exe.4.dr

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.6:49723 -> 168.119.55.248:9196
Source: Traffic	Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 168.119.55.248:9196 -> 192.168.2.6:49723
Source: Traffic	Snort IDS: 2852923 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) 192.168.2.6:49723 -> 168.119.55.248:9196
Source: Traffic	Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 168.119.55.248:9196 -> 192.168.2.6:49723
Source: Traffic	Snort IDS: 2853193 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.6:49723 -> 168.119.55.248:9196

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: nnx.linkworldlogiticservices.online

Source: global traffic

TCP traffic: 192.168.2.6:49723 -> 168.119.55.248:9196

Source: Joe Sandbox View

ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: nnx.linkworldlogiticservices.online

Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe, 00000000.00000002.2473142144.00000000013E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.mic
Source: InstallUtil.exe, 00000004.00000002.4559451531.0000000002911000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.30786f0.0.raw.unpack, XLogger.cs

.Net Code: KeyboardLayout

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.InstallUtil.exe.430000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.30786f0.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.30786f0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000002.2145809299.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2473856137.000000000320E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2473856137.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe

Code function: 0_2_079D98A8 CreateProcessAsUserW,

0_2_079D98A8

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_01348385	0_2_01348385
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_01344E98	0_2_01344E98
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_0134B2A0	0_2_0134B2A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_01347418	0_2_01347418
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_01347A30	0_2_01347A30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_01344E88	0_2_01344E88
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_0134B270	0_2_0134B270
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_0134BB4D	0_2_0134BB4D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_075BA788	0_2_075BA788
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_075BE7A8	0_2_075BE7A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_075BC7A0	0_2_075BC7A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_075B2E78	0_2_075B2E78
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_075BCEC9	0_2_075BCEC9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_075BBB5F	0_2_075BBB5F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_075BD89A	0_2_075BD89A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_075BD718	0_2_075BD718
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_075BC786	0_2_075BC786
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_075BE7A4	0_2_075BE7A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_075BF650	0_2_075BF650
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_075BF640	0_2_075BF640
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_075B2E45	0_2_075B2E45
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_075BE6E2	0_2_075BE6E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_075BF45A	0_2_075BF45A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_075BEBE8	0_2_075BEBE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_079D87AD	0_2_079D87AD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_079D4350	0_2_079D4350
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_079D4A99	0_2_079D4A99
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_079D7AA8	0_2_079D7AA8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_079D9E40	0_2_079D9E40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_079D28E0	0_2_079D28E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_079D4048	0_2_079D4048
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_079D2B80	0_2_079D2B80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_079DF728	0_2_079DF728
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_079D4340	0_2_079D4340
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_079D2B72	0_2_079D2B72
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_079D7A98	0_2_079D7A98
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_079D3210	0_2_079D3210
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_079D3200	0_2_079D3200
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_079D81D8	0_2_079D81D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_079D81D1	0_2_079D81D1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_079DEDC8	0_2_079DEDC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_079D7CA1	0_2_079D7CA1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_079D68D9	0_2_079D68D9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_079D28D2	0_2_079D28D2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_079D68E8	0_2_079D68E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_079D0006	0_2_079D0006
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_079D4038	0_2_079D4038
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_079D0040	0_2_079D0040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_079D3878	0_2_079D3878
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_079D3867	0_2_079D3867
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_07F134E8	0_2_07F134E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_07F1EC48	0_2_07F1EC48
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_07F134D8	0_2_07F134D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_07F1D410	0_2_07F1D410
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_08313538	0_2_08313538
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_0831E328	0_2_0831E328
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_0831E317	0_2_0831E317
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_08322AD0	0_2_08322AD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_0832E830	0_2_0832E830
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_0832E608	0_2_0832E608
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_0832EC70	0_2_0832EC70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_0832EC60	0_2_0832EC60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_0832E840	0_2_0832E840
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_0832E288	0_2_0832E288
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_0832DF98	0_2_0832DF98
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_08329D85	0_2_08329D85
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_0832DF88	0_2_0832DF88
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_0832E5F8	0_2_0832E5F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_08322ACF	0_2_08322ACF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_02734460	4_2_02734460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_02731320	4_2_02731320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_02733848	4_2_02733848
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_02733E69	4_2_02733E69

Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe, 00000000.00000002.2484247029.00000000057C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMiPro.dll, vs SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe, 00000000.00000002.2482269120.0000000004188000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMiPro.dll, vs SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe, 00000000.00000002.2482269120.0000000004061000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMiPro.dll, vs SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe, 00000000.00000002.2473856137.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNew_XClient.exe4 vs SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe, 00000000.00000002.2473856137.00000000032A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNew_XClient.exe4 vs SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe, 00000000.00000000.2094219575.00000000008D2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedxdiag.exeH vs SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe, 00000000.00000002.2486523986.0000000007800000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRP8SH.dll, vs SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe, 00000000.00000002.2473142144.00000000013AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Binary or memory string: OriginalFilenamedxdiag.exeH vs SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe

Source: 3.2.InstallUtil.exe.430000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.30786f0.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.30786f0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000002.2145809299.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2473856137.000000000320E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2473856137.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.30786f0.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.30786f0.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.30786f0.0.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/4@1/1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: \Sessions\1\BaseNamedObjects\amFkCzzuyT6seqQS

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Local\Temp\Log.tmp

Jump to behavior

Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe

ReversingLabs: Detection: 60%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: diagaudio.lnk.4.dr

LNK file: ..\..\..\..\..\diagaudio.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: diagaudio.exe.4.dr
Source:	Binary string: InstallUtil.pdb source: diagaudio.exe.4.dr

Data Obfuscation

Yara detected DarkTortilla Crypter

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.57c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.4138790.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.57c0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.41887b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.4138790.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.4110770.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.41887b0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2482269120.0000000004188000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2484247029.00000000057C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2482269120.0000000004061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2473856137.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe PID: 5044, type: MEMORYSTR

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.30786f0.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.30786f0.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.30786f0.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.30786f0.0.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.30786f0.0.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.30786f0.0.raw.unpack, Messages.cs	.Net Code: Memory

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_07F1EC48 push eax; ret	0_2_07F1F651
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_0831071B push eax; retf	0_2_08310721
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_08320252 push 00000059h; ret	0_2_08320256
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Code function: 0_2_08329FC6 pushad ; ret	0_2_0832A003

Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe

Static PE information: section name: .text entropy: 7.0677126968600845

Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe, Wp54Ek.cs

High entropy of concatenated method names: 'y5JPn8', 'a5H6Bt', 'f3C7Eb', 'g8XWa9', 'i7Y1Lk', 't7DNy8', 'Wa03As', 'q5LYf2', 'i3A4Cp', 'Xf32Bs'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Roaming\diagaudio.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\diagaudio.lnk

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\diagaudio.lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe

File opened: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe\:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe PID: 5044, type: MEMORYSTR

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Memory allocated: 1340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Memory allocated: 2FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Memory allocated: 4FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Memory allocated: 8370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Memory allocated: 9370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Memory allocated: 9540000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Memory allocated: A540000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Memory allocated: A8D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Memory allocated: B8D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Memory allocated: C8D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2650000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2910000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2650000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 6984			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 2851			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe TID: 6464	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe TID: 5920	Thread sleep time: -62000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe TID: 4988	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2832	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2832	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5564	Thread sleep count: 6984 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5564	Thread sleep count: 2851 > 30	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe, 00000000.00000002.2485723159.000000000635A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "Vmcirb8bimipc/Y^
Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe, 00000000.00000002.2484247029.00000000057C0000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe, 00000000.00000002.2482269120.0000000004188000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe, 00000000.00000002.2482269120.0000000004061000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VBoxTray
Source: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe, 00000000.00000002.2482269120.0000000004061000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: sandboxierpcssGSOFTWARE\VMware, Inc.\VMware VGAuth
Source: InstallUtil.exe, 00000004.00000002.4554035801.0000000000A43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllh

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 430000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 430000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 430000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 432000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43C000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43E000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 22A008	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 40C000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 40E000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 6E3008	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: InstallUtil.exe, 00000004.00000002.4554035801.00000000009FF000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 3.2.InstallUtil.exe.430000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.30786f0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.30786f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2145809299.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2473856137.000000000320E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2473856137.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4559451531.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe PID: 5044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 2976, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 3136, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 3.2.InstallUtil.exe.430000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.30786f0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.30786f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2145809299.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2473856137.000000000320E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2473856137.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4559451531.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe PID: 5044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 2976, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 3136, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	11 Windows Management Instrumentation	1 Valid Accounts	1 Valid Accounts	1 Masquerading	1 Input Capture	121 Security Software Discovery	Remote Services	1 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 Valid Accounts	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	311 Process Injection	1 Access Token Manipulation	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	131 Virtualization/Sandbox Evasion	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	311 Process Injection	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Deobfuscate/Decode Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Hidden Files and Directories	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Obfuscated Files or Information	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	21 Software Packing	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 DLL Side-Loading	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	61%	ReversingLabs	ByteCode-MSIL.Trojan.DarkTortilla
SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	100%	Avira	HEUR/AGEN.1306792
SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\diagaudio.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
nnx.linkworldlogiticservices.online	0%	Avira URL Cloud	safe
http://go.mic	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
nnx.linkworldlogiticservices.online	168.119.55.248	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
nnx.linkworldlogiticservices.online	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	InstallUtil.exe, 00000004.00000002.4559451531.0000000002911000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://go.mic	SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe, 00000000.00000002.2473142144.00000000013E2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
168.119.55.248	nnx.linkworldlogiticservices.online	Germany		24940	HETZNER-ASDE	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1475143
Start date and time:	2024-07-17 16:39:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/4@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 126 Number of non-executed functions: 35
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe

Simulations

Behavior and APIs

Time	Type	Description
10:40:31	API Interceptor	6x Sleep call for process: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe modified
10:40:43	API Interceptor	7553704x Sleep call for process: InstallUtil.exe modified
16:40:42	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\diagaudio.lnk

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HETZNER-ASDE	http://exhibitprosper.com/r5K0.aspx?4XVH7cbbbd9tkD1cc3JlHcwglSchg7pcmcpJJhf9sc	Get hash	malicious	Phisher	Browse	46.4.249.94
	ziprar.exe	Get hash	malicious	Unknown	Browse	5.161.211.130
	file.exe	Get hash	malicious	Vidar	Browse	95.216.182.106
	https://app.tnotice.com/ui/getEmail.ashx?k64=V1Zaa1VrOVZOVFpYYldoUFVrZDBObFJYTVZKa1JuQnhXWHBPV21GVVFYZFhWbVJhWld0NFdGTnRjRkJTTUZZd1ZHNXdRazFHY0hSV2JURmFZV3hLZEZkdGNHRmlSWEIwVm01U1VWWXhTbTlaYlRGellrZEtTRlpZVm1sU1JWVXhWRlZTUTFGWFJraFBWRUpwVmpCYWQxbHJUVEZqUjFKQ1VGUXdiVlZyTUROT2JWSnRaVmhrYkdOcVVURlBWRmsxVkRGQ1dGSldTa1JYUVQwOQ==	Get hash	malicious	Unknown	Browse	176.9.109.10
	ggtFWl8FYQ.exe	Get hash	malicious	RedLine	Browse	95.217.245.123
	9hXUU0a31z.exe	Get hash	malicious	RedLine	Browse	95.217.245.123
	RlBO4hbPpE.exe	Get hash	malicious	RedLine	Browse	95.217.245.123
	oPrVzXlMg6.exe	Get hash	malicious	RedLine	Browse	95.217.245.123
	CO3bOkbuK2.exe	Get hash	malicious	RedLine	Browse	95.217.245.123
	cO8s15scCK.exe	Get hash	malicious	RedLine	Browse	95.217.245.123

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\diagaudio.exe	719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Get hash	malicious	DarkTortilla, XWorm	Browse
	ISF - SO.4985 KEL-RIO GRANPE HBL#KELRIG2406221.scr.exe	Get hash	malicious	DarkTortilla, XWorm	Browse
	F46VBJ6Yvy.exe	Get hash	malicious	AgentTesla	Browse
	@#U570b#U5167DEBIT#U5e33#U55ae[#U4e2d#U6587#U672c#U5e63]-OI(K)_20240612161821.scr.exe	Get hash	malicious	DarkTortilla, XWorm	Browse
	SPECIFICATIONS.exe	Get hash	malicious	AgentTesla	Browse
	order .exe	Get hash	malicious	AgentTesla	Browse
	06-07-2024 REVISED - BL#3330937P2454 SO#2003 #U63d0#U55ae#U96fb#U653e.scr.exe	Get hash	malicious	DarkTortilla, XWorm	Browse
	Mahsulot kodi va buyurtma miqdori.docx.exe	Get hash	malicious	AgentTesla	Browse
	#U597d#U601d#U4f73#U7ca7#U696d 0524 KAO - SH CY 1X40HQ(#U4ee3#U7528).scr.exe	Get hash	malicious	DarkTortilla, XWorm	Browse
	ISF (10+2) Form #U683c#U798f-3019 NASHVILLE.xls.scr.exe	Get hash	malicious	DarkTortilla, XWorm	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.log

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4x84qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHxviYHKh3oPtHo6hAHKzea
MD5:	7B709BC412BEC5C3CFD861C041DAD408
SHA1:	532EA6BB3018AE3B51E7A5788F614A6C49252BCF
SHA-256:	733765A1599E02C53826A4AE984426862AA714D8B67F889607153888D40BBD75
SHA-512:	B35CFE36A1A40123FDC8A5E7C804096FF33F070F40CBA5812B98F46857F30BA2CE6F86E1B5D20F9B6D00D6A8194B8FA36C27A0208C7886512877058872277963
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\Log.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	3.598349098128234
Encrypted:	false
SSDEEP:	3:rRSFYJKXzovNsra:EFYJKDoWra
MD5:	2C11513C4FAB02AEDEE23EC05A2EB3CC
SHA1:	59177C177B2546FBD8EC7688BAD19D08D32640DE
SHA-256:	BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
SHA-512:	08196AFA62650F1808704DCAD9918DA11175CD8792878F63E35F517B4D6CF407AC9E281D9B71A76E4CC1486CAD7079C56B74ECBEDB0A0F0DD4170FB0D30D2BAD
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	....### explorer ###..[WIN]r

