Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
6Oq2eXtHmE.exe

Overview

General Information

Sample name:6Oq2eXtHmE.exe
renamed because original name is a hash value
Original sample name:74D1B3D898B42F285B8718CC8010919F.exe
Analysis ID:1498206
MD5:74d1b3d898b42f285b8718cc8010919f
SHA1:4ca51aece95740cf74845d3ae360fe132a24edf5
SHA256:aa9809519069ba9a0caaa0743fa0d908eb87f544422f55af6b60113b3353fc66
Tags:exeOrcusRAT
Infos:

Detection

Orcus
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Orcus RAT
.NET source code contains very large strings
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to disable the Task Manager (.Net Source)
Machine Learning detection for sample
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • 6Oq2eXtHmE.exe (PID: 6588 cmdline: "C:\Users\user\Desktop\6Oq2eXtHmE.exe" MD5: 74D1B3D898B42F285B8718CC8010919F)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Orcus RATOrcus has been advertised as a Remote Administration Tool (RAT) since early 2016. It has all the features that would be expected from a RAT and probably more. The long list of the commands is documented on their website. But what separates Orcus from the others is its capability to load custom plugins developed by users, as well as plugins that are readily available from the Orcus repository. In addition to that, users can also execute C# and VB.net code on the remote machine in real-time.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.orcus_rat

Malware Configuration

Threatname: OrcusRAT

{"AutostartBuilderProperty": {"AutostartMethod": "Disable", "TaskSchedulerTaskName": "Orcus", "TaskHighestPrivileges": "true", "RegistryHiddenStart": "true", "RegistryKeyName": "Orcus", "TryAllAutostartMethodsOnFail": "true"}, "ChangeAssemblyInformationBuilderProperty": {"ChangeAssemblyInformation": "false", "AssemblyTitle": null, "AssemblyDescription": null, "AssemblyCompanyName": null, "AssemblyProductName": null, "AssemblyCopyright": null, "AssemblyTrademarks": null, "AssemblyProductVersion": "1.0.0.0", "AssemblyFileVersion": "1.0.0.0"}, "ChangeCreationDateBuilderProperty": {"IsEnabled": "false", "NewCreationDate": "2024-08-17T19:23:49"}, "ChangeIconBuilderProperty": {"ChangeIcon": "false", "IconPath": null}, "ClientTagBuilderProperty": {"ClientTag": null}, "ConnectionBuilderProperty": {"IpAddresses": [{"Ip": "0.0.0.0", "Port": "10134"}, {"Ip": "178.211.130.175", "Port": "10134"}]}, "DataFolderBuilderProperty": {"Path": "%appdata%\\Orcus"}, "DefaultPrivilegesBuilderProperty": {"RequireAdministratorRights": "false"}, "DisableInstallationPromptBuilderProperty": {"IsDisabled": "false"}, "FrameworkVersionBuilderProperty": {"FrameworkVersion": "NET45"}, "HideFileBuilderProperty": {"HideFile": "false"}, "InstallationLocationBuilderProperty": {"Path": "%programfiles%\\Orcus\\Orcus.exe"}, "InstallBuilderProperty": {"Install": "false"}, "KeyloggerBuilderProperty": {"IsEnabled": "false"}, "MutexBuilderProperty": {"Mutex": "d9a00bf22a4a417e82bc8c3d42094449"}, "ProxyBuilderProperty": {"ProxyOption": "None", "ProxyAddress": null, "ProxyPort": "1080", "ProxyType": "2"}, "ReconnectDelayProperty": {"Delay": "10000"}, "RequireAdministratorPrivilegesInstallerBuilderProperty": {"RequireAdministratorPrivileges": "true"}, "RespawnTaskBuilderProperty": {"IsEnabled": "false", "TaskName": "Orcus Respawner"}, "ServiceBuilderProperty": {"Install": "false"}, "SetRunProgramAsAdminFlagBuilderProperty": {"SetFlag": "false"}, "WatchdogBuilderProperty": {"IsEnabled": "false", "Name": "OrcusWatchdog.exe", "WatchdogLocation": "AppData", "PreventFileDeletion": "false"}}

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
6Oq2eXtHmE.exeJoeSecurity_OrcusRatYara detected Orcus RATJ from THL <j@techhelplist.com> with thx to MalwareHunterTeam
    6Oq2eXtHmE.exeMAL_BackNet_Nov18_1Detects BackNet samplesFlorian Roth
    • 0xc9b47:$s1: ProcessedByFody
    • 0xd56b2:$s2: SELECT * FROM AntivirusProduct
    6Oq2eXtHmE.exeRAT_Orcusunknown J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
    • 0xc92c1:$text01: Orcus.CommandManagement
    • 0xaff57:$text02: Orcus.Commands.
    • 0xbd8d9:$text02: Orcus.Commands.
    • 0xbda47:$text02: Orcus.Commands.
    • 0xbda87:$text02: Orcus.Commands.
    • 0xbdadc:$text02: Orcus.Commands.
    • 0xbdd0b:$text02: Orcus.Commands.
    • 0xbe500:$text02: Orcus.Commands.
    • 0xbe967:$text02: Orcus.Commands.
    • 0xbed0e:$text02: Orcus.Commands.
    • 0xbef7a:$text02: Orcus.Commands.
    • 0xbf256:$text02: Orcus.Commands.
    • 0xbf5a2:$text02: Orcus.Commands.
    • 0xbf697:$text02: Orcus.Commands.
    • 0xbfc4f:$text02: Orcus.Commands.
    • 0xbfe1f:$text02: Orcus.Commands.
    • 0xc0140:$text02: Orcus.Commands.
    • 0xc03e3:$text02: Orcus.Commands.
    • 0xc04be:$text02: Orcus.Commands.
    • 0xc0a2e:$text02: Orcus.Commands.
    • 0xc0acd:$text02: Orcus.Commands.
    6Oq2eXtHmE.exeINDICATOR_SUSPICIOUS_GENInfoStealerDetects executables containing common artifcats observed in infostealersditekSHen
    • 0xd6f2c:$f1: FileZilla\recentservers.xml
    • 0xd6a5c:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
    • 0xd72c2:$b1: Chrome\User Data\
    • 0xd732e:$b1: Chrome\User Data\
    • 0xd73de:$b2: Mozilla\Firefox\Profiles
    • 0xd6e78:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
    • 0xdf003:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
    • 0xd6c26:$b4: Opera Software\Opera Stable\Login Data
    • 0xd6950:$b5: YandexBrowser\User Data\
    • 0xd69bc:$b5: YandexBrowser\User Data\
    • 0xd7376:$s1: key3.db
    • 0xd7496:$s4: logins.json
    • 0xd65de:$a1: username_value
    • 0xd65fc:$a2: password_value
    • 0xc6ef7:$a3: encryptedUsername
    • 0xd74e2:$a3: encryptedUsername
    • 0xc6ee5:$a4: encryptedPassword
    • 0xd7506:$a4: encryptedPassword

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000000.00000000.2005103261.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_OrcusRatYara detected Orcus RATJ from THL <j@techhelplist.com> with thx to MalwareHunterTeam
      00000000.00000000.2005103261.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpRAT_Orcusunknown J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
      • 0xc90c1:$text01: Orcus.CommandManagement
      • 0xafd57:$text02: Orcus.Commands.
      • 0xbd6d9:$text02: Orcus.Commands.
      • 0xbd847:$text02: Orcus.Commands.
      • 0xbd887:$text02: Orcus.Commands.
      • 0xbd8dc:$text02: Orcus.Commands.
      • 0xbdb0b:$text02: Orcus.Commands.
      • 0xbe300:$text02: Orcus.Commands.
      • 0xbe767:$text02: Orcus.Commands.
      • 0xbeb0e:$text02: Orcus.Commands.
      • 0xbed7a:$text02: Orcus.Commands.
      • 0xbf056:$text02: Orcus.Commands.
      • 0xbf3a2:$text02: Orcus.Commands.
      • 0xbf497:$text02: Orcus.Commands.
      • 0xbfa4f:$text02: Orcus.Commands.
      • 0xbfc1f:$text02: Orcus.Commands.
      • 0xbff40:$text02: Orcus.Commands.
      • 0xc01e3:$text02: Orcus.Commands.
      • 0xc02be:$text02: Orcus.Commands.
      • 0xc082e:$text02: Orcus.Commands.
      • 0xc08cd:$text02: Orcus.Commands.
      Process Memory Space: 6Oq2eXtHmE.exe PID: 6588JoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
        Process Memory Space: 6Oq2eXtHmE.exe PID: 6588JoeSecurity_OrcusRatYara detected Orcus RATJ from THL <j@techhelplist.com> with thx to MalwareHunterTeam
          Process Memory Space: 6Oq2eXtHmE.exe PID: 6588RAT_Orcusunknown J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
          • 0x72f9b:$text01: Orcus.CommandManagement
          • 0x8b74e:$text01: Orcus.CommandManagement
          • 0x5a00f:$text02: Orcus.Commands.
          • 0x676a8:$text02: Orcus.Commands.
          • 0x67811:$text02: Orcus.Commands.
          • 0x67851:$text02: Orcus.Commands.
          • 0x678a1:$text02: Orcus.Commands.
          • 0x67ad0:$text02: Orcus.Commands.
          • 0x682c5:$text02: Orcus.Commands.
          • 0x6872c:$text02: Orcus.Commands.
          • 0x68ad3:$text02: Orcus.Commands.
          • 0x68d3f:$text02: Orcus.Commands.
          • 0x6901b:$text02: Orcus.Commands.
          • 0x69367:$text02: Orcus.Commands.
          • 0x69458:$text02: Orcus.Commands.
          • 0x69a03:$text02: Orcus.Commands.
          • 0x69bd3:$text02: Orcus.Commands.
          • 0x69eef:$text02: Orcus.Commands.
          • 0x6a192:$text02: Orcus.Commands.
          • 0x6a268:$text02: Orcus.Commands.
          • 0x6a7d4:$text02: Orcus.Commands.

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          0.0.6Oq2eXtHmE.exe.ac0000.0.unpackJoeSecurity_OrcusRatYara detected Orcus RATJ from THL <j@techhelplist.com> with thx to MalwareHunterTeam
            0.0.6Oq2eXtHmE.exe.ac0000.0.unpackMAL_BackNet_Nov18_1Detects BackNet samplesFlorian Roth
            • 0xc9b47:$s1: ProcessedByFody
            • 0xd56b2:$s2: SELECT * FROM AntivirusProduct
            0.0.6Oq2eXtHmE.exe.ac0000.0.unpackRAT_Orcusunknown J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
            • 0xc92c1:$text01: Orcus.CommandManagement
            • 0xaff57:$text02: Orcus.Commands.
            • 0xbd8d9:$text02: Orcus.Commands.
            • 0xbda47:$text02: Orcus.Commands.
            • 0xbda87:$text02: Orcus.Commands.
            • 0xbdadc:$text02: Orcus.Commands.
            • 0xbdd0b:$text02: Orcus.Commands.
            • 0xbe500:$text02: Orcus.Commands.
            • 0xbe967:$text02: Orcus.Commands.
            • 0xbed0e:$text02: Orcus.Commands.
            • 0xbef7a:$text02: Orcus.Commands.
            • 0xbf256:$text02: Orcus.Commands.
            • 0xbf5a2:$text02: Orcus.Commands.
            • 0xbf697:$text02: Orcus.Commands.
            • 0xbfc4f:$text02: Orcus.Commands.
            • 0xbfe1f:$text02: Orcus.Commands.
            • 0xc0140:$text02: Orcus.Commands.
            • 0xc03e3:$text02: Orcus.Commands.
            • 0xc04be:$text02: Orcus.Commands.
            • 0xc0a2e:$text02: Orcus.Commands.
            • 0xc0acd:$text02: Orcus.Commands.
            0.0.6Oq2eXtHmE.exe.ac0000.0.unpackINDICATOR_SUSPICIOUS_GENInfoStealerDetects executables containing common artifcats observed in infostealersditekSHen
            • 0xd6f2c:$f1: FileZilla\recentservers.xml
            • 0xd6a5c:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
            • 0xd72c2:$b1: Chrome\User Data\
            • 0xd732e:$b1: Chrome\User Data\
            • 0xd73de:$b2: Mozilla\Firefox\Profiles
            • 0xd6e78:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
            • 0xdf003:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
            • 0xd6c26:$b4: Opera Software\Opera Stable\Login Data
            • 0xd6950:$b5: YandexBrowser\User Data\
            • 0xd69bc:$b5: YandexBrowser\User Data\
            • 0xd7376:$s1: key3.db
            • 0xd7496:$s4: logins.json
            • 0xd65de:$a1: username_value
            • 0xd65fc:$a2: password_value
            • 0xc6ef7:$a3: encryptedUsername
            • 0xd74e2:$a3: encryptedUsername
            • 0xc6ee5:$a4: encryptedPassword
            • 0xd7506:$a4: encryptedPassword

            Sigma Signatures

            No Sigma rule has matched

            Suricata Signatures

            Timestamp:2024-08-23T20:56:56.662484+0200
            SID:2824244
            Severity:1
            Source Port:10134
            Destination Port:49704
            Protocol:TCP
            Classtype:Domain Observed Used for C2 Detected

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Antivirus / Scanner detection for submitted sample
            Source: 6Oq2eXtHmE.exeAvira: detected
            Found malware configuration
            Source: 6Oq2eXtHmE.exeMalware Configuration Extractor: OrcusRAT {"AutostartBuilderProperty": {"AutostartMethod": "Disable", "TaskSchedulerTaskName": "Orcus", "TaskHighestPrivileges": "true", "RegistryHiddenStart": "true", "RegistryKeyName": "Orcus", "TryAllAutostartMethodsOnFail": "true"}, "ChangeAssemblyInformationBuilderProperty": {"ChangeAssemblyInformation": "false", "AssemblyTitle": null, "AssemblyDescription": null, "AssemblyCompanyName": null, "AssemblyProductName": null, "AssemblyCopyright": null, "AssemblyTrademarks": null, "AssemblyProductVersion": "1.0.0.0", "AssemblyFileVersion": "1.0.0.0"}, "ChangeCreationDateBuilderProperty": {"IsEnabled": "false", "NewCreationDate": "2024-08-17T19:23:49"}, "ChangeIconBuilderProperty": {"ChangeIcon": "false", "IconPath": null}, "ClientTagBuilderProperty": {"ClientTag": null}, "ConnectionBuilderProperty": {"IpAddresses": [{"Ip": "0.0.0.0", "Port": "10134"}, {"Ip": "178.211.130.175", "Port": "10134"}]}, "DataFolderBuilderProperty": {"Path": "%appdata%\\Orcus"}, "DefaultPrivilegesBuilderProperty": {"RequireAdministratorRights": "false"}, "DisableInstallationPromptBuilderProperty": {"IsDisabled": "false"}, "FrameworkVersionBuilderProperty": {"FrameworkVersion": "NET45"}, "HideFileBuilderProperty": {"HideFile": "false"}, "InstallationLocationBuilderProperty": {"Path": "%programfiles%\\Orcus\\Orcus.exe"}, "InstallBuilderProperty": {"Install": "false"}, "KeyloggerBuilderProperty": {"IsEnabled": "false"}, "MutexBuilderProperty": {"Mutex": "d9a00bf22a4a417e82bc8c3d42094449"}, "ProxyBuilderProperty": {"ProxyOption": "None", "ProxyAddress": null, "ProxyPort": "1080", "ProxyType": "2"}, "ReconnectDelayProperty": {"Delay": "10000"}, "RequireAdministratorPrivilegesInstallerBuilderProperty": {"RequireAdministratorPrivileges": "true"}, "RespawnTaskBuilderProperty": {"IsEnabled": "false", "TaskName": "Orcus Respawner"}, "ServiceBuilderProperty": {"Install": "false"}, "SetRunProgramAsAdminFlagBuilderProperty": {"SetFlag": "false"}, "WatchdogBuilderProperty": {"IsEnabled": "false", "Name": "OrcusWatchdog.exe", "WatchdogLocation": "AppData", "PreventFileDeletion": "false"}}
            Multi AV Scanner detection for submitted file
            Source: 6Oq2eXtHmE.exeReversingLabs: Detection: 86%
            AI detected suspicious sample
            Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
            Machine Learning detection for sample
            Source: 6Oq2eXtHmE.exeJoe Sandbox ML: detected
            Source: 6Oq2eXtHmE.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 6Oq2eXtHmE.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: D:\Dokumente\GitHub\starksoft-aspen\Starksoft.Aspen\obj\Release\starksoft.aspen.pdb source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032AA000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.000000000327E000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4458196437.0000000005DC0000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.000000000329C000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: E:\Dokumente\Visual Studio 2015\Projects\Orcus\Source\Orcus.StaticCommands\obj\Release\Orcus.StaticCommands.pdb source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4458123019.0000000005D50000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.000000000409D000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000004122000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: E:\Dokumente\Visual Studio 2015\Projects\Orcus\Source\Orcus.Shared.Utilities\obj\Release\Orcus.Shared.Utilities.pdb source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000003043000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457678916.00000000058F0000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: D:\Dokumente\GitHub\starksoft-aspen\Starksoft.Aspen\obj\Release\starksoft.aspen.pdbL source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032AA000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.000000000327E000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4458196437.0000000005DC0000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.000000000329C000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: E:\Dokumente\Visual Studio 2015\Projects\Orcus\Source\Orcus.Plugins\obj\Release\Orcus.Plugins.pdb source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457090880.0000000005660000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: System.ServiceModel.pdb source: 6Oq2eXtHmE.exe, 00000000.00000002.4457835711.0000000005A0C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: E:\Dokumente\Visual Studio 2015\Projects\Orcus\Source\Orcus.Shared\obj\Release\Orcus.Shared.pdb source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457113369.0000000005670000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.000000000409D000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: 6Oq2eXtHmE.exe, 00000000.00000002.4458457255.0000000006AF2000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: E:\Dokumente\Visual Studio 2015\Projects\Orcus\Source\Orcus.Shared\obj\Release\Orcus.Shared.pdbDr source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457113369.0000000005670000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.000000000409D000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: E:\Dokumente\Visual Studio 2015\Projects\Orcus\Source\Orcus.Plugins\obj\Release\Orcus.Plugins.pdbD source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457090880.0000000005660000.00000004.08000000.00040000.00000000.sdmp