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\diagaudio.lnk

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Jul 17 13:40:38 2024, mtime=Wed Jul 17 13:40:38 2024, atime=Wed Jul 17 13:40:38 2024, length=42064, window=hide
Category:	dropped
Size (bytes):	779
Entropy (8bit):	5.08365306878482
Encrypted:	false
SSDEEP:	12:8cvodm/CI4Ipnu8ChBlXIsY//Zp0Le+LDnt8M/jAwFs+HPJm3COomV:8c/2QDklXUWe+tLAw+AJmypm
MD5:	E774A477DB4524756214502F357B2D65
SHA1:	3321762F2A4C2BA87AB2644B510EA04A60F6E551
SHA-256:	ED44EFD1BEB45A66AAE80E844C135DF55B2DE94EAFB5F93E9B549A980C0EC032
SHA-512:	51192CD9707A6F63113DE79A4B4118F030E6A8F14C664FA8C0089AD14124EF690F690355F521147C5F862B3D1167E746BDE1862CF944D810A52F9B1CDF00E699
Malicious:	false
Reputation:	low
Preview:	L..................F.... .....JW.....JW.....JW...P.......................\|.:..DG..Yr?.D..U..k0.&...&.......$..S....,;-W...^!.JW.......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.X.t...........................^.A.p.p.D.a.t.a...B.V.1......X.t..Roaming.@......EW<2.X.t..../......................oa.R.o.a.m.i.n.g.....h.2.P....X.u .DIAGAU~1.EXE..L.......X.u.X.u..........................!...d.i.a.g.a.u.d.i.o...e.x.e.......^...............-.......]............o.S.....C:\Users\user\AppData\Roaming\diagaudio.exe........\.....\.....\.....\.....\.d.i.a.g.a.u.d.i.o...e.x.e.`.......X.......745773...........hT..CrF.f4... .0)..Jc...-...-$..hT..CrF.f4... .0)..Jc...-...-$.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\diagaudio.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	42064
Entropy (8bit):	6.19564898727408
Encrypted:	false
SSDEEP:	384:qtpFVLK0MsihB9VKS7xdgl6KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+RPZTg:GBMs2SqdSZ6Iq8BxTfqWR8h7ukP
MD5:	5D4073B2EB6D217C19F2B22F21BF8D57
SHA1:	F0209900FBF08D004B886A0B3BA33EA2B0BF9DA8
SHA-256:	AC1A3F21FCC88F9CEE7BF51581EAFBA24CC76C924F0821DEB2AFDF1080DDF3D3
SHA-512:	9AC94880684933BA3407CDC135ABC3047543436567AF14CD9269C4ADC5A6535DB7B867D6DE0D6238A21B94E69F9890DBB5739155871A624520623A7E56872159
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, Detection: malicious, Browse Filename: ISF - SO.4985 KEL-RIO GRANPE HBL#KELRIG2406221.scr.exe, Detection: malicious, Browse Filename: F46VBJ6Yvy.exe, Detection: malicious, Browse Filename: @#U570b#U5167DEBIT#U5e33#U55ae[#U4e2d#U6587#U672c#U5e63]-OI(K)_20240612161821.scr.exe, Detection: malicious, Browse Filename: SPECIFICATIONS.exe, Detection: malicious, Browse Filename: order .exe, Detection: malicious, Browse Filename: 06-07-2024 REVISED - BL#3330937P2454 SO#2003 #U63d0#U55ae#U96fb#U653e.scr.exe, Detection: malicious, Browse Filename: Mahsulot kodi va buyurtma miqdori.docx.exe, Detection: malicious, Browse Filename: #U597d#U601d#U4f73#U7ca7#U696d 0524 KAO - SH CY 1X40HQ(#U4ee3#U7528).scr.exe, Detection: malicious, Browse Filename: ISF (10+2) Form #U683c#U798f-3019 NASHVILLE.xls.scr.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,>.]..............0..T...........r... ........@.. ....................................`.................................4r..O....................b..PB...........p............................................... ............... ..H............text....R... ...T.................. ..`.rsrc................V..............@..@.reloc...............`..............@..B................hr......H........"..\|J..........lm.......o......................................2~.....o.....r...p(....VrK..p(....s...........0..........(....(....o....o....(....o.... .....T(....o....(....o....o ...o!....4(....o....(....o....o ...o".....(....rm..ps#...o....($........(%....o&....ry..p......%.r...p.%.(.....(....('....((.......o)...('........................."..(.....{Q...-...}Q.....(+...(....(,....(+..."..(-.....(......(.....r...p.(/...o0...s....}T...*....0.. .......~S...-.s

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.051736371232691
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe
File size:	392'192 bytes
MD5:	8aae495569f2eba4371a7666c6066c2e
SHA1:	bdb285e457e68fe05974e62671754277a3c22d5d
SHA256:	6664c76fa812ee8c12dfd4d5763a29d10b66b7f3beff780ff13e67dd667e575d
SHA512:	aaa784cc6c7ce321b229b22b141c4e02886fe1e7274e78608f17a5e4336aa7c3b3837f3b2fedaf2c55d7e945c6f767920941cc531559de179341e1d851b05fe6
SSDEEP:	6144:idF6sCOSqlT31ikgUS77g1UzvqPVdjtFKIdSM4LHCbvvw:YzSql31HgUS77gKzyPVhtFiMaHJ
TLSH:	1F84AC4E1BC9AA05C4BE367852B5102497F1F4CA2963F34F0AC465F67B737A19E423A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Zt>.........."...P.............>.... ... ....@.. .......................`............`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x46133e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x3E745A2E [Sun Mar 16 11:04:14 2003 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x612f0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x62000	0x3fc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x64000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x5f344	0x5f400	710d865f2ebdbd4350017522044510c1	False	0.690668061023622	data	7.0677126968600845	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x62000	0x3fc	0x400	1b94706196efd08ec48d82c3481813a9	False	0.4267578125	data	3.4818051772188543	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x64000	0xc	0x200	5b3f91862b5c7835f3809918c5a4cede	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x62058	0x3a4	data			0.4356223175965665

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/17/24-16:42:27.466949	TCP	2853193	ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound	49723	9196	192.168.2.6	168.119.55.248
07/17/24-16:40:56.953871	TCP	2855924	ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound	49723	9196	192.168.2.6	168.119.55.248
07/17/24-16:44:05.044084	TCP	2852923	ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	49723	9196	192.168.2.6	168.119.55.248
07/17/24-16:44:05.188143	TCP	2852870	ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes	9196	49723	168.119.55.248	192.168.2.6
07/17/24-16:44:05.188143	TCP	2852874	ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2	9196	49723	168.119.55.248	192.168.2.6

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-17T16:44:05.044084+0200	TCP	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	49723	9196	192.168.2.6	168.119.55.248
2024-07-17T16:42:27.466949+0200	TCP	2853193	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	49723	9196	192.168.2.6	168.119.55.248
2024-07-17T16:40:04.502873+0200	TCP	2840787	ETPRO HUNTING Request for config.json	49715	443	192.168.2.6	184.28.90.27
2024-07-17T16:44:05.188143+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	9196	49723	168.119.55.248	192.168.2.6
2024-07-17T16:44:05.188143+0200	TCP	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	9196	49723	168.119.55.248	192.168.2.6
2024-07-17T16:40:56.953871+0200	TCP	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	49723	9196	192.168.2.6	168.119.55.248

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 17, 2024 16:40:44.304138899 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:40:44.309077978 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:40:44.309201002 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:40:44.399096012 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:40:44.404033899 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:40:56.953871012 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:40:56.962935925 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:40:57.345909119 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:40:57.360462904 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:40:57.365974903 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:41:05.343766928 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:41:05.388784885 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:41:09.514313936 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:41:09.826052904 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:41:09.850945950 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:41:09.850966930 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:41:10.217606068 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:41:10.219448090 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:41:10.224411964 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:41:22.077681065 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:41:22.082914114 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:41:22.529150009 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:41:22.532361031 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:41:22.537405968 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:41:34.639702082 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:41:34.649363995 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:41:34.859262943 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:41:34.861263990 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:41:34.866292953 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:41:35.451407909 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:41:35.497972965 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:41:44.420116901 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:41:44.426230907 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:41:44.783082962 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:41:44.785773039 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:41:44.790782928 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:41:50.732703924 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:41:50.738466978 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:41:50.988276005 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:41:50.991415977 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:41:51.094610929 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:41:51.138906956 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:41:51.143888950 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:41:51.651835918 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:41:51.657869101 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:41:51.663366079 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:41:56.545171022 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:41:56.550218105 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:41:57.076370001 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:41:57.302583933 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:41:57.305149078 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:41:57.305207014 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:41:57.310544014 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:41:57.506246090 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:41:57.507868052 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:41:57.513127089 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:41:57.576554060 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:41:57.583139896 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:41:57.813769102 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:41:57.823292971 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:41:57.828227043 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:03.889269114 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:42:03.903904915 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:04.135891914 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:04.139317036 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:42:04.171492100 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:05.569591999 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:05.638542891 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:42:06.081171036 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:06.081233978 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:42:06.081429958 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:06.081476927 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:42:09.532114029 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:42:09.539729118 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:11.166274071 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:11.166735888 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:11.167006016 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:42:11.167891979 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:11.168005943 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:42:11.168864965 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:42:11.182724953 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:22.092241049 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:42:22.159962893 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:22.683912992 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:22.689543962 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:42:22.700089931 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:24.357821941 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:42:24.368022919 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:24.373645067 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:42:24.378984928 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:24.576411009 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:42:24.581247091 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:24.592176914 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:42:24.597871065 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:25.224987984 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:25.228807926 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:25.229212999 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:42:25.229433060 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:42:25.235819101 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:25.411089897 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:25.420351982 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:42:25.456561089 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:25.515305996 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:25.523683071 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:42:25.528565884 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:25.528654099 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:42:25.533541918 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:27.310883045 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:42:27.357043982 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:27.466948986 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:42:27.471961021 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:27.682923079 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:27.686003923 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:42:27.692959070 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:27.807739973 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:27.810209036 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:42:27.822242975 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:35.157582998 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:35.204159975 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:42:39.857620955 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:42:39.867613077 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:40.172750950 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:40.175487995 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:42:40.181436062 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:43.779448032 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:42:43.784652948 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:44.075505972 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:44.077765942 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:42:44.092633963 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:45.702313900 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:42:45.707330942 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:46.079670906 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:46.081387043 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:42:46.086319923 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:58.263973951 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:42:58.295100927 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:58.850053072 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:42:58.854180098 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:42:58.859376907 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:05.252522945 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:05.312546015 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:10.828567028 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:10.839857101 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:11.426075935 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:11.427706003 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:11.434259892 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:12.045146942 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:12.051143885 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:12.107695103 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:12.112855911 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:12.318238020 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:12.319961071 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:12.325134993 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:12.532545090 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:12.534256935 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:12.539393902 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:12.576579094 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:12.581633091 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:12.592125893 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:12.597317934 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:12.920120955 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:12.938014030 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:13.248049021 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:13.499073982 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:13.505486965 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:13.505559921 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:13.514197111 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:13.514360905 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:13.514370918 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:13.514414072 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:13.514439106 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:13.543306112 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:18.467092037 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:18.472616911 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:18.661488056 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:18.663590908 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:18.669862032 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:27.763909101 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:27.793659925 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:27.793730021 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:27.810373068 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:28.119112015 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:28.121469975 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:28.126282930 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:28.343223095 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:28.345254898 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:28.417989016 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:34.954818010 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:34.998220921 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:38.592103004 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:38.597088099 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:38.956043005 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:38.969374895 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:38.974364042 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:40.357898951 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:40.363205910 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:40.918958902 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:40.920835972 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:40.928925037 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:42.108392954 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:42.113260031 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:42.478447914 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:42.480068922 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:42.484813929 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:47.389626980 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:47.394529104 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:47.758322001 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:47.796816111 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:47.801842928 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:48.498394966 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:48.503550053 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:48.545186043 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:48.552366972 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:48.560772896 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:48.565776110 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:48.576380014 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:48.588141918 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:48.775157928 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:48.779872894 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:48.786078930 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:48.990715981 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:48.998224020 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:49.003232002 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:49.206074953 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:49.207617998 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:49.213007927 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:49.509871006 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:49.511673927 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:49.516625881 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:53.889238119 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:53.894279003 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:54.082987070 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:54.086977005 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:54.092041016 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:54.354697943 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:54.365483046 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:54.592297077 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:54.626015902 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:54.685956001 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:54.693512917 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:54.717204094 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:54.722451925 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:54.732804060 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:54.747100115 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:55.098088980 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:55.102230072 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:55.107207060 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:55.249830008 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:55.252547979 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:55.257900000 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:43:55.257987976 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:43:55.262893915 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:44:00.114831924 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:44:00.120585918 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:44:01.071923018 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:44:01.075786114 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:44:01.083621979 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:44:04.592056036 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:44:04.600676060 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:44:05.043268919 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:44:05.044084072 CEST	49723	9196	192.168.2.6	168.119.55.248
Jul 17, 2024 16:44:05.049024105 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:44:05.188143015 CEST	9196	49723	168.119.55.248	192.168.2.6
Jul 17, 2024 16:44:05.232407093 CEST	49723	9196	192.168.2.6	168.119.55.248

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 17, 2024 16:40:44.282222033 CEST	61615	53	192.168.2.6	1.1.1.1
Jul 17, 2024 16:40:44.298877954 CEST	53	61615	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 17, 2024 16:40:44.282222033 CEST	192.168.2.6	1.1.1.1	0x9fdc	Standard query (0)	nnx.linkworldlogiticservices.online	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 17, 2024 16:40:44.298877954 CEST	1.1.1.1	192.168.2.6	0x9fdc	No error (0)	nnx.linkworldlogiticservices.online		168.119.55.248	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	10:39:56
Start date:	17/07/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe"
Imagebase:	0x870000
File size:	392'192 bytes
MD5 hash:	8AAE495569F2EBA4371A7666C6066C2E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2482269120.0000000004188000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2484247029.00000000057C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2482269120.0000000004061000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2473856137.000000000320E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2473856137.000000000320E000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2473856137.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2473856137.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2473856137.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:39:59
Start date:	17/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x60000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.2145809299.0000000000432000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000002.2145809299.0000000000432000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:40:01
Start date:	17/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x510000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000004.00000002.4559451531.0000000002911000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	17.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	16%
Total number of Nodes:	119
Total number of Limit Nodes:	13

Executed Functions

Function 08322AD0 Relevance: 5.6, Instructions: 5633
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c999b15aface4919dadb5dcdbd1c6950a30a3d77c81a311c468fbdfb2c330a4
Instruction ID: adab77af20675a787160c8f185930428ae6cdf6524c40d0d91f2323801342125
Opcode Fuzzy Hash: 4c999b15aface4919dadb5dcdbd1c6950a30a3d77c81a311c468fbdfb2c330a4
Instruction Fuzzy Hash: CEC30870E02218CBCB68FF38DA9966CBBB6EB89300F5044EDD449A7654EB355E85CF41

Function 08322ACF Relevance: 5.6, Instructions: 5633
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51045df037bf2b1aa48c94b3943e4efbadee1e8085d8fbb5145a6b49a10f4acb
Instruction ID: 79a70eae32581a2de08549da27bc39448ded336249aec6598f3bc64ec83417fa
Opcode Fuzzy Hash: 51045df037bf2b1aa48c94b3943e4efbadee1e8085d8fbb5145a6b49a10f4acb
Instruction Fuzzy Hash: 51C30870E02218CBCB68FF38DA9966CBBB6EB89300F5044EDD449A7654EB355E85CF41

Function 08313538 Relevance: 5.2, Instructions: 5170
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2487453766.0000000008310000.00000040.00000800.00020000.00000000.sdmp, Offset: 08310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8310000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 352d31b02aeb7587c8ac49773c93df4ad8a27e56004c7040fb15684918279c8a
Instruction ID: 3f77eb34d2f86a712a1a532475cdbc3bfe7b0af1f1cd510f96338f5e1e8a73e7
Opcode Fuzzy Hash: 352d31b02aeb7587c8ac49773c93df4ad8a27e56004c7040fb15684918279c8a
Instruction Fuzzy Hash: 0DB30970A12218CBCB58EF78DA9966CBBF6FB88700F5085E9D449A7250EF345D84CF85

Function 079D9E40 Relevance: 2.7, Strings: 2, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Q+(i, xrefs: 079D9F8D
Q+(i, xrefs: 079D9F7F