            Networking

            barindex
            Suricata IDS alerts for network traffic
            Source: Network trafficSuricata IDS: 2824244 - Severity 1 - ETPRO MALWARE Observed Malicious SSL Certificate (Orcus RAT) : 178.211.130.175:10134 -> 192.168.2.5:49704
            Source: global trafficTCP traffic: 192.168.2.5:49704 -> 178.211.130.175:10134
            Source: Joe Sandbox ViewASN Name: TIS-DIALOG-ASRU TIS-DIALOG-ASRU
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: unknownTCP traffic detected without corresponding DNS query: 178.211.130.175
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000003043000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4458123019.0000000005D50000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457678916.00000000058F0000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457090880.0000000005660000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.000000000409D000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000004122000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457113369.00000000056C7000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://aia.startssl.com/certs/ca.crt0
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000003043000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4458123019.0000000005D50000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457678916.00000000058F0000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457090880.0000000005660000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.000000000409D000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000004122000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457113369.00000000056C7000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://aia.startssl.com/certs/sca.code3.crt06
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000003043000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4458123019.0000000005D50000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457678916.00000000058F0000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457090880.0000000005660000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.000000000409D000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000004122000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457113369.00000000056C7000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://crl.startssl.com/sca-code3.crl0#
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000003043000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4458123019.0000000005D50000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457678916.00000000058F0000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457090880.0000000005660000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.000000000409D000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000004122000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457113369.00000000056C7000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://crl.startssl.com/sfsca.crl0f
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000003043000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4458123019.0000000005D50000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457678916.00000000058F0000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457090880.0000000005660000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.000000000409D000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000004122000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4457835711.0000000005A0C000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455227402.0000000001169000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/eni
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000003043000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4458123019.0000000005D50000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457678916.00000000058F0000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457090880.0000000005660000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.000000000409D000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000004122000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457113369.00000000056C7000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://ocsp.startssl.com00
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000003043000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4458123019.0000000005D50000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457678916.00000000058F0000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457090880.0000000005660000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.000000000409D000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000004122000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457113369.00000000056C7000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://ocsp.startssl.com07
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000003043000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4458123019.0000000005D50000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457678916.00000000058F0000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457090880.0000000005660000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.000000000409D000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000004122000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.thawte.com0
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/Orcus.Shared.Commands.EventLog
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/Orcus.Shared.Commands.EventLogd
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/Orcus.Shared.Commands.Registry
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/Orcus.Shared.Commands.Registryd
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000003043000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault$
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000003043000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/$
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/(_
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IServicePipe/
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IServicePipe/CreateSubKeyLR
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IServicePipe/CreateSubKeyResponse
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IServicePipe/CreateValueLR
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IServicePipe/CreateValueResponse
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IServicePipe/DeleteFileLR
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IServicePipe/DeleteFileResponse
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IServicePipe/DeleteSubKeyLR
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IServicePipe/DeleteSubKeyResponse
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IServicePipe/DeleteValueLR
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IServicePipe/DeleteValueResponse
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IServicePipe/GetPathLR
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IServicePipe/GetPathResponse
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IServicePipe/GetRegistrySubKeysLR
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IServicePipe/GetRegistrySubKeysResponse
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IServicePipe/GetRegistryValuesLR
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IServicePipe/GetRegistryValuesResponse
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IServicePipe/GetSecurityEventLogLR
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IServicePipe/GetSecurityEventLogResponse
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IServicePipe/IsAliveLR
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IServicePipe/IsAliveResponse
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IServicePipe/StartProcessLR
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IServicePipe/StartProcessResponse
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IServicePipe/WriteFileLR
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/IServicePipe/WriteFileResponse
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000003043000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4458123019.0000000005D50000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457678916.00000000058F0000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457090880.0000000005660000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.000000000409D000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000004122000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000003043000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4458123019.0000000005D50000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457678916.00000000058F0000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457090880.0000000005660000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.000000000409D000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000004122000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000003043000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4458123019.0000000005D50000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457678916.00000000058F0000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457090880.0000000005660000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.000000000409D000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000004122000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com07
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000003043000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4458123019.0000000005D50000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457678916.00000000058F0000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457090880.0000000005660000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.000000000409D000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000004122000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457113369.00000000056C7000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://www.startssl.com/0P
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000003043000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4458123019.0000000005D50000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457678916.00000000058F0000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457090880.0000000005660000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.000000000409D000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000004122000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457113369.00000000056C7000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://www.startssl.com/policy0
            Source: 6Oq2eXtHmE.exeString found in binary or memory: https://api.ipify.org/I(.