Memory Dump Source

Source File: 00000000.00000002.2486805165.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Q+(i$Q+(i
API String ID: 0-3998099878
Opcode ID: 225f2670444f7456769d0dfc2395d8d14c3a7e4d0fca1b94e02f505ad31fbec3
Instruction ID: f5440e00ed0e829e328661411fbf6915cdf22afb9497f90a56a5063e64cadd1e
Opcode Fuzzy Hash: 225f2670444f7456769d0dfc2395d8d14c3a7e4d0fca1b94e02f505ad31fbec3
Instruction Fuzzy Hash: 2F810EB0D15219CFCB04DFA5D5886EEFBB2FB8A314F20842AD416BB254DB745A42CF64

Function 079D28E0 Relevance: 2.7, Strings: 2, Instructions: 167
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Q!, xrefs: 079D2B2F
Q!, xrefs: 079D2B3D

Memory Dump Source

Source File: 00000000.00000002.2486805165.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Q!$Q!
API String ID: 0-2963764794
Opcode ID: e7d3e39340d97568b20cf165e47c78a56f128d8ccb50e126e5d18a973cf13736
Instruction ID: f13c75ea5feabf7a3aeff109d0e36a69a87d2423b5abee7bd76e434ba383feff
Opcode Fuzzy Hash: e7d3e39340d97568b20cf165e47c78a56f128d8ccb50e126e5d18a973cf13736
Instruction Fuzzy Hash: 9071F1B4E10209DFCB08CFA5D5885AEBBB2FF88310F20942AD80AAB355DB345985CF55

Function 075BD89A Relevance: 2.7, Strings: 2, Instructions: 164
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

tI'5, xrefs: 075BD7C9
tI'5, xrefs: 075BD7E0

Memory Dump Source

Source File: 00000000.00000002.2486113402.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: tI'5$tI'5
API String ID: 0-1618107
Opcode ID: f38a2fbab3b01fa041c1d4b00bc6ccd4afc8abcd51a2797edf2fcb56d1f5323c
Instruction ID: 88816c2fd95ae0569ac2512f16bce5f83b9b937ef7722274bf95e0daa3972ba1
Opcode Fuzzy Hash: f38a2fbab3b01fa041c1d4b00bc6ccd4afc8abcd51a2797edf2fcb56d1f5323c
Instruction Fuzzy Hash: E46125B5E00219CBDB14CFAAD8806EEFBB2FF89300F24856AE405BB254D7746945CF50

Function 079D98A8 Relevance: 1.7, APIs: 1, Instructions: 164
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessAsUserW.KERNELBASE(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 079D9A13

Memory Dump Source

Source File: 00000000.00000002.2486805165.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79d0000_SecuriteInfo.jbxd

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: 29a5d4e8ab3f6b9f623d261d54270bc1359f3846e70c4b02db642f322d281462
Instruction ID: bc2c3a77a620046f171775d72cb8f7fc0911fdd14063b213eaef41d998e84995
Opcode Fuzzy Hash: 29a5d4e8ab3f6b9f623d261d54270bc1359f3846e70c4b02db642f322d281462
Instruction Fuzzy Hash: 9E51F5B190022ADFDB24DF99C940BDDBBB5FF48314F1480AAE909B7250DB75AA85CF50

Function 079D28D2 Relevance: 1.4, Strings: 1, Instructions: 170COMMON

Download Yara Rule

Strings

Q!, xrefs: 079D2B3D

Memory Dump Source

Source File: 00000000.00000002.2486805165.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Q!
API String ID: 0-1344094416
Opcode ID: 2ce9ac8bc6424fc8024b06dd02c51bf800f0daaa1abbf1b8311cf706d8bdd2b8
Instruction ID: 8413ad96070a96154121830d873db9bcaf239b81c66c5cdb922088ff524d936c
Opcode Fuzzy Hash: 2ce9ac8bc6424fc8024b06dd02c51bf800f0daaa1abbf1b8311cf706d8bdd2b8
Instruction Fuzzy Hash: AB71E2B4E10209DFDB08CFA5E5885AEBBB2FF89311F20842ED806AB355DB345985CF55

Function 075BA788 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

<, xrefs: 075BA8BD

Memory Dump Source

Source File: 00000000.00000002.2486113402.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: f833306029a04f7dbfa611a721869fd109d160c039e0934f7918fce4a710f50c
Instruction ID: 2c5b574c1444ed9f82f7d87e2d66ee5a54417d8eb70064e1e5c2eda5e1f3049f
Opcode Fuzzy Hash: f833306029a04f7dbfa611a721869fd109d160c039e0934f7918fce4a710f50c
Instruction Fuzzy Hash: C06184B5D01658CFDB58CFAAC9446DDBBF2AF89300F14C0AAD409AB325EB345A85CF50

Function 075B2E78 Relevance: 1.1, Instructions: 1084COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2486113402.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b483a454e7bb7c550398306e33718310fccc1520502ae8368ef42a0d58b1140c
Instruction ID: 25e28179dbee977452020f9ea9aeba5a39cab3d042c223593e6cfbfa2e329acd
Opcode Fuzzy Hash: b483a454e7bb7c550398306e33718310fccc1520502ae8368ef42a0d58b1140c
Instruction Fuzzy Hash: C972FF31A042158FC708EBB8D89866DBBF2FF89200F51896AD449EB265DF399C09DB41

Function 07F1EC48 Relevance: .8, Instructions: 806COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2486965109.0000000007F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b3031cebbfb2339316ffcdf6a8cd8e9588a5434d05825895ff824ca1673d2a9
Instruction ID: 17f3cf30823a8cffd3291937f1f6895a3af398d7c00a998be979d3471e10b8b1
Opcode Fuzzy Hash: 9b3031cebbfb2339316ffcdf6a8cd8e9588a5434d05825895ff824ca1673d2a9
Instruction Fuzzy Hash: A552BC71B002158FDB58AB78C854B6E7BE2AFC8311F188569E51ADB3A1DF34DC06CB91

Function 01348385 Relevance: .8, Instructions: 771COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c0d61f1031e00add7912f259078b1b1b2ffe7f8fe6dbca10546651cebd4e5e2
Instruction ID: e2905521523c88ec5dafeea2dd162903231a96fafbe1f195be1593602fd102aa
Opcode Fuzzy Hash: 3c0d61f1031e00add7912f259078b1b1b2ffe7f8fe6dbca10546651cebd4e5e2
Instruction Fuzzy Hash: F7625F30A01509DFDB15CFA8C984AAEBBF2FF88318F198599E5059B261D730FD41CB55

Function 07F134E8 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2486965109.0000000007F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4137a8de5eafd58494c356f0a2dd8ffde735570ec82b6a728db9f50ef13e4f17
Instruction ID: 24195ccb65c65a1e8e40b25471bec1eacdde471bd34ed686233eae0e539a9ec4
Opcode Fuzzy Hash: 4137a8de5eafd58494c356f0a2dd8ffde735570ec82b6a728db9f50ef13e4f17
Instruction Fuzzy Hash: 13526E70A00356CFCB14DF68C844B99B7B2FF89314F2582A9D5586F3A1DBB1A986CF41

Function 07F134D8 Relevance: .6, Instructions: 583COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2486965109.0000000007F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8286f3d30f9bd75bb3bdd0388614835b925512b226ca3e84ef3e77edd5798984
Instruction ID: 601e577f05193843537d962f412f5aba1f554ce59512d1e37cb198dc67c21399
Opcode Fuzzy Hash: 8286f3d30f9bd75bb3bdd0388614835b925512b226ca3e84ef3e77edd5798984
Instruction Fuzzy Hash: B3526E70A00356CFCB14DF68C844B99B7B2FF85314F2582A9D5586F3A1DBB1A986CF81

Function 01347418 Relevance: .4, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 923d16f3e727f20ece9a309543b7689dee7c3ff68bc3f5b8b6b605cfae2fcc69
Instruction ID: f4bb14b44ae8b5b507de8de9f217abc4673b09b02895bb8dd945c67a1fb816d0
Opcode Fuzzy Hash: 923d16f3e727f20ece9a309543b7689dee7c3ff68bc3f5b8b6b605cfae2fcc69
Instruction Fuzzy Hash: 07025C70A002198FDB19DFB9C854AAEBBF6BFC8304F148569E505EB395DB34AD41CB90

Function 01347A30 Relevance: .4, Instructions: 441COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84766dcc65a619f8288bbb2f5b46f42fce9d3d9f7cf80a982a6c88034b1207d7
Instruction ID: 1886deeaebf258d19b1398a2313a19cec3574c019e34118394452600a2b8a5c7
Opcode Fuzzy Hash: 84766dcc65a619f8288bbb2f5b46f42fce9d3d9f7cf80a982a6c88034b1207d7
Instruction Fuzzy Hash: 63027E31A00209DFDB25CFA8C984AAEBBF6FF89308F158569E515EB265D730ED41CB50

Function 075BE6E2 Relevance: .4, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2486113402.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eafd75572b9cbc4fe9b13305154c620685642e0066e59706b0d7fdf52890c201
Instruction ID: 80d61bc5218c3f944a52ad9332b769ecce93173e8c3e14033fd161fc2432aa97
Opcode Fuzzy Hash: eafd75572b9cbc4fe9b13305154c620685642e0066e59706b0d7fdf52890c201
Instruction Fuzzy Hash: 98E1C0B5D0524ACFDB15CFA4E4864EEFBB1FF49320F28895AD406AB255C7309982CF94

Function 01344E98 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d4035135cc65cc4e51aa8afbf9339d2dfea32e2d3e4906b5d60fdfe1ccc417
Instruction ID: df036ff939e58acca6056e7e0096ce134667bbcfbc30a90c8493de2a39f91c8b
Opcode Fuzzy Hash: 09d4035135cc65cc4e51aa8afbf9339d2dfea32e2d3e4906b5d60fdfe1ccc417
Instruction Fuzzy Hash: 5DF10374E00258CFEB24CFA9C844B9DBBF2BF89304F1481AAD509AB265DB706D85CF51

Function 079D4A99 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2486805165.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af193a5c8c566a6fec0789824246a6c4a66614884a87139c7e80d24f401bd6f9
Instruction ID: b3cf3c4ad688c40c37b346b11688adeeff5f1a6c3f7ced5d00c2cc15afbf1c54
Opcode Fuzzy Hash: af193a5c8c566a6fec0789824246a6c4a66614884a87139c7e80d24f401bd6f9
Instruction Fuzzy Hash: 40D13670A142A9CFCB24CF65D94479DBBF2FB89340F10D9EAD40AAB224D7749E858F40

Function 075BE7A8 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2486113402.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a6aa079d683a1cfb63b09d3745937a997fb97384319c26031301e676c75ea9e
Instruction ID: 10bb053a4ff72664a7d2e7f76676475a05599b620a3df38493643af197a86e5a
Opcode Fuzzy Hash: 0a6aa079d683a1cfb63b09d3745937a997fb97384319c26031301e676c75ea9e
Instruction Fuzzy Hash: 93C159B0D0060ADFDB14CFA5D4899EEFBB2FF89310F248959D416AB255C734A982CF94

Function 075BE7A4 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2486113402.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c71a3f7d46207c5bc93528919b9319191adf598922ec9ac59755fb7eb22bbaae
Instruction ID: dcfbbf4d71177c3405bff9049df791f974c6fd0b4bcc21d4b5eccae10cbc70bc
Opcode Fuzzy Hash: c71a3f7d46207c5bc93528919b9319191adf598922ec9ac59755fb7eb22bbaae
Instruction Fuzzy Hash: 78C159B0E0020ADFDB14CFA5C4958EEFBB2FF89310F148959D416AB255C734A982CF94

Function 079D7AA8 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2486805165.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 971ce995050440deb7265318e04b774161f5ae5838814a910df41b5ff53b0562
Instruction ID: 5faab5dac79c195bcdde8a584dcf7ae657c07eb9e553032de0c185d679078fd9
Opcode Fuzzy Hash: 971ce995050440deb7265318e04b774161f5ae5838814a910df41b5ff53b0562
Instruction Fuzzy Hash: 9EA126B0E15219CFCB08CFE5E994A9DBBF2FB8A314F10992AD50ABB214D7749D41CB14

Function 0134B270 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f59d3137e760136592604a17f49f371de5023a95caecfd4e75225d78dde4d33
Instruction ID: 0ab12ff36533c9683d56700563173790690b71ff004dbdcf446fe9bcb36d9a54
Opcode Fuzzy Hash: 3f59d3137e760136592604a17f49f371de5023a95caecfd4e75225d78dde4d33
Instruction Fuzzy Hash: 18B1B674E01258CFDB18DFA9C894A9DBBB2FF89305F2080A9D409AB365DB31AD45CF11

Function 079D7A98 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2486805165.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca846906dc5b06b941b4623940418e0c75644d06de82cde10b7d51b4e465bcf6
Instruction ID: 5fbc1c98fe3361ff8cca260c8c10efbf3b397096d56c75df21598eb8511c5dd6
Opcode Fuzzy Hash: ca846906dc5b06b941b4623940418e0c75644d06de82cde10b7d51b4e465bcf6
Instruction Fuzzy Hash: CDA113B4E11219CFDB08CFE5E984A9DBBF2FB89310F14992AD50ABB254D7349941CB18

Function 0134B2A0 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc331e703cc1961192734f3988e9166d07d48a04a7edad1644045d2afb499535
Instruction ID: 78b2082fa4400c539e2f0ee84d368e2d56b8f3518acfdf7c69c29a1d1992cb10
Opcode Fuzzy Hash: cc331e703cc1961192734f3988e9166d07d48a04a7edad1644045d2afb499535
Instruction Fuzzy Hash: 80A1A874E00218CFDB18DFA9C894A9DBBB2FF89305F2081A9D409AB364DB31AD45DF50

Function 079D87AD Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2486805165.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e33c539d62b631ccf7749d884ee293a9bf6b56c23a6b83f7bf19f249d22bc6d5
Instruction ID: a29370e26610f7cd39cc7857ff56174229d1527a43ecde9793b7e9b448fc5f18
Opcode Fuzzy Hash: e33c539d62b631ccf7749d884ee293a9bf6b56c23a6b83f7bf19f249d22bc6d5
Instruction Fuzzy Hash: 4C91F3B4E052288FDB14CFA5D988BDDBBB2FF89300F1481AAD409AB251DB744E85CF14

Function 075BC786 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2486113402.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d455266f8d105b51df3add343bc53c82e3b1dcec2c4cafe177b8ad252afaa04
Instruction ID: 3149118016c5d39ea604e9927e5f4be474f04b90ac6108b404e2fc32237fde9b
Opcode Fuzzy Hash: 8d455266f8d105b51df3add343bc53c82e3b1dcec2c4cafe177b8ad252afaa04
Instruction Fuzzy Hash: E981D2B4E012598FDB08CFAAD884AEEFBB2FF89300F14856AD415AB354D7345905CF64

Function 075BC7A0 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2486113402.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66cba854c2cb0cf4af1ad59634aa05a41537239d5d0d569e9dc51a74879d6e93
Instruction ID: 95f50f2fa015e71060c90138e9b285b2ae5335a48f01cf8d3a98fe07134bfbcc
Opcode Fuzzy Hash: 66cba854c2cb0cf4af1ad59634aa05a41537239d5d0d569e9dc51a74879d6e93
Instruction Fuzzy Hash: 5371A2B4E102198FDB08CFAAD944AEEFBB2FF89301F10852AD515AB354D7345945CF54