            System Summary

            barindex
            Malicious sample detected (through community Yara rule)
            Source: 6Oq2eXtHmE.exe, type: SAMPLEMatched rule: Detects BackNet samples Author: Florian Roth
            Source: 6Oq2eXtHmE.exe, type: SAMPLEMatched rule: RAT_Orcus Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
            Source: 6Oq2eXtHmE.exe, type: SAMPLEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
            Source: 0.0.6Oq2eXtHmE.exe.ac0000.0.unpack, type: UNPACKEDPEMatched rule: Detects BackNet samples Author: Florian Roth
            Source: 0.0.6Oq2eXtHmE.exe.ac0000.0.unpack, type: UNPACKEDPEMatched rule: RAT_Orcus Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
            Source: 0.0.6Oq2eXtHmE.exe.ac0000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
            Source: 00000000.00000000.2005103261.0000000000AC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: RAT_Orcus Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
            Source: Process Memory Space: 6Oq2eXtHmE.exe PID: 6588, type: MEMORYSTRMatched rule: RAT_Orcus Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
            Yara detected Orcus RAT
            Source: Yara matchFile source: 6Oq2eXtHmE.exe, type: SAMPLE
            Source: Yara matchFile source: 0.0.6Oq2eXtHmE.exe.ac0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000000.2005103261.0000000000AC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: 6Oq2eXtHmE.exe PID: 6588, type: MEMORYSTR
            .NET source code contains very large strings
            Source: 6Oq2eXtHmE.exe, SettingsData.csLong String: Length: 13976
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeCode function: 0_2_015380E00_2_015380E0
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeCode function: 0_2_069100400_2_06910040
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeCode function: 0_2_0691DC180_2_0691DC18
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeCode function: 0_2_069109100_2_06910910
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeCode function: 0_2_0691CED80_2_0691CED8
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002F81000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameOrcus.Plugins.dll< vs 6Oq2eXtHmE.exe
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000031EF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameOrcus.Shared.Utilities.dllN vs 6Oq2eXtHmE.exe
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000031EF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameOrcus.StaticCommands.dllJ vs 6Oq2eXtHmE.exe
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000031EF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamestarksoft.aspen.dllP vs 6Oq2eXtHmE.exe
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032AA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamestarksoft.aspen.dllP vs 6Oq2eXtHmE.exe
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000003043000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameOrcus.Shared.Utilities.dllN vs 6Oq2eXtHmE.exe
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002FA4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameOrcus.Plugins.dll< vs 6Oq2eXtHmE.exe
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002FA4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameOrcus.Shared.dllB vs 6Oq2eXtHmE.exe
            Source: 6Oq2eXtHmE.exe, 00000000.00000000.2005181360.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameOrcus.exe" vs 6Oq2eXtHmE.exe
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4458123019.0000000005D50000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameOrcus.StaticCommands.dllJ vs 6Oq2eXtHmE.exe
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455142507.0000000000F35000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs 6Oq2eXtHmE.exe
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4457678916.00000000058F0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameOrcus.Shared.Utilities.dllN vs 6Oq2eXtHmE.exe
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000003F81000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameOrcus.Shared.dllB vs 6Oq2eXtHmE.exe
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.000000000327E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamestarksoft.aspen.dllP vs 6Oq2eXtHmE.exe
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4457090880.0000000005660000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameOrcus.Plugins.dll< vs 6Oq2eXtHmE.exe
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4458196437.0000000005DC0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamestarksoft.aspen.dllP vs 6Oq2eXtHmE.exe
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4457113369.0000000005670000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameOrcus.Shared.dllB vs 6Oq2eXtHmE.exe
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.000000000409D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameOrcus.Shared.dllB vs 6Oq2eXtHmE.exe
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.000000000409D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameOrcus.StaticCommands.dllJ vs 6Oq2eXtHmE.exe
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.000000000329C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamestarksoft.aspen.dllP vs 6Oq2eXtHmE.exe
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000004122000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameOrcus.StaticCommands.dllJ vs 6Oq2eXtHmE.exe
            Source: 6Oq2eXtHmE.exeBinary or memory string: OriginalFilenameOrcus.exe" vs 6Oq2eXtHmE.exe
            Source: 6Oq2eXtHmE.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 6Oq2eXtHmE.exe, type: SAMPLEMatched rule: MAL_BackNet_Nov18_1 date = 2018-11-02, hash1 = 4ce82644eaa1a00cdb6e2f363743553f2e4bd1eddb8bc84e45eda7c0699d9adc, author = Florian Roth, description = Detects BackNet samples, reference = https://github.com/valsov/BackNet
            Source: 6Oq2eXtHmE.exe, type: SAMPLEMatched rule: RAT_Orcus date = 2017/01, filetype = memory, author = J from THL <j@techhelplist.com> with thx to MalwareHunterTeam, version = RAT, reference = https://virustotal.com/en/file/0ef747363828342c184303f2d6fbead054200e9c223e5cfc4777cda03006e317/analysis/
            Source: 6Oq2eXtHmE.exe, type: SAMPLEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
            Source: 0.0.6Oq2eXtHmE.exe.ac0000.0.unpack, type: UNPACKEDPEMatched rule: MAL_BackNet_Nov18_1 date = 2018-11-02, hash1 = 4ce82644eaa1a00cdb6e2f363743553f2e4bd1eddb8bc84e45eda7c0699d9adc, author = Florian Roth, description = Detects BackNet samples, reference = https://github.com/valsov/BackNet
            Source: 0.0.6Oq2eXtHmE.exe.ac0000.0.unpack, type: UNPACKEDPEMatched rule: RAT_Orcus date = 2017/01, filetype = memory, author = J from THL <j@techhelplist.com> with thx to MalwareHunterTeam, version = RAT, reference = https://virustotal.com/en/file/0ef747363828342c184303f2d6fbead054200e9c223e5cfc4777cda03006e317/analysis/
            Source: 0.0.6Oq2eXtHmE.exe.ac0000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
            Source: 00000000.00000000.2005103261.0000000000AC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: RAT_Orcus date = 2017/01, filetype = memory, author = J from THL <j@techhelplist.com> with thx to MalwareHunterTeam, version = RAT, reference = https://virustotal.com/en/file/0ef747363828342c184303f2d6fbead054200e9c223e5cfc4777cda03006e317/analysis/
            Source: Process Memory Space: 6Oq2eXtHmE.exe PID: 6588, type: MEMORYSTRMatched rule: RAT_Orcus date = 2017/01, filetype = memory, author = J from THL <j@techhelplist.com> with thx to MalwareHunterTeam, version = RAT, reference = https://virustotal.com/en/file/0ef747363828342c184303f2d6fbead054200e9c223e5cfc4777cda03006e317/analysis/
            Source: 6Oq2eXtHmE.exe, RespawnTask.csTask registration methods: 'RegisterRespawnTask'
            Source: 0.2.6Oq2eXtHmE.exe.3203530.2.raw.unpack, CursorStreamCodec.csTask registration methods: 'CreateModifierTask'
            Source: 0.2.6Oq2eXtHmE.exe.58f0000.18.raw.unpack, CursorStreamCodec.csTask registration methods: 'CreateModifierTask'
            Source: 6Oq2eXtHmE.exe, SettingsData.csBase64 encoded string: 'JJBa9F96aPxNFaRLnkuYMzz30CRoRscvAW8hJMqnd8KVspJ/Zn1yJGvg4PW7X5E41f7bJI1fV5r5tplv4yOTagXmWdjTI4Ld7KzihU+730Ech68wUwEeFvhmE0fJrZQ9bgWVUZOHbb9XM2rLatXruVPHlGRXtnGuZGfkGNXoszk6Suw0c/9Z6IoTNDHHeQbjxifXWo2J1SYmdOcmpJ2caY3Ik/rBmlHRAj+dGiKSnTdfgmk52tIvjUr0ZHsnAMLyaysXh+gdMOFLeQrG9vqz7dN2aJhm4UDLAIBYBfzOE1VtU2lO4SwnXeeGPdbISM068Ue1FOYckIp2OeXvvZUedJili6xfQbf6BZf+IF6EgDo+aoqsKfCA6jCAXLM2ybWItd/+GKkHIHwLXr0A6wb3hnUMN8opfw28TbOZuVIi6uwF3Gv1G/U7mS5TxFr61aFvL78i8qsilE/IpvA4WuDevmN9CsPhZj9IMsXUlB6wKQD8WWMPxl/REWK7Eg62i1HL4Jw5p43L8b3ZqObqPD5Nry5hkqyvJ9mn1+0iCiG8lj+ntfQYsMR5A8O+ven9Nkeo0OXLOsj82vscx3ufAarb6D3tjNpFvs2FOGJDwxEZpsyzGMf99v6u90kQUqOW+T/neDIVM4pJTp4/cAW4ZSCX5QHXb5AepInO5ALBzzeR5NOzxVGt45yD9SHklwO2KQGswSZ03RZMgnqXChG+IDiSAyeZObtCmM5hBN1HVAiLniKVPvWCyoKSJfIcY0Zyr8n+gMdu2o0yHk/nnYNx/pTd8d/SEr/CpXZfQPH1em6o4Eatk8W42/5K5LNr4iGvU0N2KU6DcYHWWgvyQchI3ymqM22W7IE3QIHhHCpZLWdS8mD0Z7g1ZsPN+m+11LaPC7WagEGGgM+xAeKKkmwAjaz3MU5bKjBMFLtYkqOyxRETt6rriQSYCeFdnVAriYj9biDheiKZ3vr3794eToe/VWkGMvAY2SqOIu9G8Ff+RkuU/y/TOBeM6ZEKHKcEW7PvWgMFNOkvHxHuJAmNVlQMW5gbtbrAyLq7CYyL+mk0uDzisTRT1VKfhexPckCwWt6n9F6Dt7W77Fzl8lk2ecGaFuTFsNmvyUJTG2JNTFsvTCM0IH/76SWAxyK0i5nf0HFFIDTHKpJFfqD+PBu5W7V3nWKbBOl7+Kc88gWFRKtsTinBe0MoMXpm9zbJxrn2qhv3tiG+fdA9gXvnK73hwH0A7EIjuWuw1PfyeXB4BYkwhNmsxOwyVLAC3txxAP4vvn7XxXdxirD6JdfRPHbZRA3pvaInwdcjQxChhVmwl4wg+KFXxmeASGSTlFojfX+XoPN132EVaagsynkTg4TRaqHnKBSyx1xvOIS5jCq4fv5KPzHa2qdkYlGI5hyfV605y3g2eC1ysul2e4Gk/Kefk/YKzz1O8ubkDj6sZDw6eTKUw4f2/nR/nk8AjpRNSdjlAadktXP/N+57BL2e6CfoHsUYzwB+xtKcMD5zGo70HeefknO8/RMYTGxyhnWjraFpEDKBmes83fK9YxtWd5vE1B+woAg3mnVcGKu8UnyP8/nMotwS0JfYfQRGfZ3Gmv+M5SLy7JQzvHtMkXkHDFKLxJOjAZKmkOe+D+tNo4mYj2ZYPztzsWp0apjEHwUqHQ2CZuYWeJg6lE1ho7yJWjcF22E43wEUDmzVvYvXqzmp8AobuSgBHd1YEJ1Jop/PkftotmFpFo6E0elm44AM6O3lASDdDjlxY1LXsMDtEqYNOkKUfNhSdCzzfOmywh00nPFMRpVSnUNJob1VUz4WUvK56IVpfUtJYZg+Jsa7Z1eQRyVo5F3vmkyoYnNifsRgZWjVWTBgPkl2/5Umf7AG/0uahcZmtIQuZUcAS+yTBhA+f1NFJfzBFnuJ11JB53akgIZnVbgNVHBXrcFXjWzsebflxA66nxG6UIoVt6Af25cM3B9O05fRExrHKN95p0VjQmTw/7jUnj/0oK1tzZELGhssx71Z9iAxO3iSrBajtU+R4TAWkEnF9M0KKk5fLgBKwS6eSIm0hL4TJuV4lk43pYyc77JtZsMGIe/IyZFBzEU9PgFFIEIatAl1Y+Rh6XhIA3oB043thVMcow2hnie41gDuYY7iKCj10ljp3aAC96wTzmpq+r6r0TjshbB+touh4aceYi8gheoeV9yoDo37dFMVdCm/VGv229foxfW4JymGaAvueupE8hhw0doSe5NDudwgFolbs6hybmHg0BK3tMPXSffRpgfpr5185MBxTbl528vxaf89rPyxEeA2Wuhggr43nc2KViaMLRhW04MWFPIp7gJRG2MoeAYYOEGPJ+wInFs/HLKgC/c1IzBw1mASxdL8kgFwbPrcb2JCxuOrpDYgZOCYvBGRe7oAo6Saabxj3tSJyYzuAMhabNeS+WaVvscyhxZQBp+y/nOWpemNUVVERaVbZaF14GkQClYS3LYjw8AoQcET3HqgVTIBHAwdVovnEkFPtrhXSaOJEzV1ZPi4S/dMsfXzIHRlic35Z2bVCxLQowQRYWyM1UxzFB2tKQfO8DJXye2DaxGmWMbVrW/HwpjEAK4vg2OhP+N8XD4xFeMO0Jq74jNn+d0t1PeGVCBUlmpvTl6xum6oH/YPjiPOxjiBJd4flagndBSjkakN2jmeGyPnbzE132QDLHoJw/0+PAk+o0SmthmWux/Zd44dK6PDWo4yFSDU2+M35eQBx4yzARuSWvmNpbOjkfy+Jjt977IKYVokwMny3CvJOWxz6C7U2Ykuqd8TkTv1SneFo2dv9LQJBbmF02KG4ktCn8c3gMHdXyqoTKbIaUwKezaBS/nHQVxy1S6oiMGyJgeZ0zBuKVsNc5L39xIgP6DOg1NVAxlrV3LexGCnOpB4Kq5JRURgRrMW0VRmPLrTE8D7rd7zCL+3diKfEtofYicvbPTUDjJr92/rkSTQZ+XSr1yYY8u1PMsNjvQWZm4YvTd7WUnzIwj3Pj9BLPJIHeChW1J
            Source: 0.2.6Oq2eXtHmE.exe.3ffd5b0.11.raw.unpack, KeyDatabase.csBase64 encoded string: 'LLRoXV86AlBeBo3gr4j5ksNz+rUdyxTAXD7SqpWJBBkxzSUyDEiVA+O9eBOsRNGM', 'OKwgx+ENIbgtqRVdHAQDNzVAljJosuOsQvegxi9iaRp8fU2QMtC33rhaMK+0L+ie', 'gx7soik3QiZs2ND2XzdSE75IEDI3Y20JdsJgP6hZpb9H41GxM/QlnbjCKXlj5K8P', 'uuesSDgbaTSX5NoGigaHLi/gX5RCdz9spyy0H8i6QxA20VrDqnlslUpGgdejo9sy', 'Uz7Q/c4M0rYzv5dXs8JL1z8vWgB1ZUqJm6fm5+wiveEOlA0/ScCnhhio22vyEs7G', 'OGKNd3DCifhKxKHVlfNnsriucooii76f7LVzTFbES8PKlDC0IlmtpjTlZAcmnPPj', 'X0CqsAN8xg8RLjduBT4HCyNGUhRlKEajE68/lRhcQLMyQi9KO93AmyZiDmge58hD', 'KzxkwLJWqc3A5NLwo/kqQyGjOHcNEtx1UfT/uLHBuAA59oAEuOBwJF1c+OkbBjwG', 'SvAd86CrtADibJP4DQi0J/VoqtdGTL1yNDhVoSMH+tIZi6OLgd+x7QXNQuz8erFO', 'XInNAzTkeNpo24AaPlUlT+Yz9NuB/kt1x031WByMVo+d9ftF9wS7WWBwIpH2+mxz', 'Qr/7AtbODKwRvK1+Zl4qJNVNplORdKbLvldxC8vDjbUcjK86qxHPaIokWi9HosYb', 'HRcYJIwZghvv/DHAHRj81a5v0kSmAoSZ+NB1q63ICxH57QAryYkmYvYw2F5oVzaz', 'v7mj41wpeahjU+PxfULc5x6EKMqktqzLg0Vj37hXr/MV/nPnu+dlru6ErMoF3o/J', 'wIx+ssCbqA6eFjol20RLaSA2HKHvBjTJic5dLMQBPdfjE5c646aV4gVtXpbdoFCx', 'uEIWQfHpHaUjgniOrw9ATEaDCCpvRR6uSCDZPN00dwHLWb+9pZJSkLkBUAiY5y4Q', 'Y5ytkJax0ay/eI3J6J/U4SbJ7cZmvZ0bffpcQjW+rwLOGpq4AtuBRZV7M3aBYE7F', 'XD1MIMwBM17D+Tmmi9LZ+DEhg2kZpxY1SmTyqv90lM+qgF+U5q5JXh05kqO8V170', 'JQafwmk8QA9GqijIahqYL/ISzOhmcUYXiNxQ80Pv6DI/cgq8Qd0E8BlZwd7X4f4C', 'pDRUjkDFFnKMacyoXf7IGPlDfOAYSGyjyOLWzK7Nmu3Id3TGR99dEQyC3g0b1Q0U', 'KacKd1h5i1mmRhJ5AlfVDXZMX77XCvO8AecWrLg9rZflhwBuLNeS7yxeygPaTMgl', 'UnNFCa+15bwu9haUERlOlwxpDI7DGKxz0vNDda3C6hf7n0muX/2YIDdOQqf8hfO2', 'KKppwnlOWmznL/8v6Fy1zVmdtGOw1hKaKtaOcgg1u9Ig8c6N4hhLMgYcGQqYrUJN', 'TnnQJTTI6Mcmi1/X3swqam0XaXWgTTvnkOShXaOcEztHPaB8f9z3T7cZPPEkBiyD', 'SAAuLX3l/wZJ1J3V0mFWqhzDVtMA2BhL8dZ4tV3ojemJdKFZUYbEJCBG8whhCYee', 'LjLuGByUVKa6V4KrQoDlHHpAHaqYI5P35/BcR4Z7kDClpGsL0dYG7E9meDfWnRju', 'hSXzzzybSgOYwDbkh0tbGHUB5fKieNOoULCZsPfPZ1EkMf3wmXzF2XPUPDdN5FVE', 'G5LGae6g7sOouwyMyendq4hFGTe9m94Riu8msKLXxUPHXeUb5BIH1ULNfn9d3ZGz', 'sHHZnz5a+F35s0VENqJXHtlEDvHubuN36y+3NOeiaXvZ7pgC8Y84Aw2wF5n0bbt8', 'swx0nHzDyVuHHezsYZW/+rS9z9IKBnVvUIOIdaH/buVZ+quH7D/vqj7MN9Oj6D4J', '/DEeR4iP4I2G2hA9DQCekUGFbswgwn0ra9eMmFwsfQOi48wYXrhl78yieJQRuwdw', 'GW+pdpbEzDWJ6kgB+lig+R1i5HSDZYaoFLITlPVvZHsi9QyU32rEdM6OFDJvq2Vk', 'VJJ4za8d9HFKohFmSpvhdiSb44JNd5GAnTsyFX2jT+J3couTiGBfDEYiVT1jtOEn', 'WD88YgwKQ7UXIbWksOUPn5b5X+X/K+7p8jJFq4Exd5pqRo1/1dcOOUo6BXyYG6Z8', 'wl0yMQGTnLTmIcVs4TkWLVTM7YgpbwecQt3KcxN1sIuJv8eZnlbvb0n51dsXpvdn', 'hPm4vV7aw7i1Ss7hRMfs8WLRGxK8OAaAn/B1wXEEc2VqvVs+BFf6A9YGGNCK8Dxg', 'Gt3emW4XxKDllLyO7RhB2toJlr5kmtVsx1hxZ7fH11o6OhuAJvwsh/KXEzKGZPBQ', 'hTv/t6X3gx6UAxgi4wRuHp9PIZXYFIClnIz2hQYePtA9aL2HX9GTpU32Yi8RDg1x', 'pVV0CEPKllCk03vZKSfB0v2Taee5xNRkG/aHQ1wnXMEpof9qrRFEYbiBAZgXTwIO', 'ypaZWoqA/XRWYHsn1+7cJuY5YYt0cRBBWiKEg5KzhsnSZ7DAkAtLBsFBhyvH44md', 'rsu+ut+M6pTxLOeN7WwAWoNDzk65Yg0D7p1sPZvqMbFTWY5JPAh7MHoGQZkzifyh', 'XDZe0kBvd0EiI69cJlPNsKholDNzrFurqlV/mJujo4EdKRmHkdGR6F4i30fRpZjU', 'VKr2j3gn2d+CobbgXvtCKl4UdcNPBl1lePlYYoGZhYCI97i+e7oc6UoHEARAEMY1', 'puCUoUYp24GLuB8TKygEAToyvRqQL9IaHPutAEDPbF0OsniEl+TCdJh2H1nz89Rf', '/su7PIEOzM1ch1yvca4Sl3vMMfquA9RIMrIRv3I2gw7+llVbcy/xU5iiTbhGjlh8', 'PetZ5Lw
            Source: 0.2.6Oq2eXtHmE.exe.409d5d0.10.raw.unpack, KeyDatabase.csBase64 encoded string: 'LLRoXV86AlBeBo3gr4j5ksNz+rUdyxTAXD7SqpWJBBkxzSUyDEiVA+O9eBOsRNGM', 'OKwgx+ENIbgtqRVdHAQDNzVAljJosuOsQvegxi9iaRp8fU2QMtC33rhaMK+0L+ie', 'gx7soik3QiZs2ND2XzdSE75IEDI3Y20JdsJgP6hZpb9H41GxM/QlnbjCKXlj5K8P', 'uuesSDgbaTSX5NoGigaHLi/gX5RCdz9spyy0H8i6QxA20VrDqnlslUpGgdejo9sy', 'Uz7Q/c4M0rYzv5dXs8JL1z8vWgB1ZUqJm6fm5+wiveEOlA0/ScCnhhio22vyEs7G', 'OGKNd3DCifhKxKHVlfNnsriucooii76f7LVzTFbES8PKlDC0IlmtpjTlZAcmnPPj', 'X0CqsAN8xg8RLjduBT4HCyNGUhRlKEajE68/lRhcQLMyQi9KO93AmyZiDmge58hD', 'KzxkwLJWqc3A5NLwo/kqQyGjOHcNEtx1UfT/uLHBuAA59oAEuOBwJF1c+OkbBjwG', 'SvAd86CrtADibJP4DQi0J/VoqtdGTL1yNDhVoSMH+tIZi6OLgd+x7QXNQuz8erFO', 'XInNAzTkeNpo24AaPlUlT+Yz9NuB/kt1x031WByMVo+d9ftF9wS7WWBwIpH2+mxz', 'Qr/7AtbODKwRvK1+Zl4qJNVNplORdKbLvldxC8vDjbUcjK86qxHPaIokWi9HosYb', 'HRcYJIwZghvv/DHAHRj81a5v0kSmAoSZ+NB1q63ICxH57QAryYkmYvYw2F5oVzaz', 'v7mj41wpeahjU+PxfULc5x6EKMqktqzLg0Vj37hXr/MV/nPnu+dlru6ErMoF3o/J', 'wIx+ssCbqA6eFjol20RLaSA2HKHvBjTJic5dLMQBPdfjE5c646aV4gVtXpbdoFCx', 'uEIWQfHpHaUjgniOrw9ATEaDCCpvRR6uSCDZPN00dwHLWb+9pZJSkLkBUAiY5y4Q', 'Y5ytkJax0ay/eI3J6J/U4SbJ7cZmvZ0bffpcQjW+rwLOGpq4AtuBRZV7M3aBYE7F', 'XD1MIMwBM17D+Tmmi9LZ+DEhg2kZpxY1SmTyqv90lM+qgF+U5q5JXh05kqO8V170', 'JQafwmk8QA9GqijIahqYL/ISzOhmcUYXiNxQ80Pv6DI/cgq8Qd0E8BlZwd7X4f4C', 'pDRUjkDFFnKMacyoXf7IGPlDfOAYSGyjyOLWzK7Nmu3Id3TGR99dEQyC3g0b1Q0U', 'KacKd1h5i1mmRhJ5AlfVDXZMX77XCvO8AecWrLg9rZflhwBuLNeS7yxeygPaTMgl', 'UnNFCa+15bwu9haUERlOlwxpDI7DGKxz0vNDda3C6hf7n0muX/2YIDdOQqf8hfO2', 'KKppwnlOWmznL/8v6Fy1zVmdtGOw1hKaKtaOcgg1u9Ig8c6N4hhLMgYcGQqYrUJN', 'TnnQJTTI6Mcmi1/X3swqam0XaXWgTTvnkOShXaOcEztHPaB8f9z3T7cZPPEkBiyD', 'SAAuLX3l/wZJ1J3V0mFWqhzDVtMA2BhL8dZ4tV3ojemJdKFZUYbEJCBG8whhCYee', 'LjLuGByUVKa6V4KrQoDlHHpAHaqYI5P35/BcR4Z7kDClpGsL0dYG7E9meDfWnRju', 'hSXzzzybSgOYwDbkh0tbGHUB5fKieNOoULCZsPfPZ1EkMf3wmXzF2XPUPDdN5FVE', 'G5LGae6g7sOouwyMyendq4hFGTe9m94Riu8msKLXxUPHXeUb5BIH1ULNfn9d3ZGz', 'sHHZnz5a+F35s0VENqJXHtlEDvHubuN36y+3NOeiaXvZ7pgC8Y84Aw2wF5n0bbt8', 'swx0nHzDyVuHHezsYZW/+rS9z9IKBnVvUIOIdaH/buVZ+quH7D/vqj7MN9Oj6D4J', '/DEeR4iP4I2G2hA9DQCekUGFbswgwn0ra9eMmFwsfQOi48wYXrhl78yieJQRuwdw', 'GW+pdpbEzDWJ6kgB+lig+R1i5HSDZYaoFLITlPVvZHsi9QyU32rEdM6OFDJvq2Vk', 'VJJ4za8d9HFKohFmSpvhdiSb44JNd5GAnTsyFX2jT+J3couTiGBfDEYiVT1jtOEn', 'WD88YgwKQ7UXIbWksOUPn5b5X+X/K+7p8jJFq4Exd5pqRo1/1dcOOUo6BXyYG6Z8', 'wl0yMQGTnLTmIcVs4TkWLVTM7YgpbwecQt3KcxN1sIuJv8eZnlbvb0n51dsXpvdn', 'hPm4vV7aw7i1Ss7hRMfs8WLRGxK8OAaAn/B1wXEEc2VqvVs+BFf6A9YGGNCK8Dxg', 'Gt3emW4XxKDllLyO7RhB2toJlr5kmtVsx1hxZ7fH11o6OhuAJvwsh/KXEzKGZPBQ', 'hTv/t6X3gx6UAxgi4wRuHp9PIZXYFIClnIz2hQYePtA9aL2HX9GTpU32Yi8RDg1x', 'pVV0CEPKllCk03vZKSfB0v2Taee5xNRkG/aHQ1wnXMEpof9qrRFEYbiBAZgXTwIO', 'ypaZWoqA/XRWYHsn1+7cJuY5YYt0cRBBWiKEg5KzhsnSZ7DAkAtLBsFBhyvH44md', 'rsu+ut+M6pTxLOeN7WwAWoNDzk65Yg0D7p1sPZvqMbFTWY5JPAh7MHoGQZkzifyh', 'XDZe0kBvd0EiI69cJlPNsKholDNzrFurqlV/mJujo4EdKRmHkdGR6F4i30fRpZjU', 'VKr2j3gn2d+CobbgXvtCKl4UdcNPBl1lePlYYoGZhYCI97i+e7oc6UoHEARAEMY1', 'puCUoUYp24GLuB8TKygEAToyvRqQL9IaHPutAEDPbF0OsniEl+TCdJh2H1nz89Rf', '/su7PIEOzM1ch1yvca4Sl3vMMfquA9RIMrIRv3I2gw7+llVbcy/xU5iiTbhGjlh8', 'PetZ5Lw
            Source: classification engineClassification label: mal100.troj.evad.winEXE@1/2@0/1
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeMutant created: NULL
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeMutant created: \Sessions\1\BaseNamedObjects\d9a00bf22a4a417e82bc8c3d42094449
            Source: 6Oq2eXtHmE.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 6Oq2eXtHmE.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * FROM WIN32_Processor
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: 6Oq2eXtHmE.exeReversingLabs: Detection: 86%
            Source: 6Oq2eXtHmE.exeString found in binary or memory: $this.Icon-InstallationPromptForm
            Source: 6Oq2eXtHmE.exeString found in binary or memory: --install
            Source: 6Oq2eXtHmE.exeString found in binary or memory: /keepAlive?/launchSelfAndExit "{0}" {1}{2}
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeSection loaded: cryptnet.dllJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeSection loaded: webio.dllJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeSection loaded: cabinet.dllJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: 6Oq2eXtHmE.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: 6Oq2eXtHmE.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: D:\Dokumente\GitHub\starksoft-aspen\Starksoft.Aspen\obj\Release\starksoft.aspen.pdb source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032AA000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.000000000327E000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4458196437.0000000005DC0000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.000000000329C000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: E:\Dokumente\Visual Studio 2015\Projects\Orcus\Source\Orcus.StaticCommands\obj\Release\Orcus.StaticCommands.pdb source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4458123019.0000000005D50000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.000000000409D000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000004122000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: E:\Dokumente\Visual Studio 2015\Projects\Orcus\Source\Orcus.Shared.Utilities\obj\Release\Orcus.Shared.Utilities.pdb source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000003043000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457678916.00000000058F0000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: D:\Dokumente\GitHub\starksoft-aspen\Starksoft.Aspen\obj\Release\starksoft.aspen.pdbL source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032AA000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.000000000327E000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4458196437.0000000005DC0000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.000000000329C000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: E:\Dokumente\Visual Studio 2015\Projects\Orcus\Source\Orcus.Plugins\obj\Release\Orcus.Plugins.pdb source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457090880.0000000005660000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: System.ServiceModel.pdb source: 6Oq2eXtHmE.exe, 00000000.00000002.4457835711.0000000005A0C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: E:\Dokumente\Visual Studio 2015\Projects\Orcus\Source\Orcus.Shared\obj\Release\Orcus.Shared.pdb source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457113369.0000000005670000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.000000000409D000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: 6Oq2eXtHmE.exe, 00000000.00000002.4458457255.0000000006AF2000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: E:\Dokumente\Visual Studio 2015\Projects\Orcus\Source\Orcus.Shared\obj\Release\Orcus.Shared.pdbDr source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457113369.0000000005670000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.000000000409D000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: E:\Dokumente\Visual Studio 2015\Projects\Orcus\Source\Orcus.Plugins\obj\Release\Orcus.Plugins.pdbD source: 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457090880.0000000005660000.00000004.08000000.00040000.00000000.sdmp

            Data Obfuscation

            barindex
            Yara detected Costura Assembly Loader
            Source: Yara matchFile source: Process Memory Space: 6Oq2eXtHmE.exe PID: 6588, type: MEMORYSTR
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeCode function: 0_2_06919500 push esp; ret 0_2_06919501
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeCode function: 0_2_0691A292 push eax; retf 0_2_0691A299
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeCode function: 0_2_0691C360 push es; ret 0_2_0691C370
            Source: 6Oq2eXtHmE.exeStatic PE information: section name: .text entropy: 7.149137498574232
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeMemory allocated: 1530000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeMemory allocated: 2F80000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeMemory allocated: 4F80000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 300000Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 299875Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 299765Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 299656Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 299546Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 299437Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 299328Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 299219Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 299094Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 298984Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 298875Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 298765Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 298656Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 298547Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 298437Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 298328Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 298219Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 298109Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 297999Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 297879Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 297754Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 297640Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 297490Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 297372Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 297265Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 297156Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 297047Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 296922Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 296812Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 296703Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 296594Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 296469Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 296359Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 296250Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 296140Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 296031Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 295921Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 295811Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 295701Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 295593Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 295484Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 295375Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 295265Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 295127Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 294963Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 294804Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 294700Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 294593Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 294484Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeWindow / User API: threadDelayed 2877Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeWindow / User API: threadDelayed 6971Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 2604Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 5764Thread sleep time: -30000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 1196Thread sleep count: 2877 > 30Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 1196Thread sleep count: 6971 > 30Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep count: 38 > 30Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -35048813740048126s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -300000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -299875s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -299765s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -299656s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -299546s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -299437s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -299328s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -299219s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -299094s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -298984s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -298875s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -298765s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -298656s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -298547s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -298437s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -298328s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -298219s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -298109s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -297999s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -297879s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -297754s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -297640s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -297490s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -297372s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -297265s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -297156s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -297047s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -296922s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -296812s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -296703s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -296594s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -296469s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -296359s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -296250s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -296140s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -296031s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -295921s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -295811s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -295701s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -295593s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -295484s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -295375s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -295265s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -295127s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -294963s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -294804s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -294700s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -294593s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 4292Thread sleep time: -294484s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exe TID: 2604Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * FROM WIN32_Processor
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 300000Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 299875Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 299765Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 299656Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 299546Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 299437Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 299328Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 299219Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 299094Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 298984Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 298875Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 298765Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 298656Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 298547Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 298437Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 298328Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 298219Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 298109Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 297999Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 297879Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 297754Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 297640Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 297490Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 297372Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 297265Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 297156Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 297047Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 296922Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 296812Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 296703Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 296594Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 296469Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 296359Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 296250Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 296140Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 296031Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 295921Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 295811Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 295701Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 295593Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 295484Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 295375Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 295265Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 295127Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 294963Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 294804Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 294700Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 294593Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 294484Jump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: 6Oq2eXtHmE.exe, 00000000.00000002.4458457255.0000000006AF2000.00000004.00000020.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457835711.0000000005A0C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion

            barindex
            .NET source code references suspicious native API functions
            Source: 6Oq2eXtHmE.exe, ServerConnection.csReference to suspicious API methods: LibraryLoader.Current.LoadLibrary(item.Library, _sslStream, item.Length)
            Source: 6Oq2eXtHmE.exe, HiddenDesktopApplicationManager.csReference to suspicious API methods: NativeMethods.MapVirtualKey((uint)scanCode, MapVirtualKeyMapTypes.MAPVK_VSC_TO_VK)
            Source: 6Oq2eXtHmE.exe, ProcessExtension.csReference to suspicious API methods: NativeMethods.OpenProcessToken(pToken, desiredAccess, ref TokenHandle)
            Source: 6Oq2eXtHmE.exeBinary or memory string: Shell_TrayWnd
            Source: 6Oq2eXtHmE.exeBinary or memory string: ProgMan
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeQueries volume information: C:\Users\user\Desktop\6Oq2eXtHmE.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\6Oq2eXtHmE.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Lowering of HIPS / PFW / Operating System Security Settings

            barindex
            Contains functionality to disable the Task Manager (.Net Source)
            Source: 6Oq2eXtHmE.exe, WindowsModules.cs.Net Code: SetTaskManager

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity InformationAcquire InfrastructureValid Accounts11
            Windows Management Instrumentation            		1
            Scheduled Task/Job            		1
            Process Injection            		11
            Disable or Modify Tools            		OS Credential Dumping1
            Query Registry            		Remote Services1
            Archive Collected Data            		1
            Encrypted Channel            		Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault Accounts2
            Command and Scripting Interpreter            		1
            DLL Side-Loading            		1
            Scheduled Task/Job            		41
            Virtualization/Sandbox Evasion            		LSASS Memory11
            Security Software Discovery            		Remote Desktop ProtocolData from Removable Media1
            Non-Standard Port            		Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain Accounts1
            Scheduled Task/Job            		Logon Script (Windows)1
            DLL Side-Loading            		1
            Process Injection            		Security Account Manager1
            Process Discovery            		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal Accounts1
            Native API            		Login HookLogin Hook21
            Obfuscated Files or Information            		NTDS41
            Virtualization/Sandbox Evasion            		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
            Software Packing            		LSA Secrets1
            Application Window Discovery            		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
            DLL Side-Loading            		Cached Domain Credentials13
            System Information Discovery            		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            6Oq2eXtHmE.exe87%ReversingLabsByteCode-MSIL.Trojan.Sorcurat
            6Oq2eXtHmE.exe100%AviraHEUR/AGEN.1309946
            6Oq2eXtHmE.exe100%Joe Sandbox ML

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            SourceDetectionScannerLabelLink
            http://schemas.xmlsoap.org/soap/envelope/0%URL Reputationsafe
            http://crl.thawte.com/ThawteTimestampingCA.crl00%URL Reputationsafe
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
            http://schemas.xmlsoap.org/soap/encoding/0%URL Reputationsafe
            http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous0%URL Reputationsafe
            http://schemas.datacontract.org/2004/07/0%URL Reputationsafe
            http://ocsp.thawte.com00%URL Reputationsafe
            http://schemas.xmlsoap.org/ws/2004/08/addressing0%URL Reputationsafe
            http://schemas.xmlsoap.org/wsdl/0%URL Reputationsafe
            http://schemas.xmlsoap.org/soap/actor/next0%URL Reputationsafe
            http://tempuri.org/0%Avira URL Cloudsafe
            http://tempuri.org/IServicePipe/GetPathResponse0%Avira URL Cloudsafe
            http://tempuri.org/IServicePipe/0%Avira URL Cloudsafe
            https://api.ipify.org/I(.0%Avira URL Cloudsafe
            http://schemas.datacontract.org0%Avira URL Cloudsafe
            http://crl.startssl.com/sfsca.crl0f0%Avira URL Cloudsafe
            http://crl.startssl.com/sca-code3.crl0#0%Avira URL Cloudsafe
            http://schemas.datacontract.org/2004/07/Orcus.Shared.Commands.EventLogd0%Avira URL Cloudsafe
            http://aia.startssl.com/certs/sca.code3.crt060%Avira URL Cloudsafe
            http://tempuri.org/IServicePipe/DeleteValueResponse0%Avira URL Cloudsafe
            http://schemas.datacontract.org/2004/07/Orcus.Shared.Commands.Registryd0%Avira URL Cloudsafe
            http://tempuri.org/IServicePipe/GetSecurityEventLogResponse0%Avira URL Cloudsafe
            http://tempuri.org/IServicePipe/CreateValueResponse0%Avira URL Cloudsafe
            http://tempuri.org/IServicePipe/GetRegistrySubKeysResponse0%Avira URL Cloudsafe
            http://tempuri.org/IServicePipe/WriteFileLR0%Avira URL Cloudsafe
            http://tempuri.org/IServicePipe/DeleteFileLR0%Avira URL Cloudsafe
            http://tempuri.org/IServicePipe/CreateSubKeyLR0%Avira URL Cloudsafe
            http://tempuri.org/IServicePipe/DeleteValueLR0%Avira URL Cloudsafe
            http://tempuri.org/IServicePipe/IsAliveResponse0%Avira URL Cloudsafe
            http://tempuri.org/IServicePipe/DeleteSubKeyResponse0%Avira URL Cloudsafe
            http://tempuri.org/$0%Avira URL Cloudsafe
            http://tempuri.org/IServicePipe/GetPathLR0%Avira URL Cloudsafe
            http://tempuri.org/IServicePipe/GetRegistryValuesLR0%Avira URL Cloudsafe
            http://schemas.datacontract.org/2004/07/Orcus.Shared.Commands.EventLog0%Avira URL Cloudsafe
            http://tempuri.org/IServicePipe/WriteFileResponse0%Avira URL Cloudsafe
            http://tempuri.org/IServicePipe/GetSecurityEventLogLR0%Avira URL Cloudsafe
            http://tempuri.org/IServicePipe/IsAliveLR0%Avira URL Cloudsafe
            http://ocsp.startssl.com070%Avira URL Cloudsafe
            http://tempuri.org/IServicePipe/CreateSubKeyResponse0%Avira URL Cloudsafe
            http://tempuri.org/IServicePipe/StartProcessResponse0%Avira URL Cloudsafe
            http://www.startssl.com/policy00%Avira URL Cloudsafe
            http://schemas.xmlsoap.org/ws/2004/08/addressing/fault$0%Avira URL Cloudsafe
            http://ocsp.startssl.com000%Avira URL Cloudsafe
            http://tempuri.org/IServicePipe/CreateValueLR0%Avira URL Cloudsafe
            http://schemas.datacontract.org/2004/07/Orcus.Shared.Commands.Registry0%Avira URL Cloudsafe
            http://aia.startssl.com/certs/ca.crt00%Avira URL Cloudsafe
            http://tempuri.org/IServicePipe/DeleteSubKeyLR0%Avira URL Cloudsafe
            http://www.startssl.com/0P0%Avira URL Cloudsafe
            http://tempuri.org/IServicePipe/GetRegistryValuesResponse0%Avira URL Cloudsafe
            http://tempuri.org/IServicePipe/StartProcessLR0%Avira URL Cloudsafe
            http://tempuri.org/(_0%Avira URL Cloudsafe
            http://tempuri.org/IServicePipe/DeleteFileResponse0%Avira URL Cloudsafe
            http://tempuri.org/IServicePipe/GetRegistrySubKeysLR0%Avira URL Cloudsafe

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            bg.microsoft.map.fastly.net
            		199.232.214.172
            		truefalse
              		unknown

              URLs from Memory and Binaries

              NameSourceMaliciousAntivirus DetectionReputation
              http://tempuri.org/IServicePipe/GetPathResponse6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://schemas.datacontract.org6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://schemas.datacontract.org/2004/07/Orcus.Shared.Commands.EventLogd6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://schemas.xmlsoap.org/soap/envelope/6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              https://api.ipify.org/I(.6Oq2eXtHmE.exefalse
              • Avira URL Cloud: safe
              		unknown
              http://tempuri.org/6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://tempuri.org/IServicePipe/6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://aia.startssl.com/certs/sca.code3.crt066Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000003043000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4458123019.0000000005D50000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457678916.00000000058F0000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457090880.0000000005660000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.000000000409D000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000004122000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457113369.00000000056C7000.00000004.08000000.00040000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://crl.startssl.com/sfsca.crl0f6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000003043000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4458123019.0000000005D50000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457678916.00000000058F0000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457090880.0000000005660000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.000000000409D000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000004122000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457113369.00000000056C7000.00000004.08000000.00040000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://tempuri.org/IServicePipe/DeleteValueResponse6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://crl.thawte.com/ThawteTimestampingCA.crl06Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000003043000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4458123019.0000000005D50000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457678916.00000000058F0000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457090880.0000000005660000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.000000000409D000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000004122000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://crl.startssl.com/sca-code3.crl0#6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000003043000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4458123019.0000000005D50000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457678916.00000000058F0000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457090880.0000000005660000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.000000000409D000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000004122000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457113369.00000000056C7000.00000004.08000000.00040000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://schemas.datacontract.org/2004/07/Orcus.Shared.Commands.Registryd6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://tempuri.org/IServicePipe/GetSecurityEventLogResponse6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://tempuri.org/IServicePipe/WriteFileLR6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://tempuri.org/IServicePipe/CreateValueResponse6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://tempuri.org/IServicePipe/CreateSubKeyLR6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://tempuri.org/IServicePipe/DeleteFileLR6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://tempuri.org/IServicePipe/IsAliveResponse6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://tempuri.org/IServicePipe/GetRegistrySubKeysResponse6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://tempuri.org/IServicePipe/DeleteValueLR6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://tempuri.org/IServicePipe/DeleteSubKeyResponse6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://tempuri.org/$6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://schemas.xmlsoap.org/soap/encoding/6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000003043000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://schemas.datacontract.org/2004/07/6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://tempuri.org/IServicePipe/GetSecurityEventLogLR6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://tempuri.org/IServicePipe/GetPathLR6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://ocsp.thawte.com06Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000003043000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4458123019.0000000005D50000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457678916.00000000058F0000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457090880.0000000005660000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.000000000409D000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000004122000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://schemas.datacontract.org/2004/07/Orcus.Shared.Commands.EventLog6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://tempuri.org/IServicePipe/CreateSubKeyResponse6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://tempuri.org/IServicePipe/GetRegistryValuesLR6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://tempuri.org/IServicePipe/IsAliveLR6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://ocsp.startssl.com076Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000003043000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4458123019.0000000005D50000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457678916.00000000058F0000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457090880.0000000005660000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.000000000409D000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000004122000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457113369.00000000056C7000.00000004.08000000.00040000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://tempuri.org/IServicePipe/WriteFileResponse6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://tempuri.org/IServicePipe/StartProcessResponse6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://www.startssl.com/policy06Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000003043000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4458123019.0000000005D50000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457678916.00000000058F0000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457090880.0000000005660000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.000000000409D000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000004122000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457113369.00000000056C7000.00000004.08000000.00040000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://tempuri.org/IServicePipe/CreateValueLR6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://ocsp.startssl.com006Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000003043000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4458123019.0000000005D50000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457678916.00000000058F0000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457090880.0000000005660000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.000000000409D000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000004122000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457113369.00000000056C7000.00000004.08000000.00040000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://schemas.xmlsoap.org/ws/2004/08/addressing/fault$6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://tempuri.org/IServicePipe/DeleteSubKeyLR6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://schemas.datacontract.org/2004/07/Orcus.Shared.Commands.Registry6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://schemas.xmlsoap.org/ws/2004/08/addressing6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://aia.startssl.com/certs/ca.crt06Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000003043000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4458123019.0000000005D50000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457678916.00000000058F0000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457090880.0000000005660000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.000000000409D000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000004122000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457113369.00000000056C7000.00000004.08000000.00040000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://tempuri.org/IServicePipe/GetRegistryValuesResponse6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://www.startssl.com/0P6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000003043000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4458123019.0000000005D50000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457678916.00000000058F0000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457090880.0000000005660000.00000004.08000000.00040000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.000000000409D000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4456676066.0000000004122000.00000004.00000800.00020000.00000000.sdmp, 6Oq2eXtHmE.exe, 00000000.00000002.4457113369.00000000056C7000.00000004.08000000.00040000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://schemas.xmlsoap.org/wsdl/6Oq2eXtHmE.exe, 00000000.00000002.4455845204.0000000003043000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://tempuri.org/IServicePipe/DeleteFileResponse6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://tempuri.org/IServicePipe/GetRegistrySubKeysLR6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://tempuri.org/IServicePipe/StartProcessLR6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://tempuri.org/(_6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://schemas.xmlsoap.org/soap/actor/next6Oq2eXtHmE.exe, 00000000.00000002.4455845204.00000000032F9000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown

              World Map of Contacted IPs

              • No. of IPs < 25%
              • 25% < No. of IPs < 50%
              • 50% < No. of IPs < 75%
              • 75% < No. of IPs

              Public IPs

              IPDomainCountryFlagASNASN NameMalicious
              178.211.130.175
              		unknownUkraine
              		31214TIS-DIALOG-ASRUtrue

              General Information

              Joe Sandbox version:40.0.0 Tourmaline
              Analysis ID:1498206
              Start date and time:2024-08-23 20:56:05 +02:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 7m 19s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Number of analysed new started processes analysed:4
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:6Oq2eXtHmE.exe
              renamed because original name is a hash value
              Original Sample Name:74D1B3D898B42F285B8718CC8010919F.exe
              Detection:MAL
              Classification:mal100.troj.evad.winEXE@1/2@0/1
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 98%
              • Number of executed functions: 94
              • Number of non-executed functions: 1
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Override analysis time to 240000 for current running targets taking high CPU consumption

              Warnings

              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
              • Excluded IPs from analysis (whitelisted): 199.232.214.172, 88.221.110.121
              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • Report size getting too big, too many NtReadVirtualMemory calls found.
              • VT rate limit hit for: 6Oq2eXtHmE.exe

              Simulations

              Behavior and APIs

              TimeTypeDescription
              14:56:55API Interceptor12157412x Sleep call for process: 6Oq2eXtHmE.exe modified

              Joe Sandbox View / Context

              IPs

              No context

              Domains

              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
              bg.microsoft.map.fastly.nethttp://ezp-prod1.hul.harvard.edu/login?qurl=https://nearbystorageunitss.com/image#bGNpcHJpYW5vQHNlY3VydXN0ZWNobm9sb2dpZXMuY29tGet hashmaliciousHTMLPhisherBrowse
              • 199.232.210.172
              http://ikenn99.store/Get hashmaliciousUnknownBrowse
              • 199.232.214.172
              https://heveavillasbali.com/tmp/Get hashmaliciousUnknownBrowse
              • 199.232.210.172
              http://apotekspeakeasy.comGet hashmaliciousUnknownBrowse
              • 199.232.210.172
              http://www.saessential.co.zaGet hashmaliciousUnknownBrowse
              • 199.232.214.172
              https://wouterwippertlearnformulacom-dot-mm-event2.appspot.com/em_L0xwi5FXO9uLSWq5icjY?url=https%3A%2F%2Funderarmourclub.com%2Fpackage%2Fanti-fraud-internal-audit-master-fundamentals-techniques%2Fbogholderiet@dk.gt.com&key=f54c41b767a44c00bbdb4c81f8791744809895f1Get hashmaliciousHTMLPhisherBrowse
              • 199.232.210.172
              http://www.jetflightsimulatorperth.com.auGet hashmaliciousUnknownBrowse
              • 199.232.214.172
              Board Torpedo new- cost.xlsGet hashmaliciousUnknownBrowse
              • 199.232.214.172
              http://login.doxa.coGet hashmaliciousUnknownBrowse
              • 199.232.210.172
              https://l4vm89ff.r.us-west-2.awstrack.me/L0/https:%2F%2Fsnip.ly%2FFedExx/1/010101917bbe6db8-0435991f-93dd-44cd-b7b8-51bfd5cf53c7-000000/HIvKUOwubES5gbenLtlgHO_SzP8=389Get hashmaliciousUnknownBrowse
              • 199.232.210.172

              ASNs

              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
              TIS-DIALOG-ASRUhttps://soivre.org/Get hashmaliciousUnknownBrowse
              • 178.211.133.19
              https://miempresaessaludable.theobjective.comGet hashmaliciousUnknownBrowse
              • 178.211.133.47
              https://miempresaessaludable.theobjective.comGet hashmaliciousUnknownBrowse
              • 178.211.133.47
              n8RoxsQ4om.elfGet hashmaliciousMiraiBrowse
              • 185.234.121.174
              RFQ-25251.scr.exeGet hashmaliciousFormBook, PureLog StealerBrowse
              • 178.211.137.59
              MR-239-1599-A.scr.exeGet hashmaliciousFormBook, PureLog StealerBrowse
              • 178.211.137.59
              letter No. 8283 J-80-PM-MRQ-8025-4901.scr.exeGet hashmaliciousFormBook, PureLog StealerBrowse
              • 178.211.137.59
              RFQ02212420.exeGet hashmaliciousFormBook, PureLog StealerBrowse
              • 178.211.137.59
              PI No. LI-4325.exeGet hashmaliciousFormBook, PureLog StealerBrowse
              • 178.211.137.59
              COMPANY PROFILE.exeGet hashmaliciousFormBook, PureLog StealerBrowse
              • 178.211.137.59

              JA3 Fingerprints

              No context

              Dropped Files

              No context

              Created / dropped Files

              C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

              Download File
              Process:C:\Users\user\Desktop\6Oq2eXtHmE.exe
              File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
              Category:dropped
              Size (bytes):71954
              Entropy (8bit):7.996617769952133
              Encrypted:true
              SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
              MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
              SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
              SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
              SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
              Malicious:false
              Reputation:high, very likely benign file
              Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

              C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

              Download File
              Process:C:\Users\user\Desktop\6Oq2eXtHmE.exe
              File Type:data
              Category:dropped
              Size (bytes):328
              Entropy (8bit):3.2296051843270717
              Encrypted:false
              SSDEEP:6:kKwx79UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:WSDImsLNkPlE99SNxAhUe/3
              MD5:4894CA8B8471C4F9B265012D9F086826
              SHA1:C43D94275C7CCC6578685BA7A0248CBDD2E1D81C
              SHA-256:04718B7FD1E58A2BD4D047AB13D512B03E7C9D1B8BBBF2F7C9D92D02B16DEC4E
              SHA-512:401FF24710C7F4998C830CAB5B7756F5C08B0FDF5E83EAC860D0604F8484176DFFEA8E19C6EB0397F41C90FE8510027D5FAFD77D5296570B16502DAE3B3FD7A6
              Malicious:false
              Reputation:low
              Preview:p...... ........9.8@....(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

              Static File Info

              General

              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Entropy (8bit):7.142884181962274
              TrID:
              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
              • Win32 Executable (generic) a (10002005/4) 49.75%
              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
              • Windows Screen Saver (13104/52) 0.07%
              • Generic Win/DOS Executable (2004/3) 0.01%
              File name:6Oq2eXtHmE.exe
              File size:925'184 bytes
              MD5:74d1b3d898b42f285b8718cc8010919f
              SHA1:4ca51aece95740cf74845d3ae360fe132a24edf5
              SHA256:aa9809519069ba9a0caaa0743fa0d908eb87f544422f55af6b60113b3353fc66
              SHA512:9dc53ae6ae9f4955dc99c8e2ef38aafb8cb4346cd49fb4709c1ce035bc7a6999529d056897077b8be2fc21cad9974b6b895b0f4b6bc6197ae496289f125d314e
              SSDEEP:12288:V0XCGPSX0zbyD+ndg+QCImGYUl9qyzlkE2kUNCnZsrNoHr3K55epH+H77dG1lFlz:cj54MROxnF2HrrcI0AilFEvxHPq8oo6
              TLSH:3E15BF013BADBD07C1BE3679B7731AC907B8ED0A5092FB4E089851AD1D9B701BD163A7
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.............................(... ........@.. ....................................`................................