Function 079D4350 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2486805165.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be9ca62d43ae76ea21370602342b0fec6ab7c502d3ecb041e329513771c1fa60
Instruction ID: 813c75edf06069e26ff38df3faedf504169ea34a5b21ad7ca76432eb16aa67c0
Opcode Fuzzy Hash: be9ca62d43ae76ea21370602342b0fec6ab7c502d3ecb041e329513771c1fa60
Instruction Fuzzy Hash: 146155B0D04259DFCB04DFA9D5896AEBBB1FF89314F10882ED812BB264D7B49A41CF54

Function 075BCEC9 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2486113402.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a47f63e1e0a494b59e576dd6abfb34695d36caaca56612cb03952a20c97ad96b
Instruction ID: 956870e34d2c5e86f0b8b40190807c1386fdd8ccc391dcd81b8d694830ef8903
Opcode Fuzzy Hash: a47f63e1e0a494b59e576dd6abfb34695d36caaca56612cb03952a20c97ad96b
Instruction Fuzzy Hash: DD512DB0D142198FDB08CF9AD5506EEFBF2BF89301F24D4AAD415A7254D7349A42CF68

Function 079D4340 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2486805165.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed37506a72601774033bb8263debd6b884880c9be645cdb70e9051ef55025380
Instruction ID: 5af0b63845c613d934da68b8b27e3366f0314136e77f5093c52c2a5e8d62eacc
Opcode Fuzzy Hash: ed37506a72601774033bb8263debd6b884880c9be645cdb70e9051ef55025380
Instruction Fuzzy Hash: B55159B0D04299DFCB04CFA9D5496AEBBB1FF89314F10892ED812BB264D7B49A41CF54

Function 01344E88 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c7f16fb6ea1f966741970f8de08180c636667e3ca0b0e1825c96ed5ea9cf04c
Instruction ID: f771f693924d5edfdf770bf018b913de1dbb049099a67f0cedcf5b59cfbce825
Opcode Fuzzy Hash: 0c7f16fb6ea1f966741970f8de08180c636667e3ca0b0e1825c96ed5ea9cf04c
Instruction Fuzzy Hash: 3251E074E00258CFEB19CFAAC844B9DBBF2BF88304F14C06AD808AB265DB715985CF11

Function 079D4038 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2486805165.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79824565e9451e031a693cabbdc84eeef5a58cb5f407cf5a94c94914008a41ec
Instruction ID: 4653af572b19089560bb34d35a5f49f8f6338388f8bf009b7cd3e16994ffee1c
Opcode Fuzzy Hash: 79824565e9451e031a693cabbdc84eeef5a58cb5f407cf5a94c94914008a41ec
Instruction Fuzzy Hash: E9417DB4D1525ADFCF04CFA6D4406AEFBB1FB9A304F14D82AD911A7260D3784A46CFA4

Function 079D4048 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2486805165.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59bb15db15c314716b311468463d2555ca7b5939756ff79d2d59c37dd0922f94
Instruction ID: 8a9ad48dc6bdc23cad83d3199ba9f38f7eea7f967ca47800a18cde45982b64da
Opcode Fuzzy Hash: 59bb15db15c314716b311468463d2555ca7b5939756ff79d2d59c37dd0922f94
Instruction Fuzzy Hash: 66417AB0D1524ADBCF04CFA6D9415AEFBB5FF99304F14D82AD911B7220D7784A428FA4

Function 075BBB5F Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2486113402.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49c6c86b3a1066b8dd4fa519416541d1edcdace374906f9607422fcb2d595e75
Instruction ID: 708ae7ca73e20d997f2fbffa89f441636043aeb4e45fe1a728b920f962e25a22
Opcode Fuzzy Hash: 49c6c86b3a1066b8dd4fa519416541d1edcdace374906f9607422fcb2d595e75
Instruction Fuzzy Hash: 4131E8B1E056588FEB18CFABD8506DEFBB3AFC9200F04C0BAD509A7264DB344A458F51

Function 0832B548 Relevance: 2.1, Strings: 1, Instructions: 881
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 0832B9FC

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 9ea73763eab28288771c586540570253e49096fdee990cc7f226a200c7a5defe
Instruction ID: 1dae3671ddd002115758cf881a8396ea73eea30d0d407dfa166742dc336be880
Opcode Fuzzy Hash: 9ea73763eab28288771c586540570253e49096fdee990cc7f226a200c7a5defe
Instruction Fuzzy Hash: AC629E31E04219CFCB14AFB8E99966CBBB5FB88300F5148ADE446E7364EB349C55CB91

Function 0832BA45 Relevance: 1.8, Strings: 1, Instructions: 508
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 0832B9FC

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 25641ba87bcc89192c605c55829b2c35d74f4933654cc1d4ac0d2d665dca0c75
Instruction ID: daf0e191882eaefc02471d501f53214c6eeb5b3e4cc5414ce13d2422d60cdd86
Opcode Fuzzy Hash: 25641ba87bcc89192c605c55829b2c35d74f4933654cc1d4ac0d2d665dca0c75
Instruction Fuzzy Hash: A212BE31E09254CFCB14AF78E96869C7BF1FB89300F0158AAD44AD7265EB384C56DB91

Function 079DC1C8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 079DC258

Memory Dump Source

Source File: 00000000.00000002.2486805165.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79d0000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: c6108be6571efd6beaeadb2b467141590940a60df902365df4bfe2364f33ecea
Instruction ID: ca6692aed508a0753a985b733a57f15f5068e0fbc0be63cff937b1e65db6b567
Opcode Fuzzy Hash: c6108be6571efd6beaeadb2b467141590940a60df902365df4bfe2364f33ecea
Instruction Fuzzy Hash: 962126B19003499FDB10CFAAC885BDEBBF5FF48314F108429EA19A7240D7789954CBA4

Function 079DD140 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 079DD1BE

Memory Dump Source

Source File: 00000000.00000002.2486805165.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79d0000_SecuriteInfo.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: f09e904e6e9742cdd432071fceb388f23ea542e3f779cfc96216c6e0203d6229
Instruction ID: 96b44fc46d0d840a617eea9f1845177ac7c041a686d3b232c305f49f8af046ee
Opcode Fuzzy Hash: f09e904e6e9742cdd432071fceb388f23ea542e3f779cfc96216c6e0203d6229
Instruction Fuzzy Hash: 9F2129B19003099FDB14DFAAC4857EEBBF4EF88324F14842AD519A7240DB78A945CFA5

Function 079DB378 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64GetThreadContext.KERNEL32(?,00000000), ref: 079DB3F6

Memory Dump Source

Source File: 00000000.00000002.2486805165.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79d0000_SecuriteInfo.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c6106410717556d07dfc4c4890bdc8722ea287c4324374d6a99ad082b2275587
Instruction ID: 4624b64874a70f7ba8a4da5281eae8078288e3e56420033e905aef50cfbedfb3
Opcode Fuzzy Hash: c6106410717556d07dfc4c4890bdc8722ea287c4324374d6a99ad082b2275587
Instruction Fuzzy Hash: F22138B19003098FDB10DFAAC4857EEBBF4EF88324F148429D519A7240CBB89944CFA5

Function 079DC970 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 079DC9E7

Memory Dump Source

Source File: 00000000.00000002.2486805165.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79d0000_SecuriteInfo.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 3bbe59af2b3b24b753f9ba52a73452f2c8ba6ff65ed97c3f3c4e7a2fb9e33efa
Instruction ID: 462f60f36dd0c7e82c3e5d7c2ffb8c1888a55f977b673760be0c17de588ac0c7
Opcode Fuzzy Hash: 3bbe59af2b3b24b753f9ba52a73452f2c8ba6ff65ed97c3f3c4e7a2fb9e33efa
Instruction Fuzzy Hash: 362149B28003499FDB10DFAAC441BEEBBF5FF48320F108429E519A7240DB789940CFA1

Function 079D27D0 Relevance: 1.6, APIs: 1, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 079D284B

Memory Dump Source

Source File: 00000000.00000002.2486805165.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79d0000_SecuriteInfo.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f48015b79c68383fdf305c0257a390d0a3c1cea4c7fe7dc76af4c634e316e13f
Instruction ID: 56e8f6ec4f8583205e719362a455e2d88651573e584d9474abc3836d7b01315b
Opcode Fuzzy Hash: f48015b79c68383fdf305c0257a390d0a3c1cea4c7fe7dc76af4c634e316e13f
Instruction Fuzzy Hash: B221F4B59002499FDB10CF9AC584BDEFBF4BF48320F108429E959A7651D378A944CFA1

Function 075BBAA9 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 075BBB23

Memory Dump Source

Source File: 00000000.00000002.2486113402.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_SecuriteInfo.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1d5f3c08d68fa78cbcfd99508b90b469a87abaaf6dccd016a4068da32b333857
Instruction ID: 919c9647c03ae641dee219aff40a1ad3bdcaa1c94898097fa2473e0bf83a355c
Opcode Fuzzy Hash: 1d5f3c08d68fa78cbcfd99508b90b469a87abaaf6dccd016a4068da32b333857
Instruction Fuzzy Hash: 352127B59002499FCB10CF9AD484BDEFFF4BF48320F108429E559A7250C3B49944CFA5

Function 0831B1D0 Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 0831B240

Memory Dump Source

Source File: 00000000.00000002.2487453766.0000000008310000.00000040.00000800.00020000.00000000.sdmp, Offset: 08310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8310000_SecuriteInfo.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 3819df4eb2b2cc4f424c68204c5ba54e4483c237428ba507812ffee35ea1b78b
Instruction ID: 68e21c85ce45bcafdd70922bcbdfcca5f996f0dcf99301d4d247c1799cec1b4d
Opcode Fuzzy Hash: 3819df4eb2b2cc4f424c68204c5ba54e4483c237428ba507812ffee35ea1b78b
Instruction Fuzzy Hash: D41147B1C0065A9FCB14CF9AD4447DEFBF4BF48720F10812AD918A7240D778A954CFA5

Function 079D27D8 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 079D284B

Memory Dump Source

Source File: 00000000.00000002.2486805165.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79d0000_SecuriteInfo.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: dc5c8930fd71f03dbbd99a21d73131508b6934080409736ee482608a8ea63662
Instruction ID: 2c8fdaac33cdb1d65d80c3bfb447cb980746323f2ce26e070ed431ebacb9fea2
Opcode Fuzzy Hash: dc5c8930fd71f03dbbd99a21d73131508b6934080409736ee482608a8ea63662
Instruction Fuzzy Hash: 4721D3B59002499FDB10DF9AC584BDEFBF8FF48324F108429E958A7251D378A944CFA5

Function 075BBAB0 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 075BBB23

Memory Dump Source

Source File: 00000000.00000002.2486113402.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_SecuriteInfo.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 15903074c1296aaa02b67eae5d9d7f84b7234981b82f7441ef4c228359eafbb0
Instruction ID: b88c8b4946bb152b8f21fa9bba187662fb95c347f2ab22b7046561d6734129e0
Opcode Fuzzy Hash: 15903074c1296aaa02b67eae5d9d7f84b7234981b82f7441ef4c228359eafbb0
Instruction Fuzzy Hash: 7E21E7B59002499FDB10DF9AC584BDEFBF4FF48320F108429E558A7250D778A944CFA5

Function 079DBE50 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 079DBEBE

Memory Dump Source

Source File: 00000000.00000002.2486805165.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79d0000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c04282ee9351790c6b1cd971a9736121080f87dc18deda2a685e6dcc27a6b5d6
Instruction ID: bb463c6c9c2d8316f93421501fc80ca8fe51b4ca6409488c635ad00e01ce27ed
Opcode Fuzzy Hash: c04282ee9351790c6b1cd971a9736121080f87dc18deda2a685e6dcc27a6b5d6
Instruction Fuzzy Hash: A71159B18003499FDB10DFAAC844BDFBBF5AF88324F108419E515A7250C7759950CBA0

Function 079DD3C8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 079DD42A

Memory Dump Source

Source File: 00000000.00000002.2486805165.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79d0000_SecuriteInfo.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: bd5e0b2b64f8ff589248fb9fc1111086af786105294d2f1449d0d14489765331
Instruction ID: b9d16dd5390df23db883f538ea6bf07f3185b3febefa6735d90e2fbe5be3c315
Opcode Fuzzy Hash: bd5e0b2b64f8ff589248fb9fc1111086af786105294d2f1449d0d14489765331
Instruction Fuzzy Hash: B6113AB19003498FDB20DFAAC44579EFBF5AF88724F24841AD519A7240CB75A944CB95

Function 079DFD90 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 079DFDE8

Memory Dump Source

Source File: 00000000.00000002.2486805165.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79d0000_SecuriteInfo.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 4b46cdf5acc23e4806850fe285cf8946fe1e545109cfd89e5f6bcce332011de8
Instruction ID: 6a43dabdbe39ef0794b09e4b200d93ee5465ba94192cf37d8c2c811ea2c7f47a
Opcode Fuzzy Hash: 4b46cdf5acc23e4806850fe285cf8946fe1e545109cfd89e5f6bcce332011de8
Instruction Fuzzy Hash: 0D1133B180034ACFCB10DF9AC545BDEBBF4EF48320F20841AD569A7240D778A944CFA5

Function 079DBA20 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 079DDA15

Memory Dump Source

Source File: 00000000.00000002.2486805165.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79d0000_SecuriteInfo.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 13b23f5cb4bab870136738d10f84ac8f657fee00e86db382da9775d098b5451b
Instruction ID: fcda56cc544c80fe3d75c4659dc6b31c9a162fb699ec28bbbd1655fe6abe9823
Opcode Fuzzy Hash: 13b23f5cb4bab870136738d10f84ac8f657fee00e86db382da9775d098b5451b
Instruction Fuzzy Hash: 0D11F5B5904349DFDB10DF9AC945BDEBBF8EB48324F20841AE519A7200D3B5A944CFA1

Function 01349230 Relevance: .8, Instructions: 823COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65c3fb5c690c98845230e55276640c05f24d6f7727c19b5f4757f5321dc14f96
Instruction ID: 742c2454bf6911a33bd85adb7db830e0028a141390c7b73888c0165624bb04fb
Opcode Fuzzy Hash: 65c3fb5c690c98845230e55276640c05f24d6f7727c19b5f4757f5321dc14f96
Instruction Fuzzy Hash: 8B722070A00219CFEB149BE4CC60B9EBBB6FB88304F1080A9D61A6B395DF359D81DF51

Function 08320E99 Relevance: .6, Instructions: 567COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b13aeb9b39c2b1062df66ed248dede3a7faedeb4f3604ee9f089e28c7d0c3e4
Instruction ID: 48c7dfa7d3ae48867853ddf1b5cb87b133084dca67923b28456a0acf1b1791c7
Opcode Fuzzy Hash: 5b13aeb9b39c2b1062df66ed248dede3a7faedeb4f3604ee9f089e28c7d0c3e4
Instruction Fuzzy Hash: AB227B70E10215CBCB48BBB8D598A5DBBF6FB88300F90846DE449E7355DE34AC89DB91