              File Icon

              Icon Hash:00928e8e8686b000

              Static PE Info

              General

              Entrypoint:0x4e280e
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Time Stamp:0x66C0CEB0 [Sat Aug 17 16:24:16 2024 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

              Entrypoint Preview

              Instruction
              jmp dword ptr [00402000h]
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al

              Data Directories

              NameVirtual AddressVirtual Size Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
              IMAGE_DIRECTORY_ENTRY_IMPORT0xe27c00x4b.text
              IMAGE_DIRECTORY_ENTRY_RESOURCE0xe40000x1000.rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
              IMAGE_DIRECTORY_ENTRY_BASERELOC0xe60000xc.reloc
              IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
              IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

              Sections

              NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
              .text0x20000xe08140xe0a003653d5b842b71f6a51d3e2e0659f1881False0.6453844515164162SysEx File - Jellinghaus7.149137498574232IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              .rsrc0xe40000x10000x10003ab4106e597f72ec5283e0108ac84240False0.3896484375data4.994911528676872IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .reloc0xe60000xc0x200d5e1ec7ff8fc4f0efb0170d26f2cd55eFalse0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

              Resources

              NameRVASizeTypeLanguageCountryZLIB Complexity
              RT_VERSION0xe40900x2ccdata0.43435754189944137
              RT_MANIFEST0xe436c0xc38XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.39641943734015345

              Imports

              DLLImport
              mscoree.dll_CorExeMain

              Network Behavior

              Suricata IDS Alerts

              TimestampProtocolSIDSignatureSeveritySource PortDest PortSource IPDest IP
              2024-08-23T20:56:56.662484+0200TCP2824244ETPRO MALWARE Observed Malicious SSL Certificate (Orcus RAT)11013449704178.211.130.175192.168.2.5

              Network Port Distribution

              TCP Packets

              TimestampSource PortDest PortSource IPDest IP
              Aug 23, 2024 20:56:55.933834076 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:56:55.938906908 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:56:55.938988924 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:56:55.960377932 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:56:55.965766907 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:56:56.652209997 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:56:56.657680988 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:56:56.662483931 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:56:56.885895967 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:56:56.930567980 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:56:58.117074013 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:56:58.122052908 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:56:58.122140884 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:56:58.126971960 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:56:58.531267881 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:56:58.571192980 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:56:58.710602999 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:56:58.714795113 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:56:58.719657898 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:56:58.719791889 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:56:58.724559069 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:56:59.127027988 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:56:59.166917086 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:56:59.171825886 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:56:59.171890974 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:56:59.176732063 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:56:59.584073067 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:56:59.584568977 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:56:59.589468002 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:56:59.589535952 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:56:59.594438076 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:56:59.811698914 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:56:59.852428913 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:57:00.893399954 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:57:00.896084070 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:57:00.896430969 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:57:00.896714926 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:57:00.897000074 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:57:00.897279024 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:57:00.897759914 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:57:00.898044109 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:57:00.898595095 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:57:00.898714066 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:57:00.898776054 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:57:00.898992062 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:57:00.899239063 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:57:00.901784897 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:57:00.901859999 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:57:00.902196884 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:57:00.902208090 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:57:00.902235985 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:57:00.902252913 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:57:00.902285099 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:57:00.902285099 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:57:00.902297020 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:57:00.902342081 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:57:00.902509928 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:57:00.902529001 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:57:00.902582884 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:57:00.902582884 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:57:00.902863979 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:57:00.902898073 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:57:00.902957916 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:57:00.902957916 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:57:00.902977943 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:57:00.902987957 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:57:00.903136969 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:57:00.903136969 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:57:00.904318094 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:57:00.904360056 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:57:00.904401064 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:57:00.908083916 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:57:00.908093929 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:57:00.908102036 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:57:00.908112049 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:57:00.908199072 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:57:00.908243895 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:57:00.908284903 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:57:00.908293962 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:57:00.908329010 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:57:00.908406019 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:57:00.908488035 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:57:00.908727884 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:57:00.909025908 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:57:00.909245968 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:57:00.909408092 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:57:00.914977074 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:57:00.920008898 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:57:30.766087055 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:57:30.821192980 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:57:30.945593119 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:57:30.950007915 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:57:30.956053972 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:57:30.956226110 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:57:30.961719990 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:58:00.772494078 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:58:00.821299076 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:58:00.966782093 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:58:00.967040062 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:58:00.972045898 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:58:00.972103119 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:58:00.977071047 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:58:25.290435076 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:58:25.295358896 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:58:25.295579910 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:58:25.300370932 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:58:26.586944103 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:58:26.862052917 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:58:26.862170935 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:58:26.866919994 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:58:26.868700027 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:58:26.873549938 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:58:26.873646975 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:58:26.878465891 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:58:35.058078051 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:58:35.063014030 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:58:35.064129114 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:58:35.068993092 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:58:42.932104111 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:58:42.937577009 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:58:42.938148022 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:58:42.943506002 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:58:51.915146112 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:58:51.920075893 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:58:51.920134068 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:58:51.924928904 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:58:52.868304014 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:58:52.873259068 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:58:52.876158953 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:58:52.881068945 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:58:56.336925983 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:58:56.342405081 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:58:56.342464924 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:58:56.347932100 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:59:01.136106014 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:59:01.141391039 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:59:01.141613007 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:59:01.146539927 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:59:05.727597952 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:59:05.770081997 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:59:05.770131111 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:59:05.775233984 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:59:13.915095091 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:59:13.920099020 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:59:13.920152903 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:59:13.925605059 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:59:15.260137081 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:59:15.265096903 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:59:15.266345024 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:59:15.271161079 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:59:26.477579117 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:59:26.482624054 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:59:26.482717991 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:59:26.487472057 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:59:31.464159966 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:59:31.469080925 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:59:31.469188929 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:59:31.474100113 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:59:40.555710077 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:59:40.560851097 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:59:40.560934067 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:59:40.565715075 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:59:49.168186903 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:59:49.173198938 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 20:59:49.173289061 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 20:59:49.178157091 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 21:00:01.416204929 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 21:00:01.422179937 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 21:00:01.424283981 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 21:00:01.429145098 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 21:00:01.907167912 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 21:00:01.912065029 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 21:00:01.912127018 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 21:00:01.917030096 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 21:00:08.290190935 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 21:00:08.296576023 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 21:00:08.296647072 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 21:00:08.302757978 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 21:00:16.462045908 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 21:00:16.466979027 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 21:00:16.467052937 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 21:00:16.471914053 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 21:00:22.980226040 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 21:00:23.289971113 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 21:00:23.441925049 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 21:00:23.441955090 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 21:00:34.415138960 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 21:00:34.420027971 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 21:00:34.420084000 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 21:00:34.427166939 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 21:00:45.040144920 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 21:00:45.045849085 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 21:00:45.048612118 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 21:00:45.055803061 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 21:00:47.150654078 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 21:00:47.155582905 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 21:00:47.155690908 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 21:00:47.160512924 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 21:00:48.024441957 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 21:00:48.029803991 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 21:00:48.029858112 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 21:00:48.035291910 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 21:00:54.352581024 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 21:00:54.357673883 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 21:00:54.357733965 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 21:00:54.363329887 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 21:00:57.746285915 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 21:00:57.751362085 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 21:00:57.754432917 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 21:00:57.761882067 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 21:01:00.274502993 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 21:01:00.279438972 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 21:01:00.279503107 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 21:01:00.284287930 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 21:01:00.965730906 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 21:01:00.970699072 CEST1013449704178.211.130.175192.168.2.5
              Aug 23, 2024 21:01:00.972342014 CEST4970410134192.168.2.5178.211.130.175
              Aug 23, 2024 21:01:00.977166891 CEST1013449704178.211.130.175192.168.2.5

              UDP Packets

              TimestampSource PortDest PortSource IPDest IP
              Aug 23, 2024 20:57:16.234963894 CEST53651441.1.1.1192.168.2.5

              DNS Answers

              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
              Aug 23, 2024 20:56:57.111960888 CEST1.1.1.1192.168.2.50xbfNo error (0)bg.microsoft.map.fastly.net199.232.214.172A (IP address)IN (0x0001)false
              Aug 23, 2024 20:56:57.111960888 CEST1.1.1.1192.168.2.50xbfNo error (0)bg.microsoft.map.fastly.net199.232.210.172A (IP address)IN (0x0001)false

              Statistics

              CPU Usage

              Click to jump to process

              Memory Usage

              Click to jump to process

              High Level Behavior Distribution

              Click to dive into process behavior distribution

              System Behavior

              General

              Target ID:0
              Start time:14:56:54
              Start date:23/08/2024
              Path:C:\Users\user\Desktop\6Oq2eXtHmE.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\6Oq2eXtHmE.exe"
              Imagebase:0xac0000
              File size:925'184 bytes
              MD5 hash:74D1B3D898B42F285B8718CC8010919F
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_OrcusRat, Description: Yara detected Orcus RAT, Source: 00000000.00000000.2005103261.0000000000AC2000.00000002.00000001.01000000.00000003.sdmp, Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
              • Rule: RAT_Orcus, Description: unknown, Source: 00000000.00000000.2005103261.0000000000AC2000.00000002.00000001.01000000.00000003.sdmp, Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
              Reputation:low
              Has exited:false

              Disassembly

              Reset < >

                Execution Graph

                Execution Coverage:10.7%
                Dynamic/Decrypted Code Coverage:100%
                Signature Coverage:0%
                Total number of Nodes:28
                Total number of Limit Nodes:2
                execution_graph 29738 1535c87 29740 1535c18 29738->29740 29739 1535c95 29740->29739 29743 153acc0 29740->29743 29741 1535cba 29744 153ace5 29743->29744 29748 153b1c9 29744->29748 29752 153b1d8 29744->29752 29745 153acef 29745->29741 29749 153b1d8 29748->29749 29750 153b2dc 29749->29750 29756 153ae58 29749->29756 29754 153b1ff 29752->29754 29753 153b2dc 29753->29753 29754->29753 29755 153ae58 CreateActCtxA 29754->29755 29755->29753 29757 153c268 CreateActCtxA 29756->29757 29759 153c32b 29757->29759 29722 153dcf8 29723 153dd3e 29722->29723 29727 153ded8 29723->29727 29730 153dec8 29723->29730 29724 153de2b 29734 153d630 29727->29734 29731 153ded8 29730->29731 29732 153d630 DuplicateHandle 29731->29732 29733 153df06 29732->29733 29733->29724 29735 153d635 DuplicateHandle 29734->29735 29737 153df06 29735->29737 29737->29724

                Executed Functions

                Function 015380E0 Relevance: 2.5, Strings: 1, Instructions: 1208COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4455701042.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1530000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID: 4']q
                • API String ID: 0-1259897404
                • Opcode ID: 000d79409ea2b0f596f47dddb8c52290593f3e83dab08e54ca45adbacdd3870a
                • Instruction ID: 64a7e42f6c1dcd54285030b7aca069d65e7582db0bc1607aa3219aeda0dbe617
                • Opcode Fuzzy Hash: 000d79409ea2b0f596f47dddb8c52290593f3e83dab08e54ca45adbacdd3870a
                • Instruction Fuzzy Hash: 86B226B47006118FDB29DF39C898A6E77F2BF88304B144AADE516CB3A1DB74E845CB51
                Function 0691DC18 Relevance: .8, Instructions: 758COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 27e83484dcba9ad960c1d77e026ef603b325d1c9bf963c077dc2374bd5b44a3e
                • Instruction ID: 1defb51d7395b7a0b9b2c35cb88f72b4a99482e176dca717ebe1b05285b57ae3
                • Opcode Fuzzy Hash: 27e83484dcba9ad960c1d77e026ef603b325d1c9bf963c077dc2374bd5b44a3e
                • Instruction Fuzzy Hash: FF62FE74B00219CFDB55DF64D898BADBBB2BF88300F1484A9E90A9B395DB309D85CF51
                Function 06910040 Relevance: .3, Instructions: 281COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7b343a87dd4e2c9fe91752b8b9200ddf874276ee4476240f885a4255017bf124
                • Instruction ID: 6db4f2eba18d31aa736d5f0ddc84896a79e8dc22ed58966754dcf314f29808a3
                • Opcode Fuzzy Hash: 7b343a87dd4e2c9fe91752b8b9200ddf874276ee4476240f885a4255017bf124
                • Instruction Fuzzy Hash: 17B14E70E0020DCFDF54CFA9C98579EBBF6BF88304F248529D419AB654EB759886CB81
                Function 06910910 Relevance: .3, Instructions: 266COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: baa1a7ab54f6a03b6c508eb7bcf0ebd932c4691d24b8732b15966c62560b9eaa
                • Instruction ID: 918f19ab57e75b6a6c1b0d7d30f9ee2a23ec56cd24e8f1b6f5eb31f823743662
                • Opcode Fuzzy Hash: baa1a7ab54f6a03b6c508eb7bcf0ebd932c4691d24b8732b15966c62560b9eaa
                • Instruction Fuzzy Hash: 7CB17D70E0020ECFDF50CFA8D99579EBBF6BF88314F248529D419AB654EB759881CB81
                Function 06916008 Relevance: 2.6, Strings: 2, Instructions: 92COMMON
                Download Yara Rule

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 503 6916008-6916011 530 6916013 call 6915ff1 503->530 531 6916013 call 6916114 503->531 532 6916013 call 6916008 503->532 504 6916019-6916024 506 6916026-6916031 504->506 507 691603f-6916062 504->507 510 6916033-691603e 506->510 511 6916069-69160fc 506->511 507->511 528 6916105-6916112 511->528 530->504 531->504 532->504
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID: 4']q$4']q
                • API String ID: 0-3120983240
                • Opcode ID: 43a8e72c1c5d4b840c1d93009a83cc9c835313ddbe04fe497af66f538343653e
                • Instruction ID: 62c958aacca8f765cf79ddbff300c336489edf8bf998ab43fd1cfe4a0712f751
                • Opcode Fuzzy Hash: 43a8e72c1c5d4b840c1d93009a83cc9c835313ddbe04fe497af66f538343653e
                • Instruction Fuzzy Hash: 8421233070535E9FC719AB79942857E3BE7AFC561072088AEE946C7791EE348C0583D2
                Function 06919C38 Relevance: 2.6, Strings: 2, Instructions: 60COMMON
                Download Yara Rule

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 533 6919c38-6919c47 534 6919c49-6919c96 533->534 535 6919c98-6919ce3 533->535 548 6919ce5 534->548 535->548 550 6919ce7 call 6919cf8 548->550 551 6919ce7 call 6919d08 548->551 549 6919ced-6919cf4 550->549 551->549
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID: 4']q$4']q
                • API String ID: 0-3120983240
                • Opcode ID: 19000663bec5c2b5da96a14302b807ba48c23f160911cebe7cddfb76dd9c3f67
                • Instruction ID: 5412d993d37ac8096f5e048d48f318c458e0a8a9aac3564f94c49863ec0a8218
                • Opcode Fuzzy Hash: 19000663bec5c2b5da96a14302b807ba48c23f160911cebe7cddfb76dd9c3f67
                • Instruction Fuzzy Hash: 61117C7070030B9FCB19EF29D8A0A5EB7B2FF94200B204E29E4459B655EB74BC198791
                Function 06916114 Relevance: 2.5, Strings: 2, Instructions: 45COMMON
                Download Yara Rule

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 552 6916114-6916120 553 69160d2 552->553 554 6916122-69161a4 552->554 556 69160d3-69160d8 553->556 557 69160bc-69160d8 553->557 560 69160e0-69160fc 556->560 557->560 564 6916105-6916112 560->564
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID: 4']q$4']q
                • API String ID: 0-3120983240
                • Opcode ID: 5a0e5d96ecc2965420dca7e6c252178c196448be4fcfd4ea2e3e3c8e4349a401
                • Instruction ID: 3091ff16808ecd4c449b06de85c3d0f5ab5d10e05bf242957f2d2aa7d81fb80a
                • Opcode Fuzzy Hash: 5a0e5d96ecc2965420dca7e6c252178c196448be4fcfd4ea2e3e3c8e4349a401
                • Instruction Fuzzy Hash: 31017DB150E3598FC316E77AAC514967FE6EE815003148DDFE4C28B922DB64A80683A2
                Function 06916638 Relevance: 2.0, Instructions: 1982COMMON
                Download Yara Rule

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1007 6916638-691877d 1394 6918785-6918798 call 6916528 1007->1394 1414 6918798 call 6919770 1394->1414 1415 6918798 call 6919762 1394->1415 1398 691879e-69187a6 1400 6918810-6918813 1398->1400 1401 69187a8-69187bf 1398->1401 1404 69187c1-69187ca 1401->1404 1405 69187e0 1401->1405 1407 69187d1-69187d4 1404->1407 1408 69187cc-69187cf 1404->1408 1406 69187e3-69187f3 1405->1406 1411 6918801 1406->1411 1412 69187f5-69187ff 1406->1412 1409 69187de 1407->1409 1408->1409 1409->1406 1413 6918808-691880b 1411->1413 1412->1413 1413->1400 1414->1398 1415->1398
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 85cc9527700353a35d184686b47b37e99ccfae8cf2dc87b992844157a1a44a31
                • Instruction ID: e0f64ee6d50188bd091acbb8df2788cd517283dfe783e83386faa1d75f01c242
                • Opcode Fuzzy Hash: 85cc9527700353a35d184686b47b37e99ccfae8cf2dc87b992844157a1a44a31
                • Instruction Fuzzy Hash: D2232235902204DFCB666F61D918659B773FB5A347B2084BAED0253BB0CB7A9E81DF40
                Function 06916648 Relevance: 2.0, Instructions: 1978COMMON
                Download Yara Rule