Function 08320EA8 Relevance: .6, Instructions: 561COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d1f2b208f052f77976f2e154522511333a38c4a653d06164009ee8ce099bbfc
Instruction ID: ea3854da49c217068a74bdba997769e1f85c543af7275fb2b8c8852efbda820f
Opcode Fuzzy Hash: 8d1f2b208f052f77976f2e154522511333a38c4a653d06164009ee8ce099bbfc
Instruction Fuzzy Hash: 68126B71B10215CBCB48BBB8D598A5DBBF6FB88300F90846DE449E7354DE34AC89DB91

Function 0134ACC1 Relevance: .5, Instructions: 482COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38885f6b53cb535890637688488230f7bdee301042100927a81eece733a14806
Instruction ID: 0b58d79f5da92fd9bb8d66ae842d3d149b221620b0cdcc6ac1c43beff6316948
Opcode Fuzzy Hash: 38885f6b53cb535890637688488230f7bdee301042100927a81eece733a14806
Instruction Fuzzy Hash: 43F1AE30344201CFEB299B3DC85873DBAEAAF85649F1444AAE113CB7B9DB65EC81C751

Function 0832ADF6 Relevance: .5, Instructions: 452COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c749de5cff015798d37cef9dc94888736c462dac0a7129d2c35ecf43d84ecf68
Instruction ID: 08c73810627eb34c146aafdd46be7fa4347ec52ac69ba26c34ca23b77c6b838e
Opcode Fuzzy Hash: c749de5cff015798d37cef9dc94888736c462dac0a7129d2c35ecf43d84ecf68
Instruction Fuzzy Hash: 88E11330A04265CFCB05BBB8D85862D7BB6FF8A310F4545ADD445DB3A6DB389C09C791

Function 013468F8 Relevance: .4, Instructions: 433COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48a6f1627f7bed23ed1aabb6b3414432679691199649067fe897f3076200174b
Instruction ID: a00809ecc07605cd70ce218180b38d2c9c3a3880ad50425edae04e20fc1f746e
Opcode Fuzzy Hash: 48a6f1627f7bed23ed1aabb6b3414432679691199649067fe897f3076200174b
Instruction Fuzzy Hash: 0CE1DCB07002159FDB29AF68CC55B7E3AE6BBC9744F148429E506CB391CB74EC81CB91

Function 08320620 Relevance: .4, Instructions: 419COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93688b3ec070453524da95b3c7f6cc3eb0cddeda412529ac55065ef1d54012a8
Instruction ID: 370b3bd035338a66e3354567c38b47b5cdb4ca7cb686d01b2b264e74eccc2ca8
Opcode Fuzzy Hash: 93688b3ec070453524da95b3c7f6cc3eb0cddeda412529ac55065ef1d54012a8
Instruction Fuzzy Hash: C2D1D171B102158BCB08BBB8D8A966E7BB6FFC9200F41496DD446E7395DF388C09C7A1

Function 0832A1E0 Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93de186f0f0a66f3b877f617233b1280ba3c727f6294f40211f0166297da2fc1
Instruction ID: eea771b69b9a7356e94571e2b611ead15f799da77c99459809b72233d64a2f07
Opcode Fuzzy Hash: 93de186f0f0a66f3b877f617233b1280ba3c727f6294f40211f0166297da2fc1
Instruction Fuzzy Hash: 31C1A031B10226CBCB08BBB8E99962DBBF6EB88200F45496DD845E7354DF399C49C7D1

Function 0832B537 Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 418d11c0bc0dbdca576358571a2cef46c73a2485854e592f9bfa663f71ea23f6
Instruction ID: c235fd9e49c34d07fe1dc174767ddf0d78086495c6040a6300eae3b3274bbec3
Opcode Fuzzy Hash: 418d11c0bc0dbdca576358571a2cef46c73a2485854e592f9bfa663f71ea23f6
Instruction Fuzzy Hash: 5FC18F31E10209CFC708BBB9E59962DBBB6FF88210F51886DE446D7365DE359849CB90

Function 0832AE64 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62532cefd6677029a9fa3bfabb0034c987e21119819728bafe8541742f594099
Instruction ID: a68047113076afe92debb33ced7689faa18e783cf65a6a492b5218c7b2d10209
Opcode Fuzzy Hash: 62532cefd6677029a9fa3bfabb0034c987e21119819728bafe8541742f594099
Instruction Fuzzy Hash: D0B1E030A00215CFCB08BBB8E89866DBBB6FF89310F51456DD446EB3A5DB389C59C791

Function 0832AEA7 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37e68782895e108566ca76f9125bae8e88a6a338353fe6aa3da4df045816fc42
Instruction ID: 34d553b7a367ff41a93f05f381241e40f436874993ae3fdde257112c36687c48
Opcode Fuzzy Hash: 37e68782895e108566ca76f9125bae8e88a6a338353fe6aa3da4df045816fc42
Instruction Fuzzy Hash: CBB1BD31A00215CFCB08BBB8E99862DBBB6FF89310F41496DD446EB365DB38AC55C790

Function 0832A197 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5b744b5ca47b313b8f84b8b681266cb5d86a8eac54ca8af7895af9e24125789
Instruction ID: 44f77db9dbc5ae4cfb9ecd25aa66b53931350a2ad869092a0194959fb45054e9
Opcode Fuzzy Hash: e5b744b5ca47b313b8f84b8b681266cb5d86a8eac54ca8af7895af9e24125789
Instruction Fuzzy Hash: 71A1C131A00226CFC704BBB8E99962D7BF6EF89200F4548ADD846D7395DF399849C791

Function 0832A1D1 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdd9b793acb5b1b71f5934d010b159fc70c5a9d98b26ac7b603763df38290f5f
Instruction ID: c476de744ac99e12962c3dcef1ceb053ded665cb97d3d550a5c91fd3c1f9d5ae
Opcode Fuzzy Hash: cdd9b793acb5b1b71f5934d010b159fc70c5a9d98b26ac7b603763df38290f5f
Instruction Fuzzy Hash: 76A1AF31A00225CFCB04BBB8E99962DBBF6EB89200F45486DD846E7395DF399849C7D0

Function 0134CDA8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e119d8ae0a5370086ba3bcc39b8840062bbaf9052246b52a56cee8d3c45266d
Instruction ID: 91715012a5e47a424c3eccee06385c17b0156c272d6ae778deb39c12f9053bd5
Opcode Fuzzy Hash: 7e119d8ae0a5370086ba3bcc39b8840062bbaf9052246b52a56cee8d3c45266d
Instruction Fuzzy Hash: 8DA1DE317012059FCB12CF68C880AAEBBFAEF89314F148466E944DB366D731EC45CBA1

Function 0832D3A8 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52e788d2e13fa54c016c2ff88b884155bbde4fb11ebb4575b1d998c3cfbb5586
Instruction ID: ecdb90033f4544ce9bb70d08d381540d3ca56f91296a38a581b2e71f0d2cd829
Opcode Fuzzy Hash: 52e788d2e13fa54c016c2ff88b884155bbde4fb11ebb4575b1d998c3cfbb5586
Instruction Fuzzy Hash: 05918E31B1411ACBC704FFBCE958A6E7BBAFB88200F90886DD445E7258DB399C05D7A1

Function 01346FE8 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e15cc68a7a83f0c1124fb174bb53ef9441cf88e8ba2358a62fea0df66707eb9c
Instruction ID: e60729f266274bc11704b455ed3fe9143a09b5a47e15b8ce893893158fcabba9
Opcode Fuzzy Hash: e15cc68a7a83f0c1124fb174bb53ef9441cf88e8ba2358a62fea0df66707eb9c
Instruction Fuzzy Hash: 96819034B0010ACFDB18CFADC884AAABBF6FF89218B158569E515DB765D731F841CB90

Function 0832D06C Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fdc5bd378dae0fe7712feedc675accbe7141f0d35ee9fc9e605423bb7beedcc
Instruction ID: b0083c5f7b08ee83902369a5e380dc9bb7a71a7c15879c3aae0ef62bd15b5c38
Opcode Fuzzy Hash: 5fdc5bd378dae0fe7712feedc675accbe7141f0d35ee9fc9e605423bb7beedcc
Instruction Fuzzy Hash: 0571D031B1021ACBCB04FBB8E999A2EBBB9FB88700F41496DD545E7255DE349C58C3D1

Function 01348EF0 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd99a3b8ed20789af10eae4bd57b7e303f4158111ffe83b4a3368d93f629ad6d
Instruction ID: 75248f0085b0850e2eefc9aceb63d00927a7783c431741ecc54520ba6672677f
Opcode Fuzzy Hash: fd99a3b8ed20789af10eae4bd57b7e303f4158111ffe83b4a3368d93f629ad6d
Instruction Fuzzy Hash: 917180313041599FDB14DF7DD894A6B7BEABF8920C70584A9EA06CB262EB31FC45CB50

Function 01344B43 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04db130ce4697ac01d501b9718fb11513ea3ac8fde79022af3f3354584bae662
Instruction ID: 1e1bbc871a4170bea97f39dcf129b41997161a3e730dc966eb55614f16b05b02
Opcode Fuzzy Hash: 04db130ce4697ac01d501b9718fb11513ea3ac8fde79022af3f3354584bae662
Instruction Fuzzy Hash: EC91D074D04228CFDB24DFA9C844BEDBBF6BB89305F1480A9D459AB262DB746D85CF10

Function 0134C238 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1407062eda3f037e204058bd65b90cc546befdaa01c6a7639475ba09577c7fb7
Instruction ID: 083d105cd23f73ccfba8729dc2cd7b36965d7d9803b41654d99da77579a42360
Opcode Fuzzy Hash: 1407062eda3f037e204058bd65b90cc546befdaa01c6a7639475ba09577c7fb7
Instruction Fuzzy Hash: 33716830701205CFDB25DF6DC894A7E7BE5AF89608B4910AAE906DB372DB74EC41CB91

Function 0134AA1C Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eba7edb7d5b8ef0564d0ec2b62bc64f4abac6444e2305d104977d5c0a3403d52
Instruction ID: beb9d91c73452cc073232123b08f061acc23ec75ee10a34aa52900efa6ac236a
Opcode Fuzzy Hash: eba7edb7d5b8ef0564d0ec2b62bc64f4abac6444e2305d104977d5c0a3403d52
Instruction Fuzzy Hash: EC4123717443459FEB169F68CD10BAE3BE2FF86308F01486AE586DB291DB799C01CB52

Function 0134A800 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 864f982b40515ca8e7d69c9098b2693363ff3abc089005a767117f48f54ad5ef
Instruction ID: 33de3a09fa3f0412fde4ec62ddf57d323f3146e71c0af5698d4abc770c3cd523
Opcode Fuzzy Hash: 864f982b40515ca8e7d69c9098b2693363ff3abc089005a767117f48f54ad5ef
Instruction Fuzzy Hash: F241D23574424AAFDB069F68D854AAA7FF6FF48214B044069F906DB261CB31EC62CB90

Function 013457F0 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9942c6025851c43fd26655cd42a8ec9c572af0cc28e61d952b6c06c445e44c19
Instruction ID: 5e1aca38611761d5210e8d0b864f298858b2648902b472f77eb53ad2b83de9de
Opcode Fuzzy Hash: 9942c6025851c43fd26655cd42a8ec9c572af0cc28e61d952b6c06c445e44c19
Instruction Fuzzy Hash: 7E41D2B4E05208DFDB04CFA9D484AEEBBFAFF89304F109069D515A7264DB356A45CF50

Function 01348CF0 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68eb4b1d967775d214421930f30df4b44dce13e5d4a0802dc24abf1246f17620
Instruction ID: 86a42f16abe00bb9ea3a4e0641977704804e66a565e64dc93a9130a85694ec5a
Opcode Fuzzy Hash: 68eb4b1d967775d214421930f30df4b44dce13e5d4a0802dc24abf1246f17620
Instruction Fuzzy Hash: F8413875600119DFCB15DFA9D858AAA7BB5FF89318F1000A5EA46CB3B1CB30ED51CB90

Function 08321867 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aa636c1e8823fcdebcfd43df8cbe32f5382bf65aa4dc701370e219f78aebf6b
Instruction ID: cd05981f8d60c6ef16a3397b4060d0cfb013a2ec570b219b276a89ac0dc58e7e
Opcode Fuzzy Hash: 7aa636c1e8823fcdebcfd43df8cbe32f5382bf65aa4dc701370e219f78aebf6b
Instruction Fuzzy Hash: 4131A131B042158FC708BBB8E49892E7BFAFFC9210B51486EE446DB3A5DE359C09C791

Function 013457E0 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc7a8a2b6ad4da9cd8f7d9e8387a16d2dbe7e4b5c72d799dad3947fb3dcc005b
Instruction ID: eb03860f3d712c1314e4c7a82628e6ebff920da1a75307f67455d62f34867a10
Opcode Fuzzy Hash: cc7a8a2b6ad4da9cd8f7d9e8387a16d2dbe7e4b5c72d799dad3947fb3dcc005b
Instruction Fuzzy Hash: 1641C1B4E05208DFDB08CFA9C884AADBBF6FF89304F14906AD515AB361DB35A945CF50

Function 01344560 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cf84f579dcdc1cf7d4e3adb02a4be01a7ea3d48f7b4763104a599f0036429d6
Instruction ID: 62dbd9365a57b6d667542a66e4707f13bf4be4438943f4817a8e2a1016d567a2
Opcode Fuzzy Hash: 6cf84f579dcdc1cf7d4e3adb02a4be01a7ea3d48f7b4763104a599f0036429d6
Instruction Fuzzy Hash: 83314BB4D00259CFEF08DFE8C5487AEBBF0AB08318F104579D515A7291D3B96A84CFA1

Function 013459C0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a853fad0ada521434318e47d1590b21b929a70d412ce7a26a712385d2be46c6
Instruction ID: 9ef2f4a3627e4c4e2a0e51d84f93221f2b41d155d71fba91d65d3460ca21876b
Opcode Fuzzy Hash: 8a853fad0ada521434318e47d1590b21b929a70d412ce7a26a712385d2be46c6
Instruction Fuzzy Hash: C0314135B0021ADFDB169F68DC949AE3BAAFB89318F008024F9169B354CB75DC61DB91

Function 08320067 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4278ee9d0bc71f195d55ad65a0668dc984316d3462dd274ad2dc6bc9765a4c53
Instruction ID: 9a2c470fe8bb14717026dec28c9f1f0428dbfc4c540112551a67c88a9e805c81
Opcode Fuzzy Hash: 4278ee9d0bc71f195d55ad65a0668dc984316d3462dd274ad2dc6bc9765a4c53
Instruction Fuzzy Hash: 4F417F34900B09DFCB15EFA9C89469DFBB1FF89310F14C65ED4496B261EB70A985CB90

Function 08321880 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f0d03e16365fb39742728f1f7b95b9f44c20642ef6a28c0b5dcf38a1072404f
Instruction ID: 8fa7fdf4e1278f55938b7e2906ad59c4678e22f9b6664bf6c38f282ce7d6813e
Opcode Fuzzy Hash: 5f0d03e16365fb39742728f1f7b95b9f44c20642ef6a28c0b5dcf38a1072404f
Instruction Fuzzy Hash: 6121A071B101168FC708BBBDE998A2EB7EAFFC8650B51486DE406D7354DF359C098391

Function 08320257 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e85d1cd8f919ba1d292a4c92325bcaa393669ad4aecd4c84a0271a95c2f3cd4f
Instruction ID: 37d72d72bf22585f35a5ec57a43a92edbe75b22f2d8638d0f24274ff74e657b0
Opcode Fuzzy Hash: e85d1cd8f919ba1d292a4c92325bcaa393669ad4aecd4c84a0271a95c2f3cd4f
Instruction Fuzzy Hash: C5313470D04258DFDB28DFAAC488B9EBBF1BF88714F24841AE545AB240C7B46845CF61

Function 01349111 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9087dcf63260e99c722b274a98cb88d71186792129f806127c33a7ec99d4b577
Instruction ID: 252563b9ade45a07f1428001868db801472e5894ac2da7543129a6c92ef9e2ad
Opcode Fuzzy Hash: 9087dcf63260e99c722b274a98cb88d71186792129f806127c33a7ec99d4b577
Instruction Fuzzy Hash: 8621C4313042454BEB261B398C5877F7ADAAFCD54C718407DD902CB766EA25DC51E781

Function 01349120 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5b8a6fddbd6fb713a6040373744b784e1ecb337422828bbe463df749ef426ed
Instruction ID: b93039e0c2be30840410c13ceddbf45c66289f79160a267ca8eb696aa17ab739
Opcode Fuzzy Hash: e5b8a6fddbd6fb713a6040373744b784e1ecb337422828bbe463df749ef426ed
Instruction Fuzzy Hash: 4421A4313042154BEB291A298C5877F3ADBEFCD65DF144039D502CB795EE66DC51E381

Function 0832CF70 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d123c41abdc6ec09d0b2cd0bc8ec3a807e10dc4ffbe43710188f59125b1cbbc
Instruction ID: e81cc66f97aff212132d02e72325d88870c4e386bf7ac38fbda7072ecfe6e464
Opcode Fuzzy Hash: 9d123c41abdc6ec09d0b2cd0bc8ec3a807e10dc4ffbe43710188f59125b1cbbc
Instruction Fuzzy Hash: D521D332B042268BD304EBB8E995A2E77BAEB89214F41896ED409D7354DE359C05C391

Function 08320284 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bb0f1c3d4af91997355dd43be6f2a1602574463656a3549be06c933074d60c5
Instruction ID: 48828d60e5539d07bc897342d44e26eb55145cc203bd22200be9576c069c86bf
Opcode Fuzzy Hash: 2bb0f1c3d4af91997355dd43be6f2a1602574463656a3549be06c933074d60c5
Instruction Fuzzy Hash: B13102B0C05258DFDB24CFAAC598B8EBFF4AF48714F24845AE544BB250C7B55845CFA1

Function 013468D8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7f0f47266e948d182a3d3dc78c2811fc015340580c088377477fabb47af07c3
Instruction ID: 3280ea22878b83d2427535e54869e97cbd523a1ede2382a6096fe6923e604eaa
Opcode Fuzzy Hash: e7f0f47266e948d182a3d3dc78c2811fc015340580c088377477fabb47af07c3
Instruction Fuzzy Hash: FB2145B5608215CFCB15DF68D845699BFF1EF82318F0881AAD406CB252D770ED55CB91

Function 01346E40 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04e2e630c688052af6edc622ea1da7ee9bcc2d8b0c7a556080b4c3d24f59d787
Instruction ID: 01315c65b00f46478c4332856b7478deabb55c416c9cc2f761cc5ca6853ea2d1
Opcode Fuzzy Hash: 04e2e630c688052af6edc622ea1da7ee9bcc2d8b0c7a556080b4c3d24f59d787
Instruction Fuzzy Hash: 202100717006128FC7399F28D86452A7BE6BF867587054179E80ADB3A4CF31EC418BC0

Function 0832CF80 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 448f003af0c19e7010314127508cb7ce75079d3ef2ad492334a1cff550a7b9d9
Instruction ID: 67ec998cb1f3244076fb31b5e5ad8764a50500abb706cec0dc9e4fb32bee3111
Opcode Fuzzy Hash: 448f003af0c19e7010314127508cb7ce75079d3ef2ad492334a1cff550a7b9d9
Instruction Fuzzy Hash: 1511D232B101268BD704BBBCE999B2E77AAFBC8214F81892DD409D3354DE399C05C391

Function 011ED01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472745194.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11ed000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3f76dcfba9799e94fad1c62c3f33c16f1f6457188a5fb792794d9fa75b01a38
Instruction ID: f9c3825fe6e7c1c6380d176cb3bb6be3fb1befbc427d593fb218ad0c8b432c2d
Opcode Fuzzy Hash: b3f76dcfba9799e94fad1c62c3f33c16f1f6457188a5fb792794d9fa75b01a38
Instruction Fuzzy Hash: 0D210075604600EFDF19DF94E988B26BFA1FB84314F28C56DE90A0B252C77AD446CA62

Function 011ED1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472745194.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11ed000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7a8b10f4f47e7b5d9d3862b63069a3f1678439ec80132af1c19d17e1ec56202
Instruction ID: 0a4792fae1f0a67de27d35923aaca07a4fdb00b3c78ae87218ce14ef1f9f8fcc
Opcode Fuzzy Hash: d7a8b10f4f47e7b5d9d3862b63069a3f1678439ec80132af1c19d17e1ec56202
Instruction Fuzzy Hash: 5E213475504601EFDF09DFD4E9C8B26BBA1FB84324F20C56DE90A4B292C376D406CA62

Function 083202A0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a65dcd3d0edf7310b8a53b0fe5d77c9c3ce0333364c296f7123191f81a06d95
Instruction ID: 03d92cb05111aff0214b41d97ccb6622b926cd7a95411108e7ef504867414dd8
Opcode Fuzzy Hash: 7a65dcd3d0edf7310b8a53b0fe5d77c9c3ce0333364c296f7123191f81a06d95
Instruction Fuzzy Hash: ED31F2B0C01218DFDB24CF9AC598B8EBBF5BF88714F24801AE544BB250C7B5A845CFA5

Function 0134CA19 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d4dd72425a2754d84aa83bd1d0039d6bc35ae14f8e032736d917fc283cea05e
Instruction ID: c94d990a1a7aa988884c8b77433ac517ab750deeb167baa009eee0f75f77b546
Opcode Fuzzy Hash: 1d4dd72425a2754d84aa83bd1d0039d6bc35ae14f8e032736d917fc283cea05e
Instruction Fuzzy Hash: B0214C71E0125CDFEB15DFA9D850AEEBFB6AF48304F14902AE851E6254DB30E940DF60

Function 0134FEB0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81af7ab86956ed6a2130e7d37facc553e9ba2529326265abf330d8bc51ff14d8
Instruction ID: 7cdca08c99d17c2e84e9a545b23d3c825753f56a0a5ef34594aacbfeae1aa160
Opcode Fuzzy Hash: 81af7ab86956ed6a2130e7d37facc553e9ba2529326265abf330d8bc51ff14d8
Instruction Fuzzy Hash: 1611BF343002245BE704AB29C42576F76D7EBC8B0CF204029E706CB7E5CDB5EC055791

Function 011ED006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472745194.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11ed000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 328fd6043ad0ede52296deecaf1699060d9917d038c093fc624d699ea8e8fd45
Instruction ID: a95e40e19d333c4019d5b4898418d1f157c1b803189d618bc00aec6252e680b6
Opcode Fuzzy Hash: 328fd6043ad0ede52296deecaf1699060d9917d038c093fc624d699ea8e8fd45
Instruction Fuzzy Hash: A42192755097808FCB07CF64D994715BFB1EB46214F28C5DAD8498F6A7C33AD80ACB62

Function 0134E789 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6702b80369c2ef9b389e0ba55a1d0ac818f52adecec7132e2ac1fa804ca9e5b
Instruction ID: 7fcfba340947b34e749c2e8ac46dd072a66cb5d7a9ef8fa3dcc627cd5fe41059
Opcode Fuzzy Hash: e6702b80369c2ef9b389e0ba55a1d0ac818f52adecec7132e2ac1fa804ca9e5b
Instruction Fuzzy Hash: B7214A70E0020DDBDB09DFA4C8106EEBBB2FF89324F10806AC415B7290DB795945CBA0

Function 0134A850 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47402871c13e68a28e35a231f0d63bd23c6ddcc58613a2671b688a2453e6ddb2
Instruction ID: 23c190a9bcd46f364fc53366c1c5a1bf0b211b9b1a790f2b29caca20d3640c7c
Opcode Fuzzy Hash: 47402871c13e68a28e35a231f0d63bd23c6ddcc58613a2671b688a2453e6ddb2
Instruction Fuzzy Hash: E611EF3168430A9FEB06DF18D804AAA7FE5FB44314F00402AF906CB352CB31ECA6CB91

Function 0134E798 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb59ee635bace7abb582ed61ef83ffc6cc9a782023900c208ddfc9966178f6e
Instruction ID: f2f3b3a0f3fed22a227e4419098032474c7eec1db566444b6c56e4e1f83d620b
Opcode Fuzzy Hash: 0eb59ee635bace7abb582ed61ef83ffc6cc9a782023900c208ddfc9966178f6e
Instruction Fuzzy Hash: 63112974E0020DDBDB08DFE9C4506EEBBB2FF88324F10846AD525A7350DB38A941CBA0

Function 01346E50 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 134ba86f077b7bb7f8b29a3f61f8e70b7de4a0bc532e45ac1431731b9b00cc92
Instruction ID: 6c90e040a7e85618d9969ca29219efcd703ef645791c93241e0525bb9827b83d
Opcode Fuzzy Hash: 134ba86f077b7bb7f8b29a3f61f8e70b7de4a0bc532e45ac1431731b9b00cc92
Instruction Fuzzy Hash: C711E1753016129BD7395E2DD86892ABBEABFC66543054178E90ADB3A0CF31EC4187D0

Function 01349DB8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ed96ad3d7faf5219b947b9a5e29f812f3a3c044a9d7669536e432783b788436
Instruction ID: 33cd79abb8db789b700d0b1c951c0f569c470ffd4dd485a5e6ab36eab759164b
Opcode Fuzzy Hash: 4ed96ad3d7faf5219b947b9a5e29f812f3a3c044a9d7669536e432783b788436
Instruction Fuzzy Hash: 941160757002049FCB24DFA9DC44B9EBBFAFB8C314F144069E906A7394CA71AC51CBA0

Function 08320610 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 357ebcbc839dcad137b5b92697ad76ace4d8cbc3136564639df22fa72ce4c462
Instruction ID: 39ebdf700cc1cbfb4163667562ca38c0301e825c605a4254f2b7a83d9b5c378b
Opcode Fuzzy Hash: 357ebcbc839dcad137b5b92697ad76ace4d8cbc3136564639df22fa72ce4c462
Instruction Fuzzy Hash: EB01F7767046255B8B0EF6698CA047FB7EBEFD5552306843ED018C7340DE349C0287A4

Function 0134A958 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc5371d23e58e9f44c2b3846d040be383522a34442b86ac30db9cbd52c16cf56
Instruction ID: de4ebc9956526daadf5994b398603b80b508e37a9ef7b3f427052eae67faa17d
Opcode Fuzzy Hash: fc5371d23e58e9f44c2b3846d040be383522a34442b86ac30db9cbd52c16cf56
Instruction Fuzzy Hash: C50149317042896FCB028FA85C10BAF7FEBEFCA200F08805AF506DB281CA31DC119791

Function 011ED1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472745194.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11ed000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 0a4b1c5df3d2ecbafde1e073a6eae6a971ee3febf80f52b7749d91edd7093310
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 9611BB79504680DFCB06CF94D6C4B15FBA1FB84224F24C6A9D8494B2A6C33AD40ACB62

Function 01346F22 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e335253b3fbaf546179c66f3e368bba4d53ff5bac7c2adb4a187063bb5456eca
Instruction ID: bb3167d31dee55c674e8da528ca3352544bdb0524df6df6aafdbe178632470e9
Opcode Fuzzy Hash: e335253b3fbaf546179c66f3e368bba4d53ff5bac7c2adb4a187063bb5456eca
Instruction Fuzzy Hash: AE0147B27043158FD3145F6DE45079A77D5FB92768F4500BEEA09DB391CB22EC058390

Function 011DD789 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472705833.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11dd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 369ddda7f92c5df2b7adba73ad6c519e6af6ec2a68274c0c3eda21f3d617e040
Instruction ID: e523226467ce8de98f14a2030ecb88b1f29d8da5d4c63a5b2be2efdab8ebe4fc
Opcode Fuzzy Hash: 369ddda7f92c5df2b7adba73ad6c519e6af6ec2a68274c0c3eda21f3d617e040
Instruction Fuzzy Hash: 4A012B71005784DAFB188BA9ED80B67FF98DF41368F09C49AEE094A1D6C7B89840C672

Function 01348E38 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c8f7506339cfc37c56a5ae417c5f821947605ef515e689e8158283c566b7bfe
Instruction ID: e8efdda06a074fd90d47d839b9e57742345d3534e0650e9be36bfe54c17f651f
Opcode Fuzzy Hash: 9c8f7506339cfc37c56a5ae417c5f821947605ef515e689e8158283c566b7bfe
Instruction Fuzzy Hash: E4F062313005104BD7355AAE9848A2ABBDEBFC8A9971544B9EA49C7362DE60EC428790

Function 011DD788 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472705833.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11dd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68904879077c0e862322dc90512d6a87237887cc6a576236eeae641b781d90cd
Instruction ID: 481201fea8acca2a4413d47d8481418b67ee3e4a29f6c50efc5bafab4d2dd7e1
Opcode Fuzzy Hash: 68904879077c0e862322dc90512d6a87237887cc6a576236eeae641b781d90cd
Instruction Fuzzy Hash: 1CF0C8714053849AEB148B5ADC84762FF98EF40628F14C45AEE084A286C3795840CA71

Function 08320508 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf95fc4733363180da23aee079fcc821d39d90c6d719f84897b470d116c51b99
Instruction ID: fccf4da51d98e1bf5ff336c9edc2284e89befbd834f8c879263af85626e8c3c7
Opcode Fuzzy Hash: bf95fc4733363180da23aee079fcc821d39d90c6d719f84897b470d116c51b99
Instruction Fuzzy Hash: 38F0E2317082545FD3048B6AAC44D6BFFE9AFD962071440BFE045D7362CAB09C05C764

Function 08320557 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f989bae0c982bdc1049b03c93400160c7cca312196b65c971d7c9ea18b9c8231
Instruction ID: 948d19ee81e7889e3b49ae2e5b70ae7f6bacfc469ec97b5c5feee02d06e9b5ee
Opcode Fuzzy Hash: f989bae0c982bdc1049b03c93400160c7cca312196b65c971d7c9ea18b9c8231
Instruction Fuzzy Hash: 97F0A0353082405FC311CB2AE894D56FFA4EFCA26071540EFF54ACB7A2CA20AC46CB60

Function 08320518 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0de675aedfb475605aab903c9e41e55baaadd66d5e85c3a4aa520b96ac0a0d66
Instruction ID: 296975c7b1b8633e60a23e2e7e6739a7693c62612f66ccafa5dabe91ae9cb512
Opcode Fuzzy Hash: 0de675aedfb475605aab903c9e41e55baaadd66d5e85c3a4aa520b96ac0a0d66
Instruction Fuzzy Hash: 5BE092717002186FD3049A5EDC40E6BFBEEFFD9A20B21807AF508D7360CAB0AC0186A4