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1416 6916648-6918798 call 6916528 1822 6918798 call 6919770 1416->1822 1823 6918798 call 6919762 1416->1823 1806 691879e-69187a6 1808 6918810-6918813 1806->1808 1809 69187a8-69187bf 1806->1809 1812 69187c1-69187ca 1809->1812 1813 69187e0 1809->1813 1815 69187d1-69187d4 1812->1815 1816 69187cc-69187cf 1812->1816 1814 69187e3-69187f3 1813->1814 1819 6918801 1814->1819 1820 69187f5-69187ff 1814->1820 1817 69187de 1815->1817 1816->1817 1817->1814 1821 6918808-691880b 1819->1821 1820->1821 1821->1808 1822->1806 1823->1806
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ab4b706714605bf3860190766d5100afb7d037a78cd9ad91e95523187c1f3921
                • Instruction ID: de6fb9ef4ea7972e9cd36bffa91e0b7b4e2e319e2977cbc84247d794700b43e2
                • Opcode Fuzzy Hash: ab4b706714605bf3860190766d5100afb7d037a78cd9ad91e95523187c1f3921
                • Instruction Fuzzy Hash: 47232235902204DFCB666F61D918659B773FB5A347B2084BAED0253BB0CB7A9D81DF40
                Function 0153D6E0 Relevance: 1.6, APIs: 1, Instructions: 99COMMON
                Download Yara Rule

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1824 153d6e0-153d6f8 1828 153d67b 1824->1828 1829 153d6fa-153d713 1824->1829 1830 153d635-153d637 1828->1830 1831 153d67d-153d67e 1828->1831 1835 153df40-153dfd4 DuplicateHandle 1829->1835 1830->1835 1833 153d680-153d693 1831->1833 1834 153d608-153d628 1831->1834 1833->1824 1838 153dfd6-153dfdc 1835->1838 1839 153dfdd-153dffa 1835->1839 1838->1839
                Memory Dump Source
                • Source File: 00000000.00000002.4455701042.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1530000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d20eb7b81808e6a34e19e9e6aa8779a420a6af4a75644b1b27bf8515cc1c051a
                • Instruction ID: 587a82cbbbc9d6aed4463bc06f1ff6e79937e396e7f32ca47b03b81b4dacb30b
                • Opcode Fuzzy Hash: d20eb7b81808e6a34e19e9e6aa8779a420a6af4a75644b1b27bf8515cc1c051a
                • Instruction Fuzzy Hash: 67319CB58052499FDB10DFADD4846EEBFF4FF89310F54880AE958AB311C3389944CBA5
                Function 0153C25C Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                Download Yara Rule

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1860 153c25c-153c262 1861 153c268-153c329 CreateActCtxA 1860->1861 1863 153c332-153c38c 1861->1863 1864 153c32b-153c331 1861->1864 1871 153c39b-153c39f 1863->1871 1872 153c38e-153c391 1863->1872 1864->1863 1873 153c3a1-153c3ad 1871->1873 1874 153c3b0 1871->1874 1872->1871 1873->1874 1876 153c3b1 1874->1876 1876->1876
                APIs
                • CreateActCtxA.KERNEL32(?), ref: 0153C319
                Memory Dump Source
                • Source File: 00000000.00000002.4455701042.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1530000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID: Create
                • String ID:
                • API String ID: 2289755597-0
                • Opcode ID: f95b86d8f3743af1dd6a05d845608b89c479d445e9e5db39a52e6f281d47700e
                • Instruction ID: 3225f11d00ca3b9a07bc6b0e937c58fa20e3e80a3af487a85f50fa6b69390806
                • Opcode Fuzzy Hash: f95b86d8f3743af1dd6a05d845608b89c479d445e9e5db39a52e6f281d47700e
                • Instruction Fuzzy Hash: 9A41AEB0C04719CFDB24DFA9C884B9EBBB5BF89304F20816AD409AB251DB756949CF91
                Function 0153AE58 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                Download Yara Rule

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1843 153ae58-153c329 CreateActCtxA 1846 153c332-153c38c 1843->1846 1847 153c32b-153c331 1843->1847 1854 153c39b-153c39f 1846->1854 1855 153c38e-153c391 1846->1855 1847->1846 1856 153c3a1-153c3ad 1854->1856 1857 153c3b0 1854->1857 1855->1854 1856->1857 1859 153c3b1 1857->1859 1859->1859
                APIs
                • CreateActCtxA.KERNEL32(?), ref: 0153C319
                Memory Dump Source
                • Source File: 00000000.00000002.4455701042.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1530000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID: Create
                • String ID:
                • API String ID: 2289755597-0
                • Opcode ID: 23ca7ac8d1f83c87a0cbc2376b851d581af0876a47d9773da1efac878ee8561a
                • Instruction ID: 95c832c9194506a2267f153d5c63bdb1f8a43069ac913b68abb326ee857085c8
                • Opcode Fuzzy Hash: 23ca7ac8d1f83c87a0cbc2376b851d581af0876a47d9773da1efac878ee8561a
                • Instruction Fuzzy Hash: C241BDB0C04719CBDB24DFA9C884B9EBBF5BF89304F20806AD409BB251DB756949CF91
                Function 0153D630 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                Download Yara Rule

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1877 153d630-153dfd4 DuplicateHandle 1880 153dfd6-153dfdc 1877->1880 1881 153dfdd-153dffa 1877->1881 1880->1881
                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0153DF06,?,?,?,?,?), ref: 0153DFC7
                Memory Dump Source
                • Source File: 00000000.00000002.4455701042.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1530000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: 7b8b9286c0e47e3eea1f0dcaae3dcde587414c8b984e579009b8a0b8106758e0
                • Instruction ID: 46c8ebea0f0a74eecb796a1e50f23505486555c2a2605b32d2ee972da0953eaf
                • Opcode Fuzzy Hash: 7b8b9286c0e47e3eea1f0dcaae3dcde587414c8b984e579009b8a0b8106758e0
                • Instruction Fuzzy Hash: D821F2B5D002099FDB10CFAAD884AEEBBF8FB48310F10841AE918A7310D374A954CFA1
                Function 0153DF39 Relevance: 1.6, APIs: 1, Instructions: 64COMMON
                Download Yara Rule
                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0153DF06,?,?,?,?,?), ref: 0153DFC7
                Memory Dump Source
                • Source File: 00000000.00000002.4455701042.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1530000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: 9e7a024adcb007dfa0b2cd87da4ee0e2580883775758a6cb1441e8b9070dbded
                • Instruction ID: eea44cf31a7f423a8021c41a553c4cf3e9420bc88c978a7531139441dbec059b
                • Opcode Fuzzy Hash: 9e7a024adcb007dfa0b2cd87da4ee0e2580883775758a6cb1441e8b9070dbded
                • Instruction Fuzzy Hash: E921D2B5D003099FDB10CFAAD984AEEBFF8FB48310F14841AE918A7210D375A954CFA5
                Function 06919C32 Relevance: 1.3, Strings: 1, Instructions: 44COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID: 4']q
                • API String ID: 0-1259897404
                • Opcode ID: 8071e2339a5c6af89a676e9c04c53717cc296e419b80bec3adf887ff329807b6
                • Instruction ID: 61daef802d146c474447d934ba5c14688749323906bb971b0a415b839bb7386a
                • Opcode Fuzzy Hash: 8071e2339a5c6af89a676e9c04c53717cc296e419b80bec3adf887ff329807b6
                • Instruction Fuzzy Hash: 0101D67170021AAFCF14EB29D85099EB7A6FB94610B204A29F4454B604EB74B81587E1
                Function 06918E01 Relevance: 1.3, Strings: 1, Instructions: 27COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID: 4']q
                • API String ID: 0-1259897404
                • Opcode ID: d9f792a5010119c4796892a0d5ebf2ec5550614cc85d4f8bc8cb46fd19e438be
                • Instruction ID: a74de68a3ab4f1b77e96dfd43bc61de1af2195d56e70b13cffcf2c138e67776b
                • Opcode Fuzzy Hash: d9f792a5010119c4796892a0d5ebf2ec5550614cc85d4f8bc8cb46fd19e438be
                • Instruction Fuzzy Hash: 01E092B1F062099FCF08DF7499904FD7BE7EBD4600B2446EAE40DC7254DA350E119751
                Function 0691D340 Relevance: .4, Instructions: 432COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3c96246603a730353edb0f06e90b9b39359b327de033ab836b9608ed2f94363e
                • Instruction ID: 14379eb1b4dea2b038645bd3aa8c311f7908f5b723fdf7c1ea0c911e87637202
                • Opcode Fuzzy Hash: 3c96246603a730353edb0f06e90b9b39359b327de033ab836b9608ed2f94363e
                • Instruction Fuzzy Hash: 20F18F757002598FCB45DF78C858A6A7BB6FF89300F2544A9E506CB3A2DB34DC46CB91
                Function 069112C0 Relevance: .4, Instructions: 419COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 104fc9c8aa503ea1b68cdd36c402c6835193cea4f16db42f622277388a7d666b
                • Instruction ID: bb845df54ec3ea7ab07744286450942847aa8a0c31377865bef542e54668c835
                • Opcode Fuzzy Hash: 104fc9c8aa503ea1b68cdd36c402c6835193cea4f16db42f622277388a7d666b
                • Instruction Fuzzy Hash: 67028278A00209CFCB99EF79D46496D77F2FF88705B60466AE5069B7A4DB31EC42CB40
                Function 0691C528 Relevance: .4, Instructions: 357COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e16f1002a4feaf8a70fa022568e43341ea4e2521f17bf491d514c316d99bb416
                • Instruction ID: 28d90052b348878cf25cae233f8fa1b1d820f063425a661b3a751e7eba250929
                • Opcode Fuzzy Hash: e16f1002a4feaf8a70fa022568e43341ea4e2521f17bf491d514c316d99bb416
                • Instruction Fuzzy Hash: 32E14D74A0020ADFCB14DF65D894A6EBBB6FF88310F248569E8069B765DB34EC41CF91
                Function 0691FBD8 Relevance: .3, Instructions: 306COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6558ae94859c4e2b3674557d98dc746e15b605ccae0bfd3f837ca3f4073711ed
                • Instruction ID: 5ebb62940affd6ac2f9250076372ed620ce9d7f32674ab7e141761fd59c7dd34
                • Opcode Fuzzy Hash: 6558ae94859c4e2b3674557d98dc746e15b605ccae0bfd3f837ca3f4073711ed
                • Instruction Fuzzy Hash: 0FB1AF75A0020A9FDB00DF65C894BAEB7F2FF88310F248569E5159B7A1CB70EC45CB91
                Function 0691E241 Relevance: .3, Instructions: 304COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4e8e2fae843558352b14b73c91a1d26aad6b44d9c2eb0ec4e5be684a5d405ad0
                • Instruction ID: eb9a468b9d24779a5bd7d25f65456ee4d6071bbe2f297ac88dde43f5f70b1551
                • Opcode Fuzzy Hash: 4e8e2fae843558352b14b73c91a1d26aad6b44d9c2eb0ec4e5be684a5d405ad0
                • Instruction Fuzzy Hash: 28D10A74A00219CFDB55DF64D894BAD7BB2BF88301F2484A9E90AAB390DB319D85CF51
                Function 06910006 Relevance: .3, Instructions: 299COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 644394320719592278732dfd27b96512e6f74f92720666ee3f794282cd36be04
                • Instruction ID: bdb8670ceee8b8f820ffe47ad5c024bfb13dc7256cb459eb51b634150b0caec5
                • Opcode Fuzzy Hash: 644394320719592278732dfd27b96512e6f74f92720666ee3f794282cd36be04
                • Instruction Fuzzy Hash: 35C17D70E0420DCFDB51CFA8C88579EBBF5BF89304F248529E414EB694EB759886CB91
                Function 069112B0 Relevance: .3, Instructions: 294COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d10e88148c34d5e39c8893d632b887298ff74969cf0f4285fca3c7819f3b6073
                • Instruction ID: 788ef1dd5ba638e9a331f4efd38118d3c557b570883a9f90b7249cabc447c43a
                • Opcode Fuzzy Hash: d10e88148c34d5e39c8893d632b887298ff74969cf0f4285fca3c7819f3b6073
                • Instruction Fuzzy Hash: 91C18178A10209CFCB89EF78D46496D77F2FF887057604A6AE506AB764DF31AC46CB40
                Function 06910905 Relevance: .3, Instructions: 261COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6307455af25dc57bd334a12fa4d86a858c3a6f76bed26b4f201cd42764e1228e
                • Instruction ID: 97bc20fefa60b072f257ea2f9475a44c63ad772ad7577714c9a712478745fa2a
                • Opcode Fuzzy Hash: 6307455af25dc57bd334a12fa4d86a858c3a6f76bed26b4f201cd42764e1228e
                • Instruction Fuzzy Hash: C0A17B70E0020ECFDF50CFA8D98579EBBF5BF88314F248529D419AB694EB759881CB91
                Function 0691C518 Relevance: .2, Instructions: 195COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4ea0b377866297954a716316f110212bec53397ded3eb19861ac554a02ff2dc1
                • Instruction ID: f4493d5313434002c52134eb0082d464b3f107ad5a8bb5109c7b93865f29bb37
                • Opcode Fuzzy Hash: 4ea0b377866297954a716316f110212bec53397ded3eb19861ac554a02ff2dc1
                • Instruction Fuzzy Hash: AE813C78A0020ADFCB54DF64D4949ADBBB3FF88310B258559E806AB765DB30EC51CF91
                Function 0691BB48 Relevance: .2, Instructions: 191COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a8312f7a1c37527babf14207b86fd4fab37d6dddedcead5a7b90f163fffbf9fa
                • Instruction ID: 8f41f158545aacf14ccd82ec123fdac2d337193e89771fdfb5690feb916f0674
                • Opcode Fuzzy Hash: a8312f7a1c37527babf14207b86fd4fab37d6dddedcead5a7b90f163fffbf9fa
                • Instruction Fuzzy Hash: 77712A75E0020A8FDB54DFA9C4546AEBBF7BF89300F24852AD505AB394DB709C45CB81
                Function 06911412 Relevance: .2, Instructions: 184COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1afb63507148db11c3fcf6fdef94ce7d036d100cfb0666c74dfd4ec32481c989
                • Instruction ID: afff0d4473f2468a74021b35d86dc937b72bcbe23a180831d3ec29348e699fcb
                • Opcode Fuzzy Hash: 1afb63507148db11c3fcf6fdef94ce7d036d100cfb0666c74dfd4ec32481c989
                • Instruction Fuzzy Hash: EA718078B10209CFCB89EF78E46442D77B2FF88705760492AD906AB768DF35AC42CB50
                Function 0691B930 Relevance: .2, Instructions: 153COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a37c88b61ec3ba474c3fd81f382ab47c12c58847b8e1171d827886da3a149abe
                • Instruction ID: 08c76e679d882ae19cef3c52f21d30e3e1d0f836d4fd025976a25da047c0359d
                • Opcode Fuzzy Hash: a37c88b61ec3ba474c3fd81f382ab47c12c58847b8e1171d827886da3a149abe
                • Instruction Fuzzy Hash: 1951EA74A0021DAFDB14DFA4E8949EDBBB7FF88310F244469E912AB764DB349C41CB51
                Function 0691C8EF Relevance: .1, Instructions: 140COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 217206b8dd3f199fe23a6b648028f909ec296f1499339e9739f243334741e5b5
                • Instruction ID: 5081ecf85c49ebaf25190eb587af624a05d461ccd819001c8de99939c1ce569f
                • Opcode Fuzzy Hash: 217206b8dd3f199fe23a6b648028f909ec296f1499339e9739f243334741e5b5
                • Instruction Fuzzy Hash: 1B510A38A40209DFCB14DFA4D994AADBBB2FF88310F258558E805AB765CB35EC52CF50
                Function 06911A50 Relevance: .1, Instructions: 119COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 77704f1358b21a811fde5f0f585fe4c3b411b556e7b3d32038f598f20641ac8a
                • Instruction ID: c511844ddbe2d8fdbde19ed8f267ba122b3aa26fb8611d943ee546b3e8b04944
                • Opcode Fuzzy Hash: 77704f1358b21a811fde5f0f585fe4c3b411b556e7b3d32038f598f20641ac8a
                • Instruction Fuzzy Hash: 7B41907094420EEBEB54EF94D5987AEBBF2EB88300F304865C241BEB84DB754D84CB95
                Function 0691BE28 Relevance: .1, Instructions: 111COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4332487afb6e5243e3d4b1ea641f3438307ca12c25bdcc4caad7a08f5c28eef2
                • Instruction ID: 8a6697e37c5f745893d798da34100322145521e4a96175578310a13fe51779cc
                • Opcode Fuzzy Hash: 4332487afb6e5243e3d4b1ea641f3438307ca12c25bdcc4caad7a08f5c28eef2
                • Instruction Fuzzy Hash: 5231DE30B002098FD759DB68C86477EBBB6EF89310F2484AAD609CB795DB319D41CBD2
                Function 06918C50 Relevance: .1, Instructions: 109COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 430e9010a348a85ed4d7cd21f4a36efe565a9b329618f5f6ab7650a6a62fa952
                • Instruction ID: a68c7c27e20f2375fbbd2a92575c38675fd22c9db9addaab404ba2df247b5947
                • Opcode Fuzzy Hash: 430e9010a348a85ed4d7cd21f4a36efe565a9b329618f5f6ab7650a6a62fa952
                • Instruction Fuzzy Hash: D131D170F0424D9FDB14EF79C8247AE7BB2AF85300F2044AAD5059B295DB789D05DB92
                Function 069164DF Relevance: .1, Instructions: 103COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9cb0c7f2873c1267abbab0d7642b3410c92c0cbdd40ed3b4a472e1ac463781b1
                • Instruction ID: 7307d7d15607fd222328990070ea6356c1207745e465f48b4de1943bd826bc00
                • Opcode Fuzzy Hash: 9cb0c7f2873c1267abbab0d7642b3410c92c0cbdd40ed3b4a472e1ac463781b1
                • Instruction Fuzzy Hash: 35310871E0475E8FCB01AF78D8601EAB7B1FF85300B20866BD495EB255EF34A985CB91
                Function 06911651 Relevance: .1, Instructions: 101COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7fadc68f8339445c6aacb2d71630426a6c0d7c26d3b7e69ed11f6addcb0aec1b
                • Instruction ID: 201a2ac19be1029072ef50f85bb0f387eebbc428e49a9e839ba9c2b0bb9ab18c
                • Opcode Fuzzy Hash: 7fadc68f8339445c6aacb2d71630426a6c0d7c26d3b7e69ed11f6addcb0aec1b
                • Instruction Fuzzy Hash: 56416F78A00219CFCB89EFB9E46446D7BB2FFC8700760452AD902AB768DF309C06CB50
                Function 06915EA8 Relevance: .1, Instructions: 96COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 319037454cc203d2390297d30e3d60207f806972585835584b3cf3ebd20919d8
                • Instruction ID: 71641deda5c9cf56381767552a0bd8a4e19ac31e79fdf376d86f83f1ab47f65f
                • Opcode Fuzzy Hash: 319037454cc203d2390297d30e3d60207f806972585835584b3cf3ebd20919d8
                • Instruction Fuzzy Hash: A1313974B0020D8FD748EF69C468A6E7BF6EB8C700F2644A8E5069B7A0DB35DC40CB51
                Function 069134EF Relevance: .1, Instructions: 93COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e25d7710cb943f2d89647c6934f0c13530317e402206b3c88661f37ba20adc59
                • Instruction ID: fc22e26b651e02d47d674ca789459a70e762e6fb077e2918ef4535d23d7b31bf
                • Opcode Fuzzy Hash: e25d7710cb943f2d89647c6934f0c13530317e402206b3c88661f37ba20adc59
                • Instruction Fuzzy Hash: 2A21AC6210F3D61FC3436B385C645EA3FA69FD3154B2A08DBE081CF1A3D918594AC3B2
                Function 069193B7 Relevance: .1, Instructions: 92COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 58c444a744b2746d578961f72c57c7940ee3b42cb1216c7a3406196aaff4244c
                • Instruction ID: d981c063f1de236e9717c4e62d4912fc9e565e6240d3c19bdfab5e5c78eb8119
                • Opcode Fuzzy Hash: 58c444a744b2746d578961f72c57c7940ee3b42cb1216c7a3406196aaff4244c
                • Instruction Fuzzy Hash: 3A31BC72D0074A8ACB11EFB9C8502D9B772FF99311F24875AE58977280EB70B9D5CB81
                Function 06914AC8 Relevance: .1, Instructions: 91COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d04c9ea15f672bc25cd446009ef285b5a228e3601b75e883058414ecbf0b9402
                • Instruction ID: 6b8b80ea02d8c12376d09a46cd2499c043847c153262bc2a8e87d65970a1b1d9
                • Opcode Fuzzy Hash: d04c9ea15f672bc25cd446009ef285b5a228e3601b75e883058414ecbf0b9402
                • Instruction Fuzzy Hash: D341F5B590020EEFCF01AFA2E858AADBFB2FB48301F104499F611A7264C7395D91DF56
                Function 06915E9A Relevance: .1, Instructions: 89COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ae0378c62335ef8cc97cf60239831d818a5c9e69d6a5fcf712bfc77b43fd7f89
                • Instruction ID: 0b5a8d109a3c217793be84f147ea7c991454f97101b11ed0e177b2b75da01d0d
                • Opcode Fuzzy Hash: ae0378c62335ef8cc97cf60239831d818a5c9e69d6a5fcf712bfc77b43fd7f89
                • Instruction Fuzzy Hash: E9312974B0020D9FD754DF69C498BAE7BF6EB8C700F2644A8E5069B7A0CB319C41CBA1
                Function 069193C8 Relevance: .1, Instructions: 85COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 65162995f2272895cdeeb2060e8e3a890adae9df32f6c12f4555e00e4e2907c2
                • Instruction ID: 5a399034561d8d37a744a82e7415764d3ed81219ade05ca154f0ece0af898c92
                • Opcode Fuzzy Hash: 65162995f2272895cdeeb2060e8e3a890adae9df32f6c12f4555e00e4e2907c2
                • Instruction Fuzzy Hash: 9E318B31D0070A8ACB10EFBAD850299F372FF99321F208716E55977240EB70B9D5CB85
                Function 06914AD8 Relevance: .1, Instructions: 83COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c9318d7cc4e35df5680c9e1e89313b6e14c179353cbb32fe2a4a83def1d13846
                • Instruction ID: c5e53844ca5ac9cb3a052d6e344ab5988b12c2592b12a78c9b0d814644fe6d5c
                • Opcode Fuzzy Hash: c9318d7cc4e35df5680c9e1e89313b6e14c179353cbb32fe2a4a83def1d13846
                • Instruction Fuzzy Hash: C431D5B590010EEFCF01AFA2E8589ADBFB2FB48301F104499F611A7264DB355D91DF56
                Function 06913C8F Relevance: .1, Instructions: 82COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ba1c6767e3caccd2a8648163868ccfc768566134452ec93431aca583ddb78dd8
                • Instruction ID: a142fcf02ffc28976f8a2aa1cd950541b58d5c122e0cb8c055e7ae682ddd7cce
                • Opcode Fuzzy Hash: ba1c6767e3caccd2a8648163868ccfc768566134452ec93431aca583ddb78dd8
                • Instruction Fuzzy Hash: 87313C7650020AEFCF01AFA1EC449A9BFB2FF48302F108495F60997660C73A5DA4EF51
                Function 0691D3C8 Relevance: .1, Instructions: 80COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 103be4ab34e8c5c276bb402db797263ae774fc3096eaaadbc762a81d14a3a118
                • Instruction ID: fb51596ddb88e5026e3e8270e09fd5c7ee46f301902ca96d9afbf0ae941c4d79
                • Opcode Fuzzy Hash: 103be4ab34e8c5c276bb402db797263ae774fc3096eaaadbc762a81d14a3a118
                • Instruction Fuzzy Hash: DB21A334A0020D9FDB51DF24C844AAB7BB5EF89350F248465E9158F3A1DB30ED46CBA1
                Function 06916528 Relevance: .1, Instructions: 77COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b635a09e1b9682aa96b26132a19de9ae529822125f1fcce8705dc04ab23ca4e8
                • Instruction ID: 0b56d46869f379b1c1b0102262fc2d8f531b43b016e6b9a91e6c09b02fa4a366
                • Opcode Fuzzy Hash: b635a09e1b9682aa96b26132a19de9ae529822125f1fcce8705dc04ab23ca4e8
                • Instruction Fuzzy Hash: 6031B131E0060ECFCF11AFB9C4101AAB3B2FF85300B20866AC55AA7644EF34E981CB91
                Function 06919770 Relevance: .1, Instructions: 74COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: cb3de64674f6d0dd01920b941169421fd1a55074a8c6a82aab81fc839446272c
                • Instruction ID: da5517e676e6c02d61e7b809daa9dcdbb3b96086e0091fe3ea8f79dcf45396c3
                • Opcode Fuzzy Hash: cb3de64674f6d0dd01920b941169421fd1a55074a8c6a82aab81fc839446272c
                • Instruction Fuzzy Hash: 3821A771B0864DCFD749AB75A42923A3AA7EB41602B2405EDD603CBA91DE39CC41C753
                Function 06919762 Relevance: .1, Instructions: 74COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 67960877dd3160f0db3cf41066612c753012f907fa100e1adf9147f6cd26a833
                • Instruction ID: d10a6c82032c53a2677d17487d4b73de8a4dbd2198cfc3bf979bbe0d32d61d7c
                • Opcode Fuzzy Hash: 67960877dd3160f0db3cf41066612c753012f907fa100e1adf9147f6cd26a833
                • Instruction Fuzzy Hash: F721F871B0974DCFD7556B71A42913A3FABAF4190272406DEE243CAA91DB38CC06C763
                Function 06911D13 Relevance: .1, Instructions: 73COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1f1799997684c2ff350cd0d254a135617274ef62d61fb2e4dfc4e9e890829b99
                • Instruction ID: d8df9dd8ff2a3fae4bc9efdfd9980ee743427b411bb7ed1e459131b84d4b8151
                • Opcode Fuzzy Hash: 1f1799997684c2ff350cd0d254a135617274ef62d61fb2e4dfc4e9e890829b99
                • Instruction Fuzzy Hash: EF21E734606284DFDF41AB74C8546EE3FF6EF8A210F240596D183DB792DA788D02C7A2
                Function 014ED04C Relevance: .1, Instructions: 72COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4455564630.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_14ed000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6734cce8c2e86fa22e2ea32d17703263d8322e319bba664a972b78568c32d3e5
                • Instruction ID: 5b68c7468ac5be34374ac0941a7a6b5e834c54fd76e5a56dc1655b2df3d5b75b
                • Opcode Fuzzy Hash: 6734cce8c2e86fa22e2ea32d17703263d8322e319bba664a972b78568c32d3e5
                • Instruction Fuzzy Hash: DC2134B1904200DFDB05DF58D9C8B26BFA5FB84319F28C5AED80A4B366C336D407CA61
                Function 06913CA0 Relevance: .1, Instructions: 72COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9b4d48a5d1acf5fe98a9340825ca2d378c6443a7ba521bc98257974f117290f4
                • Instruction ID: 77c2ca64aef3d53d1e66fa8280039ddb21c577916e6830236d82e7ebd95e2789
                • Opcode Fuzzy Hash: 9b4d48a5d1acf5fe98a9340825ca2d378c6443a7ba521bc98257974f117290f4
                • Instruction Fuzzy Hash: 9931FC7590010AEFDF01AFA5EC54A69BFB2FF48302F108454F60A96660D73A5DA0EF51
                Function 06912F58 Relevance: .1, Instructions: 70COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 51e5bd4c91481a7caca52ee127e61b71a1c23d9db380e1e14cd8ccf038548126
                • Instruction ID: 38fc5d3fe83bc0aabd3e3024f440ad167027c61d4a17dd356d4484ad432c661c
                • Opcode Fuzzy Hash: 51e5bd4c91481a7caca52ee127e61b71a1c23d9db380e1e14cd8ccf038548126
                • Instruction Fuzzy Hash: 9721AC34A012058FCB50EF29D994AAA7BE2FF89700B5004ADF546977A5CB31AD05CB91
                Function 06913C69 Relevance: .1, Instructions: 67COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ddf5386e03b8d772fe73a9a240076517b39a038f4db5e060c39d7926ad198e7b
                • Instruction ID: 90f72617a173b7692496503df804681f9f52a16b016ed56a14da071e1afa3d39
                • Opcode Fuzzy Hash: ddf5386e03b8d772fe73a9a240076517b39a038f4db5e060c39d7926ad198e7b
                • Instruction Fuzzy Hash: 31213B7650020AEFCF02AFA1EC44EA97FB3FF49302B148059F60996661C73A5DA0EF51
                Function 0691B000 Relevance: .1, Instructions: 65COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 023332593018ec7f5044a3179635ddffb0acb73f0c4a9d3f5c99a814286a4a5e
                • Instruction ID: b9ec89e5cfa25dd8e6ba21c3bd3f2bc9e0fe446dbdb84c7c9a83a33e2917ee93
                • Opcode Fuzzy Hash: 023332593018ec7f5044a3179635ddffb0acb73f0c4a9d3f5c99a814286a4a5e
                • Instruction Fuzzy Hash: 4311E3343013089FC3666B35D85872A7BA7FFC5205F1408AEE24BCB655CAB59C06C762
                Function 06912F68 Relevance: .1, Instructions: 62COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 78dabbae76a2a765b75080aea2a329011121737c21768cfea2a2a8f3ab2fa007
                • Instruction ID: 8859a4e8a574d0d1c9e8d402ebae66d9dca7fa42baea13f55c832652b9c96e40
                • Opcode Fuzzy Hash: 78dabbae76a2a765b75080aea2a329011121737c21768cfea2a2a8f3ab2fa007
                • Instruction Fuzzy Hash: 42218C74A012088FCB94EF69D954A6E7BF2FF88B00F5004ADE646977A4DB31AD05CB91
                Function 06911E38 Relevance: .1, Instructions: 60COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7b2fd8458d9f9e3cd766cd3ea59913bb6576dd2952da92aed08637389759823f
                • Instruction ID: e88a75c9d9efcc431686fa839b59949279d8e2d6dd9d6e4feceb86ab6939771a
                • Opcode Fuzzy Hash: 7b2fd8458d9f9e3cd766cd3ea59913bb6576dd2952da92aed08637389759823f
                • Instruction Fuzzy Hash: D021C371E04619DFCB50CFB8C8849ADBBF4FF49324B3086AAE124DB6A1D3309901CB90
                Function 0691CC72 Relevance: .1, Instructions: 60COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9c58cba52bf0d0a68dee256cfa9b0a07972bdd4389354b9fbc314b37e595e05c
                • Instruction ID: 9b97a9a3e6b92f7cb4787f9708b0b5895379bc3617998ba0ebdcdf1cd381877c
                • Opcode Fuzzy Hash: 9c58cba52bf0d0a68dee256cfa9b0a07972bdd4389354b9fbc314b37e595e05c
                • Instruction Fuzzy Hash: 8C11A371300205ABCB04DE3AD850AAE379BEFD5251B608929F506CB390DF78DD85C7D0
                Function 0691CC78 Relevance: .1, Instructions: 57COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b21c0820246b01715b6d96dfc1cc7688626feb68d346ec0f73401b378ffc33db
                • Instruction ID: cb2f81f67a0c99ec1c4033ec1359c3e0a1021bb9e6fc64a7d046b29c3df3f285
                • Opcode Fuzzy Hash: b21c0820246b01715b6d96dfc1cc7688626feb68d346ec0f73401b378ffc33db
                • Instruction Fuzzy Hash: 9C11C2713002059BCB04EE2AD8906AE379BEFD5240F608929E506CF390DF78DD85C7D0
                Function 06911E48 Relevance: .1, Instructions: 54COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6c957732075273327f775d9cea3c233ffa0cc24af66aafac1c32a5edda1229e1
                • Instruction ID: e2b65a7d43588c1759255dcc6c625eacb16668e7af5fe2d738ce4a6d2e4cf54b
                • Opcode Fuzzy Hash: 6c957732075273327f775d9cea3c233ffa0cc24af66aafac1c32a5edda1229e1
                • Instruction Fuzzy Hash: EF117F75E00619DFCB40DFA8C88496DB7F4FF49320B208669E124DB760D3309901CB80
                Function 014ED047 Relevance: .1, Instructions: 53COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4455564630.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_14ed000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
                • Instruction ID: 73b9194b640305a5b9073dcb2160b87d4dd08165ab98a98faa8b57b0e1671f6a
                • Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
                • Instruction Fuzzy Hash: B111BE75904240CFDB06CF54D5C4B16FFB1FB44214F28C6AAD8494B766C33AD40ACB61
                Function 0691B010 Relevance: .1, Instructions: 51COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ff63f47ea4c6760c65b22c61ae66ca0dda37eed3406670e542c04856652a2317
                • Instruction ID: 6471252080dcc068574e61a42f1588bd6c65da617905c6e27e107d50af456670
                • Opcode Fuzzy Hash: ff63f47ea4c6760c65b22c61ae66ca0dda37eed3406670e542c04856652a2317
                • Instruction Fuzzy Hash: A901C0343003098FC765AB75D85872E7BA7FBC5219F20086DE20B8B755CEB1AC05C752
                Function 0691A780 Relevance: .0, Instructions: 49COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9caa24d5837a58a5e9d8f6f33a9bdf4c37008ccbc1effd221809d7d7143fda99
                • Instruction ID: b90b5ab933afe1cfb88cb9332429a1c4dd694956cddc221afbfb6e0bf63fc36e
                • Opcode Fuzzy Hash: 9caa24d5837a58a5e9d8f6f33a9bdf4c37008ccbc1effd221809d7d7143fda99
                • Instruction Fuzzy Hash: 9401B1352012069FC741CB29D844D9ABBFAEFC5300721C4AAF405CB621DBB0ED42CB90
                Function 06911D48 Relevance: .0, Instructions: 46COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5a7c6af1a503b879e2c739888d1e781039cb0482330a4e88ad7f89edb3115c80
                • Instruction ID: 5a80e84b3c3c6a4e8e1b2f2a64b466025c831b3f847a99d0f2035b1a394c16e7
                • Opcode Fuzzy Hash: 5a7c6af1a503b879e2c739888d1e781039cb0482330a4e88ad7f89edb3115c80
                • Instruction Fuzzy Hash: 08018C34701218DFDF84EB68C8187AE37F6EB89600F200429D106EB790DB748D00CBA6
                Function 06911920 Relevance: .0, Instructions: 45COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9a916b20b7d871ced51a3e006f02521b51c82691049df4de0c02c8500bbbb109
                • Instruction ID: 1b6ec90f678f998909345ef99c9a0a26a8c872f1a22fe5d857d2a15b475448e5
                • Opcode Fuzzy Hash: 9a916b20b7d871ced51a3e006f02521b51c82691049df4de0c02c8500bbbb109
                • Instruction Fuzzy Hash: C7F0C87319919A0FE3159B58F8627B1BF25EF02215F1C41B7E155CF697C41A9850D3A0
                Function 069135C0 Relevance: .0, Instructions: 43COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8bfda693e8cfca0945a4e11191e7715460a862fae17aeb0b83b897ac09ae2b85
                • Instruction ID: 9a31e483e9a1000aa914f23c67ea4216897205c30a543e3675465d50f7811a3b
                • Opcode Fuzzy Hash: 8bfda693e8cfca0945a4e11191e7715460a862fae17aeb0b83b897ac09ae2b85
                • Instruction Fuzzy Hash: DFF0F6713062062FCB077739A8645BE3B9BEBD661031408AEF106CB241DE352D4A83A3
                Function 0691BE18 Relevance: .0, Instructions: 43COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d72ac8491b2bcad9c2edcec98b95071e8eabb8f42b36688a98a7ed22a9a732f6
                • Instruction ID: ed7c3c733fb506166863722ca06de431a5cc35ce5256c6ffcea82796d8a7a759
                • Opcode Fuzzy Hash: d72ac8491b2bcad9c2edcec98b95071e8eabb8f42b36688a98a7ed22a9a732f6
                • Instruction Fuzzy Hash: BCF02B31B052085FC3149629DC54AE7FFEADBC9220F1485BBE509CB351DB31A900C7E1
                Function 06919AF8 Relevance: .0, Instructions: 43COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 150803ad1969712c3e6c3954aba8e9d0b7eff7aeabf4105fa61248a0ebc15c41
                • Instruction ID: ecb7f8269b4955b24cf1de63383e9919b9ae9988da7aee669f37bb1cb33223ea
                • Opcode Fuzzy Hash: 150803ad1969712c3e6c3954aba8e9d0b7eff7aeabf4105fa61248a0ebc15c41
                • Instruction Fuzzy Hash: 5A016932A01718AFCB10DF69D8049DEBBF6EF88700B00852AE959E3600D7706956CFE2
                Function 0691BB37 Relevance: .0, Instructions: 40COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ebaa0a02ef07c86e65da1858907ad7a8f5b8615dba2ef1f5b80141f3cba365c8
                • Instruction ID: cfe1ae1fe5e7d9656dc8afe241a46fbc4bf63f8f7afbd9af33e7515f00447b9e
                • Opcode Fuzzy Hash: ebaa0a02ef07c86e65da1858907ad7a8f5b8615dba2ef1f5b80141f3cba365c8
                • Instruction Fuzzy Hash: E1F02436B01308ABCB04EA99C4040DEBBFBDBCA351F68002AE508AB714C6301C15CBC1
                Function 0691A790 Relevance: .0, Instructions: 38COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 947b1c17d6e7f4828dccf128d0f174f5743c02bd92dff4d05c9a55ca5d144325
                • Instruction ID: 92958a63c481ea54487e10c56cb3ca4022866e34f8bfb0d65bcf80c5d1523bb2
                • Opcode Fuzzy Hash: 947b1c17d6e7f4828dccf128d0f174f5743c02bd92dff4d05c9a55ca5d144325
                • Instruction Fuzzy Hash: 0401693420060A8FC754DB29D444D9ABBF6FF84310B61C46AF8058BB21DBB0EE41CB90
                Function 06911F44 Relevance: .0, Instructions: 38COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 36e3112e2b7c13f7c9a54da95f8f0ed27111669abc074e5e38fba0e9a1c50519
                • Instruction ID: 154c2530aee272ee6333555cfa700b0b464572453907cfd74eb193c18d25b504
                • Opcode Fuzzy Hash: 36e3112e2b7c13f7c9a54da95f8f0ed27111669abc074e5e38fba0e9a1c50519
                • Instruction Fuzzy Hash: D7F0595A60B1561FD3026328AC320B23F99DA5210136446CBE442CF769EA04DC06D7A1
                Function 06919CF8 Relevance: .0, Instructions: 38COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 43c1695c1151f78ac97b116b4e6e8a63529a5cc4bb86aa969917bb1fb0d8943f
                • Instruction ID: 04f8d1687256d102e00e97545ec395c03fc38d50632d7e9e65d1de2d072c42eb
                • Opcode Fuzzy Hash: 43c1695c1151f78ac97b116b4e6e8a63529a5cc4bb86aa969917bb1fb0d8943f
                • Instruction Fuzzy Hash: 88F05973306B556FC3028B28D844C8ABFB9EF8162031941DAF4488B722CF10EC91C7E1
                Function 0691DC09 Relevance: .0, Instructions: 38COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c70eca00291c0e026c2992e9625fb5badb2b6b58441b17a6c8866c33aea88f0a
                • Instruction ID: a6388356339bba8ff9a82a25df2e5e9509995b7f18b6b5889387d8e5d5cec193
                • Opcode Fuzzy Hash: c70eca00291c0e026c2992e9625fb5badb2b6b58441b17a6c8866c33aea88f0a
                • Instruction Fuzzy Hash: 84F02439A0014967CF208A24EC40BCBBBAE9B40380F0004BAE506A6641EBB058A4CAF1
                Function 06913038 Relevance: .0, Instructions: 37COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e72591427e91bfc80b0c2b722965cfac92045c2852cb80923d7f8afee17d2d3c
                • Instruction ID: 3bcff5684cf437e0e7128950998e6c4e6f59a094544871163050d682058b1882
                • Opcode Fuzzy Hash: e72591427e91bfc80b0c2b722965cfac92045c2852cb80923d7f8afee17d2d3c
                • Instruction Fuzzy Hash: 22F0E9711063493FC701AB25EC285EA3FABEFC1710B04859FF14687591CBA41815C7E3
                Function 069119A8 Relevance: .0, Instructions: 37COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5c8d71555999e89024711287dab5f970a6ca20f4918d36caf778c6d16514225a
                • Instruction ID: b07227ac7dc242c2966dfda3f0e311304e176511ef543782053b79bd4404fc6c
                • Opcode Fuzzy Hash: 5c8d71555999e89024711287dab5f970a6ca20f4918d36caf778c6d16514225a
                • Instruction Fuzzy Hash: E9F09671F112199FCB40EFB9A40559E7BF4EF49250B200469D61ADB354EB308E00DBC1
                Function 06919A97 Relevance: .0, Instructions: 35COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 94c9735785816d6fc5fd787b6c18ddf514ca7b8ba980f22e14e6f767bbc65349
                • Instruction ID: b09fc063925e04e455e14a717f89ac76393c1ef793fb8436cf2593efebffd61a
                • Opcode Fuzzy Hash: 94c9735785816d6fc5fd787b6c18ddf514ca7b8ba980f22e14e6f767bbc65349
                • Instruction Fuzzy Hash: C6F05C353053483FC3012B7AA8188AB7F5AE7C651030040BAF109C3322CD750C4587B2
                Function 06915FF1 Relevance: .0, Instructions: 33COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f75bd6e9c78b30ddf8dea45b21b5c7332d73e2664c851ac4a33eb66dfc28f4a6
                • Instruction ID: e21cba24e797383741b023f19122bf3db221ec930f2d2b6b557d8ab9d6633159
                • Opcode Fuzzy Hash: f75bd6e9c78b30ddf8dea45b21b5c7332d73e2664c851ac4a33eb66dfc28f4a6
                • Instruction Fuzzy Hash: 53F0A7316093565FC706533A98140657F6A5EC265072541BBE908CB552EB25981983E6
                Function 069136B1 Relevance: .0, Instructions: 32COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0820f07aa4e530941dccfce3b1721673ed3e0e345338c4cc85cb3c9d22288e23
                • Instruction ID: d6a838242d8a40c93d7d8ce16b0abab6d0d1da9b476cece8c2fe58249e3aec95
                • Opcode Fuzzy Hash: 0820f07aa4e530941dccfce3b1721673ed3e0e345338c4cc85cb3c9d22288e23
                • Instruction Fuzzy Hash: 49F08C70501B098FD714DF62E908562BBF3FF883117008A6AE58AC2A11DB74A989CF96
                Function 069135D0 Relevance: .0, Instructions: 32COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3e50df4727b8f6f537b442110dd0e369fccc9df2dbd368a688bb150f73f12d61
                • Instruction ID: a67e0fd0852dc8c6043e5691f0b272896d8609bf73b58c21c1f6fee36c9a15ee
                • Opcode Fuzzy Hash: 3e50df4727b8f6f537b442110dd0e369fccc9df2dbd368a688bb150f73f12d61
                • Instruction Fuzzy Hash: 7BF0827130111A5BCA067B69E82467E3A9BEBD5650314086DE107CB244DE666D468392
                Function 06913558 Relevance: .0, Instructions: 31COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 00a44fb9842b1726dd8fc5b89a674f6e597e60019c61d51e2850cd2bb17bbf33
                • Instruction ID: 6d257245578d86917fd4a7650489ffe68553459d5aff7bbef7a1ce0669aba0a0
                • Opcode Fuzzy Hash: 00a44fb9842b1726dd8fc5b89a674f6e597e60019c61d51e2850cd2bb17bbf33
                • Instruction Fuzzy Hash: 63F0A07230010A0FCB8ABB3AA82447E3A97FFE5650364087EE507C7644DD347D468792
                Function 0691BB05 Relevance: .0, Instructions: 31COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e4b6da17f1078ed9bbe603c4693e13339eeacf3953d9854208ee9092ddc8ef56
                • Instruction ID: 725e73d8a6913e59cc485188cbbcd6a39323936baffd7deac764d107945ddd55
                • Opcode Fuzzy Hash: e4b6da17f1078ed9bbe603c4693e13339eeacf3953d9854208ee9092ddc8ef56
                • Instruction Fuzzy Hash: 8001F674A4121DAFDB11CF90D895FEDBB72BF48300F244005E801BB6A9C774A940DB91
                Function 06919B08 Relevance: .0, Instructions: 31COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ac85282cdf4b38db753c2075b8287db2affc2415af7ae2acc008856360b1ddff
                • Instruction ID: bf4cd3f7c9044379656bacf2e601a2cff48e0d526ddf62359bda1a77d06c067c
                • Opcode Fuzzy Hash: ac85282cdf4b38db753c2075b8287db2affc2415af7ae2acc008856360b1ddff
                • Instruction Fuzzy Hash: 04F0F471A0021D8FCB50EF69D8045AEBBF6FF88711B10896AE919E7200E7746A05CBD5
                Function 06911F00 Relevance: .0, Instructions: 29COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 873b416af0f1aaa78609ea41bd109b473fc59ecde0041be612c3cee8cbfca589
                • Instruction ID: 31e5694ebe9d00349671f54948a8dfe467102def132ece2490844e78dfed5fc0
                • Opcode Fuzzy Hash: 873b416af0f1aaa78609ea41bd109b473fc59ecde0041be612c3cee8cbfca589
                • Instruction Fuzzy Hash: A9E0262E32711A1FC3077228BC314BA3B9EDB82511320429BF402CF359EE609C0687F1
                Function 06919D08 Relevance: .0, Instructions: 28COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 655b213ff530763aad6d1fb19f91ac1965e1517cf51b6ec5f3c618fd177e2e08
                • Instruction ID: 018c8213be267f7d6cfe1781363b85eedc25e9d5dfd7b79f45d78ddb43fa7ed1
                • Opcode Fuzzy Hash: 655b213ff530763aad6d1fb19f91ac1965e1517cf51b6ec5f3c618fd177e2e08
                • Instruction Fuzzy Hash: 31F0E532301A2A5FC3018F28D804C4ABBB9EF80620315819AF8088B721CB20FD40C7C0
                Function 069136C0 Relevance: .0, Instructions: 27COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 25f8ee9c5de98adca459b0e268f170a711a4a3c0851f05f843f0c8a0fdc456f9
                • Instruction ID: 54bc8af6e1e895a34d81e58b5a3c65df5e7e6803d27ba3fd00d6bd7ac67e4b1a
                • Opcode Fuzzy Hash: 25f8ee9c5de98adca459b0e268f170a711a4a3c0851f05f843f0c8a0fdc456f9
                • Instruction Fuzzy Hash: 06F03070501B09CFD714DF26D508566BBF3FF88315700896DE58AC2A10DB74A589CF95
                Function 06911240 Relevance: .0, Instructions: 26COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 831687c91d3b99efbb085be663b554910ad44757a88d55c31350dd955c329702
                • Instruction ID: da65339f6b55a9146efde8047c8653d900529c9fa212423ec41ce383e419700c
                • Opcode Fuzzy Hash: 831687c91d3b99efbb085be663b554910ad44757a88d55c31350dd955c329702
                • Instruction Fuzzy Hash: DDE09275506289AFC742DFA4ED158ADBBB9EB0120072041DBE409EB252EA302F1487A2
                Function 06919D51 Relevance: .0, Instructions: 26COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3a63086b94aad568d621310eacefbee94d878be81cd5b9317c78b8b55028da03
                • Instruction ID: 6bfd8834976f2f4a9f40b4e5f6118de40233a7020408a5aa99fd8b138a03a302
                • Opcode Fuzzy Hash: 3a63086b94aad568d621310eacefbee94d878be81cd5b9317c78b8b55028da03
                • Instruction Fuzzy Hash: 6AE0D872205354AFC359DB75B41088D7FA6DEC521470540EED445C7342EE35588083A1
                Function 06919AA8 Relevance: .0, Instructions: 26COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3e13179ec3c272ff97ea2372633a6ece0242510298845cde9d359f5fef58a830
                • Instruction ID: 93e9bac12ad3b28906e070abb0d2a184796d92101b81f7ab1bfac82e4488ef4f
                • Opcode Fuzzy Hash: 3e13179ec3c272ff97ea2372633a6ece0242510298845cde9d359f5fef58a830
                • Instruction Fuzzy Hash: 39E0267530020C2BC7007BAFF8588AB7B9EF7C9A217100479F60A83321CEB54C45C6A2
                Function 06913048 Relevance: .0, Instructions: 24COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1bdfea9e05d93fb8f81139a6775a6e50f795776cf49291665bba0b1fa022394c
                • Instruction ID: 8f3dac8cc2cd18eb72585cffb8c2d13a4eb2d7f49ee84d7ec8ba2f5d084cdbed
                • Opcode Fuzzy Hash: 1bdfea9e05d93fb8f81139a6775a6e50f795776cf49291665bba0b1fa022394c
                • Instruction Fuzzy Hash: 77E0D8702012065FC701FB16E4286BD7BE7EFC0710F40895EE10B87650CF74684687D2
                Function 06918C40 Relevance: .0, Instructions: 24COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d2b778228e403a096f104ce8f6ccdbac0c86bdd6f11928eafef0f3cf22bfd651
                • Instruction ID: eeb512f51c4fb9b0c4d76cb05a2f8b4b196e30ead483cd46d7fb097705a7a3f7
                • Opcode Fuzzy Hash: d2b778228e403a096f104ce8f6ccdbac0c86bdd6f11928eafef0f3cf22bfd651
                • Instruction Fuzzy Hash: 0CE0C235B012089FD7149B79F80D99A3FBEDF8661176181A2F50ACB365EA71DC10CBE2
                Function 06918E21 Relevance: .0, Instructions: 22COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2c76ca0e669cf2bcfa7b5897a768bfc08a2207ab825a33d7edbbb600ff80cb61
                • Instruction ID: 3a6d8c509ffb592086550db8a634a9b989df254199d93dcb37f383ce4cc5f32d
                • Opcode Fuzzy Hash: 2c76ca0e669cf2bcfa7b5897a768bfc08a2207ab825a33d7edbbb600ff80cb61
                • Instruction Fuzzy Hash: 3CD02BB36053142F87059AA854904CE7FAECBC4120F0040B7D509D7242ED610D0042EA
                Function 06919A50 Relevance: .0, Instructions: 22COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 70af9e66f5f70e0bec5a9c11409d41425b6cf3f234aaf4df669a2ba8c8227f58
                • Instruction ID: 9e9f166c946e71b9716c0226a4bc87bbed1eea1560f3e634b6bc557457c8562d
                • Opcode Fuzzy Hash: 70af9e66f5f70e0bec5a9c11409d41425b6cf3f234aaf4df669a2ba8c8227f58
                • Instruction Fuzzy Hash: E1E020B55185844FCB46DF35C4107D73BE2D7C6500F154196D045CB172C7788CC5C751
                Function 06913780 Relevance: .0, Instructions: 21COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c820a5a57c1039bbf8bb8ca785875e451ea50cad43336db27c3758363846fe00
                • Instruction ID: 6170c9553b363dbdcf70dfff7d7d474fc398ca8f34082ddf55cf479b6ff4ac9c
                • Opcode Fuzzy Hash: c820a5a57c1039bbf8bb8ca785875e451ea50cad43336db27c3758363846fe00
                • Instruction Fuzzy Hash: 51E0C2551082988FD312EB28C4697D63BA1A7C2200FC840D6D080CB6A6CE5C890ECBA2
                Function 06919D60 Relevance: .0, Instructions: 21COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 138edd1819ca143e797c92d3acb95d4ca445f8fcca37d05964a7db740e735b1f
                • Instruction ID: 0b283c5af0da83e16e521e3973e72389a2c7157c60c4c6afe3489460f1f33cc1
                • Opcode Fuzzy Hash: 138edd1819ca143e797c92d3acb95d4ca445f8fcca37d05964a7db740e735b1f
                • Instruction Fuzzy Hash: D0E0C2322003149FC748EB79E00048E7BAADBC822471044BED409D7300EE36A8C087D5
                Function 0691BF60 Relevance: .0, Instructions: 19COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 767e16292a2da62a53e5fcc08f88f7f1d2c1829cb6cf5a4ac28d44a675d2fbc3
                • Instruction ID: ae10a6af255be7897e73294d06cc44b808e6cf0ad31d6d7d2c4972fa51cabd9a
                • Opcode Fuzzy Hash: 767e16292a2da62a53e5fcc08f88f7f1d2c1829cb6cf5a4ac28d44a675d2fbc3
                • Instruction Fuzzy Hash: 82E092B4D0420D9F8B94DFA9D4415BEBFF4AB48200F10816AE918E3350E6345A51CFE5
                Function 06911250 Relevance: .0, Instructions: 16COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8adae54ec86d6f88a35a51fb7dcde7f0ef12ee64324851e02fcfc06867a4723e
                • Instruction ID: 58506758bf61361565320aceb2a394ddb4e3b1b7772528531ccf889787825dd7
                • Opcode Fuzzy Hash: 8adae54ec86d6f88a35a51fb7dcde7f0ef12ee64324851e02fcfc06867a4723e
                • Instruction Fuzzy Hash: FED05BB490110DEFCB41EFB8D91155DB7F5EB54200B50459BD909E3310DA312F009741
                Function 06918E30 Relevance: .0, Instructions: 16COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f258da86908c1b475def5abc4a9ad7411208001fef07a495fcf93a4a17dbb623
                • Instruction ID: 396b7832fbd4a8b9e57e9f1f293fb673bd751ea8557180156b3038d06cd680da
                • Opcode Fuzzy Hash: f258da86908c1b475def5abc4a9ad7411208001fef07a495fcf93a4a17dbb623
                • Instruction Fuzzy Hash: 70D012726042182B5B45EAAD54504DE7F9DDB84170F0040BBD509D7241ED715E4442DE

                Non-executed Functions

                Function 0691CED8 Relevance: 1.6, Strings: 1, Instructions: 390COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4458380227.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6910000_6Oq2eXtHmE.jbxd
                Similarity
                • API ID:
                • String ID: Haq
                • API String ID: 0-725504367
                • Opcode ID: e99f0113ccca30acbae790bb8b548476aa929d2a7321c39ad18f22dbfebc737c
                • Instruction ID: 58983cd222ec57490a3e8279fcab4963d732318725718b5b44d56f375aa0912b
                • Opcode Fuzzy Hash: e99f0113ccca30acbae790bb8b548476aa929d2a7321c39ad18f22dbfebc737c
                • Instruction Fuzzy Hash: 6FD18174B002098FCB54DFB9C854A6E7BFABF89240B2584A9E505DB3A5DF30DC02CB91