Function 01345390 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e9f9ddb020ac37c73369b2e274ce77e7d9443b6c28a9d9180e42318bc594a94
Instruction ID: cc177c23e6ff82134846a221deb8900d290bd572a00e1592e04727144cf5d749
Opcode Fuzzy Hash: 3e9f9ddb020ac37c73369b2e274ce77e7d9443b6c28a9d9180e42318bc594a94
Instruction Fuzzy Hash: 92F08570C09349DFCB01CFB8A40828CBFF0AF0A314F2481AAC804E7221E3B14A80CB00

Function 0832CF33 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a0e852367e45c4e82df4f61c4f9de4700b6dad4b6379011ccf2ba45161d5e46
Instruction ID: 78e0cdb62573e2309cc43bf1fd86a64327f30ffc3f1e517338714f61f64fa356
Opcode Fuzzy Hash: 0a0e852367e45c4e82df4f61c4f9de4700b6dad4b6379011ccf2ba45161d5e46
Instruction Fuzzy Hash: 3BF0522144F3D19FD743AB6498655917F70AE1325474A04CBC4E6CF0A7C62C295ADB22

Function 0832A050 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11c6b1867cc848b7cef3ff11d6c5830e369df9baada3bfcae9306565c77cdf0a
Instruction ID: a8612811d85469b723dd4d4cefe49ccf14dbf6e7b0e4b0edae13d3b83a96f277
Opcode Fuzzy Hash: 11c6b1867cc848b7cef3ff11d6c5830e369df9baada3bfcae9306565c77cdf0a
Instruction Fuzzy Hash: 9BE0E534206315CFC726AF70EC284B97B76BF6721234494AEE40BC61A6CB76A865CF11

Function 08320568 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adc35f76d807f9904e14dc9e315df67bf97bcfb4f1172a6596ad3f01b98d8d1d
Instruction ID: 958b23939c995e40fecc4b12846ac2be91dfadb6e155ad32055e6afc4f7f3672
Opcode Fuzzy Hash: adc35f76d807f9904e14dc9e315df67bf97bcfb4f1172a6596ad3f01b98d8d1d
Instruction Fuzzy Hash: E1E0EC763046146FC3149A4FEC88D46FBADEFC9771B55806AFA09C7361CA71AC41CAA4

Function 01347287 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b054572b079357e3c77e4ab28098c784adc91428d2df8d30f67e034753e7429
Instruction ID: 1b8f2a662dd72f56118b724761a4f7c5fcd1088d9741327ed2b9aef92060e030
Opcode Fuzzy Hash: 2b054572b079357e3c77e4ab28098c784adc91428d2df8d30f67e034753e7429
Instruction Fuzzy Hash: DFE0863400868BCBC7069B709C64185BF72ADD230031892F5D4459E127CABA585A8741

Function 01349C98 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 522011fca1421da705c90db2521228f05a60a976d6b6e6d5e09a5ce5689295b9
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 6DC0123364C2282BE625204E7C40EA3BBCCC2CA2BDA210137F95C832009842AC8003E8

Function 01349E65 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95a2f0fa25f001623258da5a0290f75d893ccd552d57fbcb5d0b0ef37ca8ef54
Instruction ID: 230dfc4121fd4899d52a34d47c04f4cf0594bc39ea931f589e74df3bc68ad568
Opcode Fuzzy Hash: 95a2f0fa25f001623258da5a0290f75d893ccd552d57fbcb5d0b0ef37ca8ef54
Instruction Fuzzy Hash: 0ED0673AB001089FCB14DF98EC409DDF7B6FB9C221B048126E915E3264C6319925DB50

Function 01347298 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09ea842f9ed8c841942a6d2e2c7bc432eba953e79b3410f35d68c08997e6b89c
Instruction ID: 29ad571eb5f0081814aa92773aed71ae976d4de3d94e63161134a36fab759f88
Opcode Fuzzy Hash: 09ea842f9ed8c841942a6d2e2c7bc432eba953e79b3410f35d68c08997e6b89c
Instruction Fuzzy Hash: 89C0123010420FC6D609F7B5FC545193B2AAAD0304740A538D1099E229DFFC18594691

Function 0832F298 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30bb5e4e08834e9a96d3d2de69a2c487e2faedabcdfc72c8db246c44e1565b95
Instruction ID: a0158cee5c6d8ef328c45f22ef56b4809a94e40f3404e97671b1561e52570be3
Opcode Fuzzy Hash: 30bb5e4e08834e9a96d3d2de69a2c487e2faedabcdfc72c8db246c44e1565b95
Instruction Fuzzy Hash: 84D0627090111ACBCB94DF65C99179DB7B6AF84200F0055AA901DB7214DB745A458F55

Non-executed Functions

Function 075BD718 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

tI'5, xrefs: 075BD7C9
tI'5, xrefs: 075BD7E0

Memory Dump Source

Source File: 00000000.00000002.2486113402.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: tI'5$tI'5
API String ID: 0-1618107
Opcode ID: 198fa59a296a787b5fb1760c8c4d451e468ab4aca3f2440091634e7adff1fd14
Instruction ID: 54d2902a926e40594f8b96b2b98dc141a3048eb43ceea6222f80d256fe3c8c4c
Opcode Fuzzy Hash: 198fa59a296a787b5fb1760c8c4d451e468ab4aca3f2440091634e7adff1fd14
Instruction Fuzzy Hash: 285138B4E1525ADFCB14CFA4D4809EEBBB2FF89300F14866AE405BB215D770AA45CF90

Function 075BF650 Relevance: 1.5, Strings: 1, Instructions: 202COMMON

Download Yara Rule

Strings

L~, xrefs: 075BF73E

Memory Dump Source

Source File: 00000000.00000002.2486113402.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: L~
API String ID: 0-3876828424
Opcode ID: 369f2db27ab2cb7d9bdae11fa05a2682f9e6ab4a5fde65a6fce5b11ab98bb6a8
Instruction ID: 4d7d83b7324b50c4744bf9c414a6a37d26e5ab2aa2f4958dfc94bcdf28ab7014
Opcode Fuzzy Hash: 369f2db27ab2cb7d9bdae11fa05a2682f9e6ab4a5fde65a6fce5b11ab98bb6a8
Instruction Fuzzy Hash: A19103B4E15219CFCB04CFA9C9849EEFBF2FB89310F249859D415AB264D334AA41CF55

Function 075BF640 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

L~, xrefs: 075BF73E

Memory Dump Source

Source File: 00000000.00000002.2486113402.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: L~
API String ID: 0-3876828424
Opcode ID: fa6e763b78de23e808235c3de4b619de1ee84d12ee41382da11c1454f09f9680
Instruction ID: 0751a872637ca6b02fde9cd36b0b03d17441aa7b4d06f3a953acbaf8e21f0a64
Opcode Fuzzy Hash: fa6e763b78de23e808235c3de4b619de1ee84d12ee41382da11c1454f09f9680
Instruction Fuzzy Hash: 8C911574A15259CFCB04CFA9C9849EEFBF2FF89310F14995AD415AB2A4D330AA41CF51

Function 075B2E45 Relevance: .6, Instructions: 571COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2486113402.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec05fc6052712698bf0c2dac6dd40466bfd519d992ac26791fedee5de37203ee
Instruction ID: 4afa700eec0e583b7eb1d10c1f865ec60a8bd311507df1b6184dede185255a94
Opcode Fuzzy Hash: ec05fc6052712698bf0c2dac6dd40466bfd519d992ac26791fedee5de37203ee
Instruction Fuzzy Hash: 5722A071E10215CFCB08EFB9D9989AEBBF2FF88200B518629D405AB354EF359C45DB90

Function 079DEDC8 Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2486805165.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30812263c6b7525b5f6bed90755fc73f177489edf197f6536fb382356dd08a52
Instruction ID: e0a7f2b418fffc2ea56da2d79029d43bab72970ba97ae6912d9611bb170d26b3
Opcode Fuzzy Hash: 30812263c6b7525b5f6bed90755fc73f177489edf197f6536fb382356dd08a52
Instruction Fuzzy Hash: 3DD1A8B17016028FDB29EB79C454BAEB7FAAFC9708F148469D246DB291CB34EC01CB51

Function 0134BB4D Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2472987096.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1340000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eedd88d3e30417f4be2bbde64b30a07ca07580f96001773a637eeb69e5338ad8
Instruction ID: a598de87bff811bc8bd7f73c7579dc6492e30200e0cbe7e0c7ce85bdd8381565
Opcode Fuzzy Hash: eedd88d3e30417f4be2bbde64b30a07ca07580f96001773a637eeb69e5338ad8
Instruction Fuzzy Hash: E6B1F734700209CBEB3C1B39985473AFAEAEFC1B45F18482DD94AD659CCE31E845AF56

Function 07F1D410 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2486965109.0000000007F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7659d3fa71c173020fcd9a76cb6b8f2edcc92329d4a4233658ad459fca54a055
Instruction ID: 603e9d7e562f76ca91e16249351ea162a50cd2e421bd1985f2fb964b5ea45ff0
Opcode Fuzzy Hash: 7659d3fa71c173020fcd9a76cb6b8f2edcc92329d4a4233658ad459fca54a055
Instruction Fuzzy Hash: 36A181B4B002559FEB5CABB8881476F7AE7AFC8640F14853D910AE7784DF389D078791

Function 079DF728 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2486805165.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc203ded06f8429c7d64fdfa11386f4b20207f5f9220e0aa385e8808ff203ae3
Instruction ID: 5203d07fc5750b893cc88e912614e4035916df84346f778d7c814adf42769971
Opcode Fuzzy Hash: cc203ded06f8429c7d64fdfa11386f4b20207f5f9220e0aa385e8808ff203ae3
Instruction Fuzzy Hash: 8DD1C574A00605CFDB18DF69C599AA9B7F6BF8C304F2580A9E516EB361DB31AD40CF60

Function 0831E317 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2487453766.0000000008310000.00000040.00000800.00020000.00000000.sdmp, Offset: 08310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8310000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea4e025e990c2b363cfa02f936e183ce8ca7c3b26f98048b9ef5a2b3fc76da05
Instruction ID: d90f7bc326d13cbbd42b9ab9bc479b06bb3624c67e6bc763910efbb6a7b74421
Opcode Fuzzy Hash: ea4e025e990c2b363cfa02f936e183ce8ca7c3b26f98048b9ef5a2b3fc76da05
Instruction Fuzzy Hash: 36D10731D20B5ACACB14EBA4D990699B7B1FFD5300F20D79AD4497B211EF706AC4CB91

Function 0831E328 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2487453766.0000000008310000.00000040.00000800.00020000.00000000.sdmp, Offset: 08310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8310000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7ca824bd07fba6d1f0753cf7545686cefcc1665b74c30049b8149fc650d79b
Instruction ID: b401470dc042b800e4caa8197c53ab0053cf702b1b304bb220ff2b313d31346b
Opcode Fuzzy Hash: be7ca824bd07fba6d1f0753cf7545686cefcc1665b74c30049b8149fc650d79b
Instruction Fuzzy Hash: 62D1F731D20B5ACACB14EBA4D950699B7B1FFD5300F20DB9AE5497B210EF706AC4CB91

Function 08329D85 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 533c98c21289c49f04752404f37c421bd546b5309025a9a3d4b2b49ad97ea1db
Instruction ID: cc8e624e1baa013cb2bf8590c63ad79308131686b8d8224c0f4137d0d585724a
Opcode Fuzzy Hash: 533c98c21289c49f04752404f37c421bd546b5309025a9a3d4b2b49ad97ea1db
Instruction Fuzzy Hash: 71515C3050D3C18FC306EB78C8A59597FB5AF87210B0A89EFD4C68F1A3CA385809C762

Function 0832E830 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72e3acc7622cb65b83ba53d11226db35d204a61904fc9f22ad652b120b301a86
Instruction ID: 2d3569c4888527ab68f447e6f7835145cc2ebb9d0b10d85816193973c41d0ac3
Opcode Fuzzy Hash: 72e3acc7622cb65b83ba53d11226db35d204a61904fc9f22ad652b120b301a86
Instruction Fuzzy Hash: 9C711274E05219CFCB08CFA9C5819EEFBF6FF89210F68946AD415BB315D3349A418B68

Function 0832E840 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ea918739e07012f1c4f89a6691370ab0a893002c3c3c98ea61de93e60341a78
Instruction ID: dc50f5f010f56eec053239263f5799054da242154c73ef36b2ee832af8afe1e4
Opcode Fuzzy Hash: 9ea918739e07012f1c4f89a6691370ab0a893002c3c3c98ea61de93e60341a78
Instruction Fuzzy Hash: 257113B4E15219CFCB08CFA9C5819DEFBF6FF89210F68942AD415B7315D334AA418B64

Function 0832DF98 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65c0a8439ac2609e01850d0a73b46e809e9acc27999e419c0fa04d201693df9f
Instruction ID: 83e1b84e683423af19c3dd8443cf666b099124dc7b0291f3b15077635da0ddcb
Opcode Fuzzy Hash: 65c0a8439ac2609e01850d0a73b46e809e9acc27999e419c0fa04d201693df9f
Instruction Fuzzy Hash: 367117B4E0426ADFCB04CF99D5819AEFBB1FF88311F18852AD516A7315C334A982CF95

Function 0832E288 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94d985e0110767922a40e65df1ff63abfa52774b5e78eff132d251d26e8641bf
Instruction ID: a9eed1ee7d3822b5b07bcc635fd2693f89764fef1edc03e7689bdf3379edfe90
Opcode Fuzzy Hash: 94d985e0110767922a40e65df1ff63abfa52774b5e78eff132d251d26e8641bf
Instruction Fuzzy Hash: 0E6159B0E04229DFDB04DFA9C4829EEFBB1BF89301F14C16AD415AB241D334AA52CF95

Function 0832DF88 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc2087e1b430392fd0cf75308a9b24c2ef74508c1c43dc67ae071324f4bf61ed
Instruction ID: 28f03cf6149889a373c2074c450b5945bad5ae7141e9a8e50af642cef3e60d7e
Opcode Fuzzy Hash: cc2087e1b430392fd0cf75308a9b24c2ef74508c1c43dc67ae071324f4bf61ed
Instruction Fuzzy Hash: 506116B0D0426ADFCB04CF99D5819AEFBB2FF88311F18856AD516A7311C330A982CF95

Function 0832EC60 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7fae760d9191ddbad30715c1e7cf35093105531e7f47d8af0f20f9277f4b52c
Instruction ID: 8f80121a65485758b6d01a92c77a37753706db31dca58c3139075de5f4a68860
Opcode Fuzzy Hash: f7fae760d9191ddbad30715c1e7cf35093105531e7f47d8af0f20f9277f4b52c
Instruction Fuzzy Hash: 7951FA71E05268CFDB58CF6AD94169EBBF3AFC9201F14C1AAC409AB265D7304A45CF51

Function 079D0006 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2486805165.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 253b3ccd20ef8cd0a92348516ea20a29f421b7dabe949de131b9be917c33c4b1
Instruction ID: a432ffebdfcc68c9ef5b5d93387a0612fb6d483b4199696ea6d4feacc4205306
Opcode Fuzzy Hash: 253b3ccd20ef8cd0a92348516ea20a29f421b7dabe949de131b9be917c33c4b1
Instruction Fuzzy Hash: FF519971E057588FDB19CF6B894428AFBF3AFC9210F18C1AAC44DAB225DB340A858F11

Function 0832E5F8 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc3aff986e274a1792071ac72e1679f18baa1ffaa04a1b39be7de85b630df8f5
Instruction ID: b6f8c97ff3db883b4384a94e2eba98812dbbc41d3652779eed7758c8e82f19c4
Opcode Fuzzy Hash: bc3aff986e274a1792071ac72e1679f18baa1ffaa04a1b39be7de85b630df8f5
Instruction Fuzzy Hash: F5410A70E0421ACFDB44CFAAC5815AEFBF2FB88301F14C56AC415A7255D338A641CF94

Function 075BEBE8 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2486113402.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c0e7b3bcd590ce42935908df19259de43f15c654b0a446ce0ea3eae03b32bad
Instruction ID: dcdc7b37b2b1ff7db30a7cb685f4cc6ca853c92bb440c0775e1688d6787dca68
Opcode Fuzzy Hash: 6c0e7b3bcd590ce42935908df19259de43f15c654b0a446ce0ea3eae03b32bad
Instruction Fuzzy Hash: 0A4148B0E1521ACFCB44CFA9C4415EEFBF1FF8A210F18956AC415AB264D3349A41CFA0

Function 0832E608 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03b747c97cab8e73e0cae4b56b70b95fc630751bd4b29a34829bb915ab090f91
Instruction ID: 38fb325fc385a8cad1352c92faba69e3ede8a07f4a93f77981b5a368caa95916
Opcode Fuzzy Hash: 03b747c97cab8e73e0cae4b56b70b95fc630751bd4b29a34829bb915ab090f91
Instruction Fuzzy Hash: 91410AB0E0021ADFDB44CFAAC5815AEFBF6FB88301F14D46AC415A7215D339AA41CF94

Function 075BF45A Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2486113402.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30555b2de9c0d45470a3e4bae7c4aeb59b5a8455bbb84f28ce6080fb7b4549f4
Instruction ID: e4d83c2fba80c935d46f7eb1bac0ec1459ce14be360c0390bf6ae55c0b5baaf1
Opcode Fuzzy Hash: 30555b2de9c0d45470a3e4bae7c4aeb59b5a8455bbb84f28ce6080fb7b4549f4
Instruction Fuzzy Hash: 48411CB0D1520ADFCB14CFA9C9819EEFBB2FF85310F14D9AAC005A7295D7349A458FA1

Function 0832EC70 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2487500485.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8320000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 813d97a190ed7fb6e901d8f1609573b3304a5cb2736e81d2851a18f575dcf4d4
Instruction ID: a6a51ab8eb04b28cd5b432249bbd2e7dbe6e7901b833e1ebf93af1050ad5498d
Opcode Fuzzy Hash: 813d97a190ed7fb6e901d8f1609573b3304a5cb2736e81d2851a18f575dcf4d4
Instruction Fuzzy Hash: 8241D871E01668DFEB58CF6AD94079EFBB3BFC8201F14C1AAC419A7215DB309A468F51

Function 079D0040 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2486805165.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed3d768b170da50026255e4183b2b2524e8244251c87ea38f7c0090b564bc0c
Instruction ID: efa10912d01e994aae74bb427ee66a84b1dc51fd6cd3e60b1c6edb3653a6d329
Opcode Fuzzy Hash: fed3d768b170da50026255e4183b2b2524e8244251c87ea38f7c0090b564bc0c
Instruction Fuzzy Hash: C6415EB1E016598BEB58CF6B9D4439EFBF7BFC9300F14C1BA950CA6214EB7409858E11

Function 079D7CA1 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2486805165.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f10660ec593149105fb5c14e2cd180dd8011a7a581f8031e3ce0dde91232407e
Instruction ID: 54b8e5102b1c6c4637ff528508d3a78a636ce6ffc9983bceeaee2bd43d4fb4bf
Opcode Fuzzy Hash: f10660ec593149105fb5c14e2cd180dd8011a7a581f8031e3ce0dde91232407e
Instruction Fuzzy Hash: 7B4132B4E05219CFCB18CFE8E9946ADFBB2FB89310F10882AD506F7254D73499418F28

Function 079D3210 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2486805165.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7dbcf7b224081e6f9986b15c44cf00e6b7c6db2a669d173c9a5c6ae8dd2a7ce
Instruction ID: e9cab4158459200e7ad8aa0942925d7d12f09fa3464b09fa8348582271ba113d
Opcode Fuzzy Hash: e7dbcf7b224081e6f9986b15c44cf00e6b7c6db2a669d173c9a5c6ae8dd2a7ce
Instruction Fuzzy Hash: 832144B1E11619CBDB08CFAAD8406EEFBF7AFC9210F14C12AD508A7254EB344A418B61

Function 079D2B80 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2486805165.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e562189c3ecf90193bdd906188d65530aa396ce3afbf6694230b2f205e92f929
Instruction ID: e0a913e29a9e6b3e6b0e513e77abf516ac8af3cd032495a5100889a12ac84688
Opcode Fuzzy Hash: e562189c3ecf90193bdd906188d65530aa396ce3afbf6694230b2f205e92f929
Instruction Fuzzy Hash: 4F1156B1E11629CBDB08CFABE8406EEFBF7FBC8200F14C07AD408A7214DA344A418B51

Function 079D81D8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2486805165.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e32a474d61566e817e6dd30683ebec8ab464a208f10d2a5d9cbcebb187d3fcd0
Instruction ID: 6b56ad3f0fee4fd674fdf7876dc20b2cff88e5e1d9efdcd0c84faaaf21c8563c
Opcode Fuzzy Hash: e32a474d61566e817e6dd30683ebec8ab464a208f10d2a5d9cbcebb187d3fcd0
Instruction Fuzzy Hash: 711129B5E116198BDB08CFABD94069EFBF7BBC8310F14C03AD518A7214EB705A458B51

Function 079D2B72 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2486805165.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16218bd285c30ee0d5caa64660ffe81196a5f1d44e2b99ec32cbcc9a7c85ec64
Instruction ID: 10e72ae5b7cad80dc49a3afc9f13d1d6dde0d48df22bd1d851bb1cf754db3849
Opcode Fuzzy Hash: 16218bd285c30ee0d5caa64660ffe81196a5f1d44e2b99ec32cbcc9a7c85ec64
Instruction Fuzzy Hash: 23215C70E016598FDB19CFAAD9406AEBBF3AFC9200F18C17AD408EB255DA344A458B51

Function 079D68E8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2486805165.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b67a7d391321923e8f34ad5c49c1f4a19ca6b31fa37b119282f247da294d782
Instruction ID: fb9f9d80fd70182d685d0450023b63f30cb29edf76650d8db907ba34fe13c97f
Opcode Fuzzy Hash: 7b67a7d391321923e8f34ad5c49c1f4a19ca6b31fa37b119282f247da294d782
Instruction Fuzzy Hash: 501114B1E116199BDB08CFAAD8406AEFBF7AFC8210F14C17AD408A7214DB745A558FA1

Function 079D3878 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2486805165.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aad54febeaacfde57f68a6381b0a83dc60998d2d5b703f0dd9a6d0ffe1dfd2da
Instruction ID: 10d59d364b607adef97870b494d85b2fca8007695d2ead3ea15e622366820d32
Opcode Fuzzy Hash: aad54febeaacfde57f68a6381b0a83dc60998d2d5b703f0dd9a6d0ffe1dfd2da
Instruction Fuzzy Hash: 341126B1E11619DBDB58CFABE9406AEFBF7EFC8200F14C06AD408A7214DA345A458F61

Function 079D3200 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2486805165.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e4b07a10e5c7fff9158ef0d0e9487f97c619214a6eb3dc8cc215fa595846137
Instruction ID: 4fa74784673e49198c55120606c4fd8580cca8e7985554af3481fe9bdbffcf38
Opcode Fuzzy Hash: 1e4b07a10e5c7fff9158ef0d0e9487f97c619214a6eb3dc8cc215fa595846137
Instruction Fuzzy Hash: 3A214AB0E116198BDB18CFAAD8416EEFBF3AFC9300F18C22AD408A7254DB344A45CF51

Function 079D3867 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2486805165.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8917338f66ece0e0a7d49ae5ac7268123a8d7a1cefb3cab0d9e63a3064bad24
Instruction ID: 85090e023ad685294aedf7836247918385b87d6173bc703c927fdba0b3a28870
Opcode Fuzzy Hash: b8917338f66ece0e0a7d49ae5ac7268123a8d7a1cefb3cab0d9e63a3064bad24
Instruction Fuzzy Hash: 3D113DB1E116599FDB18CFABD94069EBBF3AFC8300F18C16AD408A7354DA344A468F61

Function 079D68D9 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2486805165.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 134c64aae333bd2b01c7ea83c547b5139b3cc36c92ecaf7da299721919a0c113
Instruction ID: 5de1db227ad30b7fdf497535da0af1597a6f1f69567f0b3df56f4e71faf67980
Opcode Fuzzy Hash: 134c64aae333bd2b01c7ea83c547b5139b3cc36c92ecaf7da299721919a0c113
Instruction Fuzzy Hash: 0B116AB0E116598BDB08CF6AD8806AEFBF3AFC9300F14C17AD408A7214D7344A458F90

Function 079D81D1 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2486805165.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a2ce7fe0bed080be71e47fc1aab0a75c9b453e6825cec3591724f84572fa909
Instruction ID: 68e3c80054a0acd77448ac272258e75a33a7e96143437740f14c1a2b888d8a05
Opcode Fuzzy Hash: 0a2ce7fe0bed080be71e47fc1aab0a75c9b453e6825cec3591724f84572fa909
Instruction Fuzzy Hash: 0E1146B0E116598BEB08CFABD9406AEFBF7BFC8200F14C06A9418A7214EB704A45CF51

Analysis Process: InstallUtil.exePID: 3136, Parent PID: 5044COMMON

Execution Graph

Execution Coverage:	8.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	14
Total number of Limit Nodes:	0

Executed Functions

Function 0273A9D0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0273AE9E,?,?,?,?,?), ref: 0273AF5F

Memory Dump Source

Source File: 00000004.00000002.4558742199.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_InstallUtil.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f9d039197e3126ca50541aecc912ee362598e6249daa341d004730e738f2d234
Instruction ID: e7d14cb294dff226eeb8269e29efc27d7f481b8588463ca4b2b24774428b361b
Opcode Fuzzy Hash: f9d039197e3126ca50541aecc912ee362598e6249daa341d004730e738f2d234
Instruction Fuzzy Hash: 6E21F4B59002099FDB10CF9AD584ADEBBF4EB48314F14801AE954B3310D379A954CFA0

Function 0273AED0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0273AE9E,?,?,?,?,?), ref: 0273AF5F

Memory Dump Source

Source File: 00000004.00000002.4558742199.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_InstallUtil.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a87ce607856650ebffb72d6a817b7d27ddb88c467b09b274a747bfc1677e0802
Instruction ID: 7936742d72a246e3d3a133d5f57e26a6565f152ea213d2cd08a214af48fde949
Opcode Fuzzy Hash: a87ce607856650ebffb72d6a817b7d27ddb88c467b09b274a747bfc1677e0802
Instruction Fuzzy Hash: 682105B59002499FDB10CFAAD984ADEFFF4FB48314F14801AE954A3310D379A944CFA1

Function 02735B80 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 02735BFB

Memory Dump Source

Source File: 00000004.00000002.4558742199.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_InstallUtil.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: b6cb0df20ce06fc21b631ad4300dbeff97487b5d7fe2dd4476072e846f1888af
Instruction ID: b05a8624c55510ffa40e8e187c96a215871cf6f75ce25a5cba378aa67f89af09
Opcode Fuzzy Hash: b6cb0df20ce06fc21b631ad4300dbeff97487b5d7fe2dd4476072e846f1888af
Instruction Fuzzy Hash: 5E2115B19002498FDB14DF9AC944BDEBBF5BF88314F108429D419A7250D779A944CFA1

Function 02735B78 Relevance: 1.6, APIs: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 02735BFB

Memory Dump Source

Source File: 00000004.00000002.4558742199.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2730000_InstallUtil.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 533185110ced1c290d79cf7a0f901825e33a7154d07136cbafbdcb0e5f2319c0
Instruction ID: c7d2f889602fa287dbcbe9db95521244fa16c27cba9572619d949987002de663
Opcode Fuzzy Hash: 533185110ced1c290d79cf7a0f901825e33a7154d07136cbafbdcb0e5f2319c0
Instruction Fuzzy Hash: E32135B5D0020ACFDB14CF99D944BDEBBF1BF88314F208429D418A7250CB78A944CFA1

Function 025CD0FC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4557989767.00000000025CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 025CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_25cd000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d00dae807b6bc481f70f84e273eea2ef71868b2c5ec67d86ba106d1ea1450d0d
Instruction ID: 2b1da44ab4bd3bb116e865b1733e866658cb756e871ec93d3fe48abdc9913c47
Opcode Fuzzy Hash: d00dae807b6bc481f70f84e273eea2ef71868b2c5ec67d86ba106d1ea1450d0d
Instruction Fuzzy Hash: 4621FFB5504204AFDB04DF50D980B26BBB1FB88314F20C97DD80A8A352D37AD446CA61

Function 025CD01C Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4557989767.00000000025CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 025CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_25cd000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29c59362cad170ac427cf09e038a18a615e372e498f0d493d735c57cd184a539
Instruction ID: 67c5f18d83a73412333053f8d7d7ac79df2562e0dc1874fabb6c19fecc15ce1e
Opcode Fuzzy Hash: 29c59362cad170ac427cf09e038a18a615e372e498f0d493d735c57cd184a539
Instruction Fuzzy Hash: AD210071604204EFDB14DF68C580B26BFB1FB84328F30C57CD90A9B252E37AC846CA62

Function 025CD006 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4557989767.00000000025CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 025CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_25cd000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65cb43f423c655f63211f4b9c61cea092b2b2f5b9991cc2a59169f37185c8597
Instruction ID: 4db3e66def3a46d8dc4739172f5d4b835dbc0ee2f6d85e0dde964030bc28af17
Opcode Fuzzy Hash: 65cb43f423c655f63211f4b9c61cea092b2b2f5b9991cc2a59169f37185c8597
Instruction Fuzzy Hash: 7D216F755093C48FCB12CF24C594725BF71BB46214F28C5EED8898B6A3D33AD84ACB62

Function 025CD0F7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4557989767.00000000025CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 025CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_25cd000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: b8378cd6447b882010ff643879dc7c2f188138b4266242629424d6f8229eb221
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 24118B76504284DFDB06CF50D9C4B15BFB1FB88218F24C6ADD8498B756C33AD45ACBA1

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe.log

C:\Users\user\AppData\Local\Temp\Log.tmp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\diagaudio.lnk

C:\Users\user\AppData\Roaming\diagaudio.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe

Function 08322AD0 Relevance: 5.6, Instructions: 5633
COMMON

Function 08322ACF Relevance: 5.6, Instructions: 5633
COMMON

Function 08313538 Relevance: 5.2, Instructions: 5170
COMMON

Function 079D9E40 Relevance: 2.7, Strings: 2, Instructions: 182
COMMON

Function 079D28E0 Relevance: 2.7, Strings: 2, Instructions: 167
COMMON

Function 075BD89A Relevance: 2.7, Strings: 2, Instructions: 164
COMMON

Function 079D98A8 Relevance: 1.7, APIs: 1, Instructions: 164
processCOMMON

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre