Edit tour

Windows Analysis Report
21FuuTyh3g.exe

Overview

General Information

Sample name:	21FuuTyh3g.exe renamed because original name is a hash value
Original sample name:	E6398ED6CA5A0F1C041B10ACB0BA17A4.exe
Analysis ID:	1537535
MD5:	e6398ed6ca5a0f1c041b10acb0ba17a4
SHA1:	24314373c9a131ee397fbbb4a93162f64819d8c4
SHA256:	167840f5f5ad88007e20720f09445a1d6b4f8e1c2f4e8d9238a0b918c62ed5fb
Tags:	exeRedLineStealeruser-abuse_ch
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected RedLine Stealer

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to call native functions

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

One or more processes crash

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

21FuuTyh3g.exe (PID: 6216 cmdline: "C:\Users\user\Desktop\21FuuTyh3g.exe" MD5: E6398ED6CA5A0F1C041B10ACB0BA17A4)

InstallUtil.exe (PID: 5016 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

WerFault.exe (PID: 6604 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 12 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["104.168.34.185:2819"], "Bot Id": "success", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1886030941.00000000045B8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.1891873011.00000000064E0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000002.00000002.1879161721.0000000000802000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1877042289.0000000003351000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: 21FuuTyh3g.exe PID: 6216	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: 21FuuTyh3g.exe PID: 6216	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 21FuuTyh3g.exe PID: 6216	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 5016	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.21FuuTyh3g.exe.64e0000.10.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
2.2.InstallUtil.exe.800000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.21FuuTyh3g.exe.462c290.5.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.21FuuTyh3g.exe.4447540.2.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.21FuuTyh3g.exe.462c290.5.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.21FuuTyh3g.exe.462c290.5.raw.unpack

Malware Configuration Extractor: RedLine {"C2 url": ["104.168.34.185:2819"], "Bot Id": "success", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}

Multi AV Scanner detection for domain / URL

Source: 104.168.34.185:2819

Virustotal: Detection: 9%

Perma Link

Multi AV Scanner detection for submitted file

Source: 21FuuTyh3g.exe	ReversingLabs: Detection: 70%
Source: 21FuuTyh3g.exe	Virustotal: Detection: 54%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 21FuuTyh3g.exe

Joe Sandbox ML: detected

Source: 21FuuTyh3g.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 21FuuTyh3g.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003702000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000479B000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1897614308.0000000006780000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003702000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000479B000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1897614308.0000000006780000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 4x nop then jmp 065C8661h	0_2_065C8600
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 4x nop then jmp 065C8268h	0_2_065C7EF8
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 4x nop then jmp 065C8268h	0_2_065C7EE8
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 4x nop then jmp 065C8661h	0_2_065C85F0
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 4x nop then jmp 0661549Bh	0_2_066152E8
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 4x nop then jmp 0661549Bh	0_2_066152D8

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 104.168.34.185:2819

Source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000045B8000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1879161721.0000000000802000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_066124D0 NtResumeThread,	0_2_066124D0
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06611398 NtProtectVirtualMemory,	0_2_06611398
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06612128 NtUnmapViewOfSection,	0_2_06612128
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_066124C8 NtResumeThread,	0_2_066124C8
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06612581 NtResumeThread,	0_2_06612581
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06611377 NtProtectVirtualMemory,	0_2_06611377
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06612120 NtUnmapViewOfSection,	0_2_06612120
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_066121D1 NtUnmapViewOfSection,	0_2_066121D1

Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_0320DB6C	0_2_0320DB6C
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_064B0D50	0_2_064B0D50
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_064B9990	0_2_064B9990
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_064B8478	0_2_064B8478
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_064B8488	0_2_064B8488
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_064B9EF8	0_2_064B9EF8
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_064B9EF2	0_2_064B9EF2
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_064B0D3F	0_2_064B0D3F
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_064B4A4D	0_2_064B4A4D
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_064B2B21	0_2_064B2B21
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_064B2B30	0_2_064B2B30
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_064B9980	0_2_064B9980
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065CBE58	0_2_065CBE58
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065CBE01	0_2_065CBE01
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065CEE21	0_2_065CEE21
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065CEE80	0_2_065CEE80
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065CE1E8	0_2_065CE1E8
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065C5258	0_2_065C5258
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065CBE48	0_2_065CBE48
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065C2EAE	0_2_065C2EAE
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065CD7C0	0_2_065CD7C0
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065CE1E2	0_2_065CE1E2
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065E0040	0_2_065E0040
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065E0006	0_2_065E0006
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065F552F	0_2_065F552F
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065F18A7	0_2_065F18A7
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065F22F9	0_2_065F22F9
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065F6B48	0_2_065F6B48
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065F5867	0_2_065F5867
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065F1916	0_2_065F1916
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_066100D0	0_2_066100D0
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06616DF7	0_2_06616DF7
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06614268	0_2_06614268
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06614258	0_2_06614258
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_0661920A	0_2_0661920A
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06616B48	0_2_06616B48
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06619352	0_2_06619352
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06616B38	0_2_06616B38
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_066100C1	0_2_066100C1
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_0661A9C8	0_2_0661A9C8
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_0661A9D8	0_2_0661A9D8
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06620B78	0_2_06620B78
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06620B68	0_2_06620B68
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_0696D848	0_2_0696D848
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_0696CB90	0_2_0696CB90
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06950006	0_2_06950006
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06950040	0_2_06950040

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 12

Source: 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000045B8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSteanings.exe8 vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003702000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000479B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000002.1897614308.0000000006780000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.00000000034B4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSteanings.exe8 vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000002.1888466530.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameUlmgpiqs.dll" vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSteanings.exe8 vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUlmgpiqs.dll" vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003351000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000002.1876345471.000000000158E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000000.1655986323.0000000000F36000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePqlcq.exe, vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe	Binary or memory string: OriginalFilenamePqlcq.exe, vs 21FuuTyh3g.exe

Source: 21FuuTyh3g.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 21FuuTyh3g.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/0@0/0

Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6604:64:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\723fe924-8f78-4798-98ba-0ce505a1b608

Jump to behavior

Source: 21FuuTyh3g.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 21FuuTyh3g.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\21FuuTyh3g.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 21FuuTyh3g.exe	ReversingLabs: Detection: 70%
Source: 21FuuTyh3g.exe	Virustotal: Detection: 54%

Source: unknown	Process created: C:\Users\user\Desktop\21FuuTyh3g.exe "C:\Users\user\Desktop\21FuuTyh3g.exe"
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 12
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\21FuuTyh3g.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\21FuuTyh3g.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 21FuuTyh3g.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 21FuuTyh3g.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 21FuuTyh3g.exe

Static file information: File size 1291264 > 1048576

Source: 21FuuTyh3g.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x11e600

Source: 21FuuTyh3g.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003702000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000479B000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1897614308.0000000006780000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003702000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000479B000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1897614308.0000000006780000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 21FuuTyh3g.exe, FactoryVisitorComp.cs	.Net Code: ExcludeWorker System.AppDomain.Load(byte[])
Source: 0.2.21FuuTyh3g.exe.452d5a0.6.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.21FuuTyh3g.exe.452d5a0.6.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.21FuuTyh3g.exe.452d5a0.6.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.21FuuTyh3g.exe.452d5a0.6.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.21FuuTyh3g.exe.452d5a0.6.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.21FuuTyh3g.exe.64e0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.21FuuTyh3g.exe.4447540.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1891873011.00000000064E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1877042289.0000000003351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 21FuuTyh3g.exe PID: 6216, type: MEMORYSTR

Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_064BDCAD push ecx; ret	0_2_064BDCB4
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_064B4A45 push es; retf	0_2_064B4A4C
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065CB86E push es; iretd	0_2_065CB870
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065C2800 push esp; iretd	0_2_065C280D
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065C28B1 push es; ret	0_2_065C28C0
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065FA24E push cs; retf	0_2_065FA24F
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065FA0AE pushfd ; ret	0_2_065FA0B1
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_0661AE88 pushad ; iretd	0_2_0661AE95
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_069535FD push es; retf	0_2_06953600
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_0695713C push ss; ret	0_2_06957147

Source: 21FuuTyh3g.exe

Static PE information: section name: .text entropy: 7.860639651513403

Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: 21FuuTyh3g.exe PID: 6216, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003351000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Memory allocated: 31C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Memory allocated: 3350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Memory allocated: 5350000 memory reserve \| memory write watch	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003351000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003351000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual

Source: C:\Users\user\Desktop\21FuuTyh3g.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process token adjusted: Debug			Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\21FuuTyh3g.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 21FuuTyh3g.exe, CollectionVisitorComp.cs	Reference to suspicious API methods: ((Application)P_0).TryFindResource(P_1)
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, NativeMethods.cs	Reference to suspicious API methods: OpenProcessToken(hProcess, desiredAccess, out var TokenHandle)
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, ResourceReferenceValue.cs	Reference to suspicious API methods: NativeMethods.LoadLibrary(ResourceFilePath)

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\21FuuTyh3g.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 800000 value starts with: 4D5A

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\21FuuTyh3g.exe

Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base address: 400000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 800000	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 802000	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 832000	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 850000	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 716008	Jump to behavior

Source: C:\Users\user\Desktop\21FuuTyh3g.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

Jump to behavior

Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Queries volume information: C:\Users\user\Desktop\21FuuTyh3g.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\21FuuTyh3g.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: 2.2.InstallUtil.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.21FuuTyh3g.exe.462c290.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.21FuuTyh3g.exe.462c290.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1886030941.00000000045B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1879161721.0000000000802000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 21FuuTyh3g.exe PID: 6216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 5016, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: 2.2.InstallUtil.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.21FuuTyh3g.exe.462c290.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.21FuuTyh3g.exe.462c290.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1886030941.00000000045B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1879161721.0000000000802000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 21FuuTyh3g.exe PID: 6216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 5016, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	311 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	Logon Script (Windows)	1 DLL Side-Loading	311 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
21FuuTyh3g.exe	70%	ReversingLabs	ByteCode-MSIL.Backdoor.FormBook
21FuuTyh3g.exe	55%	Virustotal		Browse
21FuuTyh3g.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://api.ip.sb/ip	0%	URL Reputation	safe
https://stackoverflow.com/q/14436606/23354	0%	URL Reputation	safe
https://stackoverflow.com/q/14436606/23354	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://stackoverflow.com/q/11564914/23354;	0%	URL Reputation	safe
https://stackoverflow.com/q/2152978/23354	0%	URL Reputation	safe
https://stackoverflow.com/q/2152978/23354	0%	URL Reputation	safe
https://github.com/mgravell/protobuf-net	0%	Virustotal		Browse
https://github.com/mgravell/protobuf-netJ	0%	Virustotal		Browse
104.168.34.185:2819	9%	Virustotal		Browse
https://github.com/mgravell/protobuf-neti	0%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
104.168.34.185:2819	true	9%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/mgravell/protobuf-net	21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://api.ip.sb/ip	21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000045B8000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1879161721.0000000000802000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/mgravell/protobuf-neti	21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://stackoverflow.com/q/14436606/23354	21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003351000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://github.com/mgravell/protobuf-netJ	21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003351000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://stackoverflow.com/q/11564914/23354;	21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://stackoverflow.com/q/2152978/23354	21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1537535
Start date and time:	2024-10-19 06:21:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	21FuuTyh3g.exe renamed because original name is a hash value
Original Sample Name:	E6398ED6CA5A0F1C041B10ACB0BA17A4.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 225 Number of non-executed functions: 34
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.570623751650901
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	21FuuTyh3g.exe
File size:	1'291'264 bytes
MD5:	e6398ed6ca5a0f1c041b10acb0ba17a4
SHA1:	24314373c9a131ee397fbbb4a93162f64819d8c4
SHA256:	167840f5f5ad88007e20720f09445a1d6b4f8e1c2f4e8d9238a0b918c62ed5fb
SHA512:	6b073f289a6b17a488fd971dd4b11d3fb43b5c359fa4224295f04f7dba5d452caacffc0be9cdca7c5e7dadd4d29991cf579815e4254d7bda873f830a7e1f5200
SSDEEP:	24576:wQ4ko5YLva4CjsewrxG7GVEMDjruO4FrWJNapF0+ciHXF8f3eIJ:CktCgT1zV7GngJnuXoeI
TLSH:	FD55027772A785A1C39A1B36C5A6C9310371ED85A2A3D70ABACD2FDB38037769C40357
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D..g............................N.... ... ....@.. ....................... ............`................................

File Icon


Icon Hash:	4d8ea38d85a38e6d

Static PE Info

General

Entrypoint:	0x52044e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6707AE44 [Thu Oct 10 10:36:52 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x120400	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x122000	0x1c970	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x140000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x11e454	0x11e600	4f6edb3ed425469ac98b3a6d0d23a785	False	0.9130241297468354	data	7.860639651513403	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x122000	0x1c970	0x1ca00	28bc5666cae3a2648a7a47ca5f1df18d	False	0.23763305131004367	data	2.6108095597848373	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x140000	0xc	0x200	a090d81a2d66e901cc95df70aab8d5f6	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x122220	0x3d04	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9934058898847631
RT_ICON	0x125f24	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m	0.09013072282030049
RT_ICON	0x13674c	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m	0.13905290505432216
RT_ICON	0x13a974	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m	0.17033195020746889
RT_ICON	0x13cf1c	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m	0.2045028142589118
RT_ICON	0x13dfc4	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m	0.24645390070921985
RT_GROUP_ICON	0x13e42c	0x5a	data	0.7666666666666667
RT_VERSION	0x13e488	0x2fc	data	0.43848167539267013
RT_MANIFEST	0x13e784	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Target ID:	0
Start time:	00:21:57
Start date:	19/10/2024
Path:	C:\Users\user\Desktop\21FuuTyh3g.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\21FuuTyh3g.exe"
Imagebase:	0xe00000
File size:	1'291'264 bytes
MD5 hash:	E6398ED6CA5A0F1C041B10ACB0BA17A4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1886030941.00000000045B8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1891873011.00000000064E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1877042289.0000000003351000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:22:19
Start date:	19/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x400000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.1879161721.0000000000802000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	00:22:19
Start date:	19/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 12
Imagebase:	0xad0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	99.4%
Signature Coverage:	4.9%
Total number of Nodes:	466
Total number of Limit Nodes:	47

Executed Functions

Function 065F552F Relevance: 16.2, Strings: 12, Instructions: 1150COMMON

Download Yara Rule

Strings

$dq, xrefs: 065F5E21
$dq, xrefs: 065F5E6A
$dq, xrefs: 065F5987
$dq, xrefs: 065F57C3
$dq, xrefs: 065F5A37
$dq, xrefs: 065F5E11
$dq, xrefs: 065F57D3
$dq, xrefs: 065F5E7A
,hq, xrefs: 065F5FFA
$dq, xrefs: 065F5997
$dq, xrefs: 065F5A47
4, xrefs: 065F5F15

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: ,hq$4$$dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq
API String ID: 0-55242283
Opcode ID: 3a7ac81ce6e45ef241f4b29e86a56260fdda173ed382d34dbe133433eb369de9
Instruction ID: 65160253f137be528aac78d85d2e61123931bad7d79955100fecceb90c3c829c
Opcode Fuzzy Hash: 3a7ac81ce6e45ef241f4b29e86a56260fdda173ed382d34dbe133433eb369de9
Instruction Fuzzy Hash: DDB20774A10218CFDB54CFA8C894BADB7B6FF48300F158599EA05AB3A5DB70AD85CF50

Function 065F5867 Relevance: 8.0, Strings: 6, Instructions: 495COMMON

Download Yara Rule

Strings

$dq, xrefs: 065F5E6A
$dq, xrefs: 065F5987
$dq, xrefs: 065F5A37
$dq, xrefs: 065F5E11
,hq, xrefs: 065F5FFA
4, xrefs: 065F5F15

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: ,hq$4$$dq$$dq$$dq$$dq
API String ID: 0-967947350
Opcode ID: f324f2d4521f164b227511355fecafec7ba6428296c4e3b3f42dba83e5045c00
Instruction ID: 751ade0f20e5920d986368b55b0f2839ac4e3218ac88f725ebdd2fa6e832cf6c
Opcode Fuzzy Hash: f324f2d4521f164b227511355fecafec7ba6428296c4e3b3f42dba83e5045c00
Instruction Fuzzy Hash: C8222A74A10219CFDB64DFA4C994BADB7B6FF88300F148199D609AB3A5DB319D81CF50

Function 065CE1E8 Relevance: 4.3, Strings: 3, Instructions: 543
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8, xrefs: 065CE2F4
fiq, xrefs: 065CE307
/t5s, xrefs: 065CE627

Memory Dump Source

Source File: 00000000.00000002.1897242323.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65c0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: fiq$/t5s$8
API String ID: 0-673875772
Opcode ID: 77db7d064fb72712ee05f6892721188cc3154b05aa0c33a5423221eee56c2a9e
Instruction ID: bc2920bd02f0c043d3e662e7438a45dd1d5b4be75e08e29d20ff478ec885ea14
Opcode Fuzzy Hash: 77db7d064fb72712ee05f6892721188cc3154b05aa0c33a5423221eee56c2a9e
Instruction Fuzzy Hash: 6E42C375D006298FDB64CF69C850BD9B7B2BF89310F1486EAD40DA7255EB30AE85CF80

Function 06611377 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 06611421

Strings

-?`, xrefs: 066113BA

Memory Dump Source

Source File: 00000000.00000002.1897488003.0000000006610000.00000040.00000800.00020000.00000000.sdmp, Offset: 06610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6610000_21FuuTyh3g.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID: -?`
API String ID: 2706961497-1721009604
Opcode ID: 14d81644bd0c0c2fb91b1198b319399650b8af7c256ccf390b7519cf135a69b1
Instruction ID: 9143e047e072e5f5a43bbe3c37ea2fb1075fceee3dd8d17bac35ea31a75017ac
Opcode Fuzzy Hash: 14d81644bd0c0c2fb91b1198b319399650b8af7c256ccf390b7519cf135a69b1
Instruction Fuzzy Hash: F73154B19013499FCB10DFAAD884ADEFFF9FF49324F20841AE559A7250C7359940CBA1

Function 06611398 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 06611421

Strings

-?`, xrefs: 066113BA

Memory Dump Source

Source File: 00000000.00000002.1897488003.0000000006610000.00000040.00000800.00020000.00000000.sdmp, Offset: 06610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6610000_21FuuTyh3g.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID: -?`
API String ID: 2706961497-1721009604
Opcode ID: d1910aca9efc8cd6ac0aa6ad6b2fef2ac27e0b12d1946688769efa976af3e31c
Instruction ID: 591ffd042a9c467c027b041c08d8db89de7aa95efcc523e6fc0d523a3cd02e7a
Opcode Fuzzy Hash: d1910aca9efc8cd6ac0aa6ad6b2fef2ac27e0b12d1946688769efa976af3e31c
Instruction Fuzzy Hash: 312112B1D003499FCB10DFAAD984ADEFBF5FF48310F60842AE519A7250C775A940CBA1

Function 066124C8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 0661253E

Strings

-?`, xrefs: 066124EC

Memory Dump Source

Source File: 00000000.00000002.1897488003.0000000006610000.00000040.00000800.00020000.00000000.sdmp, Offset: 06610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6610000_21FuuTyh3g.jbxd

Similarity

API ID: ResumeThread
String ID: -?`
API String ID: 947044025-1721009604
Opcode ID: 74142c841bf65e93ab5208214f074fa27ff4b82a335575b6a12548d7203f10d2
Instruction ID: 726f728999b5bc04f697c8d47f839122efcf143825721f13bd910a326f7b93c5
Opcode Fuzzy Hash: 74142c841bf65e93ab5208214f074fa27ff4b82a335575b6a12548d7203f10d2
Instruction Fuzzy Hash: 011138B0D002489BDB14DFAAC484A9FFBF8EF48320F14842AD519A7240DB74A944CFA5

Function 066124D0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 0661253E

Strings

-?`, xrefs: 066124EC

Memory Dump Source

Source File: 00000000.00000002.1897488003.0000000006610000.00000040.00000800.00020000.00000000.sdmp, Offset: 06610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6610000_21FuuTyh3g.jbxd

Similarity

API ID: ResumeThread
String ID: -?`
API String ID: 947044025-1721009604
Opcode ID: a139ba96d1c22edb46e5f7904f137bc0d3e7f286d4e6878c4e16aa980edd1019
Instruction ID: 1e12c411f617691e22ba69a5ec7fd8906790dc8912552887f5519d9197872a7a
Opcode Fuzzy Hash: a139ba96d1c22edb46e5f7904f137bc0d3e7f286d4e6878c4e16aa980edd1019
Instruction Fuzzy Hash: E41129B1D003488FDB14DFAAC48469FFBF8EF48320F54842AD519A7240CB74A945CFA5

Function 06612120 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54nativeCOMMON

Download Yara Rule

APIs

NtUnmapViewOfSection.NTDLL(?,?), ref: 0661218D

Strings

-?`, xrefs: 0661213F

Memory Dump Source

Source File: 00000000.00000002.1897488003.0000000006610000.00000040.00000800.00020000.00000000.sdmp, Offset: 06610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6610000_21FuuTyh3g.jbxd

Similarity

API ID: SectionUnmapView
String ID: -?`
API String ID: 498011366-1721009604
Opcode ID: 7fd01719c63d6be8e3758acc6aac26e901fe479068d8872e8edcae98fad2c20b
Instruction ID: 1b9050f43e85afc62ed3a5f769c6d303aa5a6a45b126d7f9e3f06b1eeaf8f99c
Opcode Fuzzy Hash: 7fd01719c63d6be8e3758acc6aac26e901fe479068d8872e8edcae98fad2c20b
Instruction Fuzzy Hash: 9F1149B19002489FCB20DFAAC845BDFFFF9EF88320F148419E519A7240CB75A944CBA5

Function 06612128 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50nativeCOMMON

Download Yara Rule

APIs

NtUnmapViewOfSection.NTDLL(?,?), ref: 0661218D

Strings

-?`, xrefs: 0661213F

Memory Dump Source

Source File: 00000000.00000002.1897488003.0000000006610000.00000040.00000800.00020000.00000000.sdmp, Offset: 06610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6610000_21FuuTyh3g.jbxd

Similarity

API ID: SectionUnmapView
String ID: -?`
API String ID: 498011366-1721009604
Opcode ID: 4eb680d81f2b38af54bc6d09fff0993906db141f069559e36b711f777cd13b19
Instruction ID: 205fe6f2fae9925c5a9c9c98d4b04bd11116ed7350b920c5e086e465e6d4cf3e
Opcode Fuzzy Hash: 4eb680d81f2b38af54bc6d09fff0993906db141f069559e36b711f777cd13b19
Instruction Fuzzy Hash: A51128B1D003498FDB14DFAAC8457DEFFF9EB88320F248419D519A7250CB75A944CBA5

Function 064B9980 Relevance: 2.7, Strings: 2, Instructions: 240COMMON

Download Yara Rule

Strings

Tedq, xrefs: 064B9B46
/t5s, xrefs: 064B9A11

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: /t5s$Tedq
API String ID: 0-4229416159
Opcode ID: 099c0aac55a71241194f8efbd7f630fd0a9553a75a6695ab38ff27bcc2e5d2d7
Instruction ID: d6d701f479c8159026de47d425d283145f28dd85352519cc2e25f1ffd9312ab0
Opcode Fuzzy Hash: 099c0aac55a71241194f8efbd7f630fd0a9553a75a6695ab38ff27bcc2e5d2d7
Instruction Fuzzy Hash: 4AA1C470E05218CFDB94CFA9D984BEEBBF6BB4A300F20A06AD509A7351DB745985CF50

Function 064B9990 Relevance: 2.7, Strings: 2, Instructions: 236COMMON

Download Yara Rule

Strings

Tedq, xrefs: 064B9B46
/t5s, xrefs: 064B9A11

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: /t5s$Tedq
API String ID: 0-4229416159
Opcode ID: c910e1fc5483a79c550c07c12989663fe19afd687976bf36af542847d34d844d
Instruction ID: 8dc67cc8e07763b110f3ec7d5ca48d091622edc98f89181e3aff763cb35d77c7
Opcode Fuzzy Hash: c910e1fc5483a79c550c07c12989663fe19afd687976bf36af542847d34d844d
Instruction Fuzzy Hash: 5CA1C670E05218CFEB94CFA9D984BEDBBF6BB4A300F20A06AD509A7351DB745985CF50

Function 065CE1E2 Relevance: 2.7, Strings: 2, Instructions: 152COMMON

Download Yara Rule

Strings

fiq, xrefs: 065CE307
h, xrefs: 065CE2E8

Memory Dump Source

Source File: 00000000.00000002.1897242323.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65c0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: fiq$h
API String ID: 0-25203802
Opcode ID: 6a509cc4aa84959a4b352712918057fa69f43cf2a0e4db6d1def2afdaa307a38
Instruction ID: 91632bd2874ac52c3ca1dd48d06ae90fdac50a7b4570e4529a446ea3f1f1dfd7
Opcode Fuzzy Hash: 6a509cc4aa84959a4b352712918057fa69f43cf2a0e4db6d1def2afdaa307a38
Instruction Fuzzy Hash: 8C61D571D006299FEB64CF6ACC50BD9BBB2BF89310F14C2AAD40DA7254DB305A85CF50

Function 065F18A7 Relevance: 1.6, Strings: 1, Instructions: 328COMMON

Download Yara Rule

Strings

Tedq, xrefs: 065F1AB7

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: Tedq
API String ID: 0-228892971
Opcode ID: 52eec533930c3debc4163d38f21d17263c94fffd74bfc6f6c1d3f250eb79e205
Instruction ID: 5cda1e701debf8bbfd103d3dcc182ef01fcfd95a3810558c3fb20eb8fd69ed53
Opcode Fuzzy Hash: 52eec533930c3debc4163d38f21d17263c94fffd74bfc6f6c1d3f250eb79e205
Instruction Fuzzy Hash: A0E1F274E15618CFEBA4CF69C994BA9BBF6BB49300F1094A9D60DA7250EB305E84CF40

Function 066121D1 Relevance: 1.5, APIs: 1, Instructions: 46nativeCOMMON

Download Yara Rule

APIs

NtUnmapViewOfSection.NTDLL(?,?), ref: 0661218D

Memory Dump Source

Source File: 00000000.00000002.1897488003.0000000006610000.00000040.00000800.00020000.00000000.sdmp, Offset: 06610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6610000_21FuuTyh3g.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: 91c4b9909d923d12b56eaa0baee0d690c5711eaddce3690cb95540bc8e1fe51d
Instruction ID: 4624ff6f40cbaf629bf2e48cde6f40aa026048918101a3d7f797bded0931f9ca
Opcode Fuzzy Hash: 91c4b9909d923d12b56eaa0baee0d690c5711eaddce3690cb95540bc8e1fe51d
Instruction Fuzzy Hash: 67017B314053445FC751EB68EC657EABFECAF42314F04404AE2485B1A1CA791E98C7A1

Function 06612581 Relevance: 1.5, APIs: 1, Instructions: 44nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 0661253E

Memory Dump Source

Source File: 00000000.00000002.1897488003.0000000006610000.00000040.00000800.00020000.00000000.sdmp, Offset: 06610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6610000_21FuuTyh3g.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: bd6801e7325769f156c372707d93c1495b1a87c75cff8be7906f676583967a58
Instruction ID: fc2925941bc84e1b8ad6ad3dbf13b3d2cab226ff7a87f4fc8feb41098937e8af
Opcode Fuzzy Hash: bd6801e7325769f156c372707d93c1495b1a87c75cff8be7906f676583967a58
Instruction Fuzzy Hash: A4012B718003049BD754EF69E8643AAFFACEF85324F148059D0585B1A1DA795994CBA1

Function 065CBE01 Relevance: 1.5, Strings: 1, Instructions: 285COMMON

Download Yara Rule

Strings

PHdq, xrefs: 065CC135

Memory Dump Source

Source File: 00000000.00000002.1897242323.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65c0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: PHdq
API String ID: 0-2991842255
Opcode ID: 57d0c58ac42e43a20b58e3eb1458673229a482f059d258c7751b31bf8dfbc9cd
Instruction ID: 7f393ebb1da4f5b2e4ed042e390c327da40d708a65caab374a23928a5d908a28
Opcode Fuzzy Hash: 57d0c58ac42e43a20b58e3eb1458673229a482f059d258c7751b31bf8dfbc9cd
Instruction Fuzzy Hash: 2AC1F274D01218CFEB94CFA9D895BADBBF2FB49320F10A4AAD409A7351DB745985CF40

Function 065CBE58 Relevance: 1.5, Strings: 1, Instructions: 280COMMON

Download Yara Rule

Strings

PHdq, xrefs: 065CC135

Memory Dump Source

Source File: 00000000.00000002.1897242323.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65c0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: PHdq
API String ID: 0-2991842255
Opcode ID: 408ef507a3d34dd2772150db7614ab9b1cad71c52d060cf79011e81d4dd1b643
Instruction ID: a31ab11ef9160923cb073daa10a0b0ebc9a9717ea5d12e1b064d14c65af1cbe3
Opcode Fuzzy Hash: 408ef507a3d34dd2772150db7614ab9b1cad71c52d060cf79011e81d4dd1b643
Instruction Fuzzy Hash: 4EC11474D04218CFEB64CFA9D855BADBBF2FF4A320F10A4A9D409A7251D7745985CF40

Function 065F1916 Relevance: 1.5, Strings: 1, Instructions: 277COMMON

Download Yara Rule

Strings

Tedq, xrefs: 065F1AB7

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: Tedq
API String ID: 0-228892971
Opcode ID: b1c04f297e1e380a4f115903c337d401b78a46de7165e6bae6286a0cca8c3569
Instruction ID: d7f1f1569287ead01fb6ce44d8201c24e5290655a43db83a04e8033f714c995d
Opcode Fuzzy Hash: b1c04f297e1e380a4f115903c337d401b78a46de7165e6bae6286a0cca8c3569
Instruction Fuzzy Hash: ACD1C274E15619CFEBA4CF69C984BA9BBF2BB49300F1095AAD50DA7350EB305E84CF41

Function 065CBE48 Relevance: 1.5, Strings: 1, Instructions: 277COMMON

Download Yara Rule

Strings

PHdq, xrefs: 065CC135

Memory Dump Source

Source File: 00000000.00000002.1897242323.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65c0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: PHdq
API String ID: 0-2991842255
Opcode ID: 457cadd9e872c85a9fba8fa451038e798e0c69ed86824cba04473289a6ed0a41
Instruction ID: 00474e043a034683b86ca7a054de50aa00d28bba37d511d23f10f9131771147d
Opcode Fuzzy Hash: 457cadd9e872c85a9fba8fa451038e798e0c69ed86824cba04473289a6ed0a41
Instruction Fuzzy Hash: 5CC11274E01218CFEB64CFAAD855BADBBF2FB49320F10A4A9D409A7251DB745985CF40

Function 0696D848 Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

Dkq, xrefs: 0696D94D

Memory Dump Source

Source File: 00000000.00000002.1897894293.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6950000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: Dkq
API String ID: 0-2786294174
Opcode ID: b25dcb41ab2c7b97609149a68dfd0447b3c631ecc6123020dd40e115525f56c2
Instruction ID: 57d90e22bbff5e1fdcb16b081464c78bfe7036b52c95f7a677e1b59071f20694
Opcode Fuzzy Hash: b25dcb41ab2c7b97609149a68dfd0447b3c631ecc6123020dd40e115525f56c2
Instruction Fuzzy Hash: F1D1D474E00219CFDB54DFA9D990A9DBBB6FF88310F1080A9E409AB365DB34AD85CF50

Function 065CEE21 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897242323.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65c0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00834c51701d330d9caea2cb3a2d2d5c8da537266ee505aeb4fcf0cb96e64d1f
Instruction ID: 0665dee698e0fba3b318f9e79baffd8205b4370db80a0db2bbd559b36091dde3
Opcode Fuzzy Hash: 00834c51701d330d9caea2cb3a2d2d5c8da537266ee505aeb4fcf0cb96e64d1f
Instruction Fuzzy Hash: D0F1E674E00219CFDB64CFA9C840B9DBBB2FF89310F1485AAD909A7351DB74AA85CF51

Function 065CEE80 Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897242323.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65c0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92bf4da6b4dd323957224dd61c5e8be7d7f024722eba608fe3a4192eec7bba74
Instruction ID: 32a0ddfcd56a186b7ed211703f5ba2f9ebe98d4f73aa65bb051b04d2c12f92a2
Opcode Fuzzy Hash: 92bf4da6b4dd323957224dd61c5e8be7d7f024722eba608fe3a4192eec7bba74
Instruction Fuzzy Hash: 8CF1B474E0021ACFEB64CFA9C844B9EBBB2FF89310F1095A9D509A7350DB74A985CF51

Function 06620B68 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897527576.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6620000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eab1939baff3dad090962b6ab41816b17cbada5e4f1c5a051f459e237958dad0
Instruction ID: 6ae78e85395a8a001402f311d6d55b208fe5ee93af4be3ebb500a51d1088da09
Opcode Fuzzy Hash: eab1939baff3dad090962b6ab41816b17cbada5e4f1c5a051f459e237958dad0
Instruction Fuzzy Hash: 19B15A74D05619CFDB98CFA8D888BADBBBAFB49305F10A069D409A7391DB745C85CF40

Function 06620B78 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897527576.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6620000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c850471f8b5590a2170670e8d9e7069c5c14d7c6c8db546e746d10771dbb988
Instruction ID: b1694ea2002e352a59d18e4dedeeba7b3aa6d0aebc63cea2128f1f87faa31115
Opcode Fuzzy Hash: 1c850471f8b5590a2170670e8d9e7069c5c14d7c6c8db546e746d10771dbb988
Instruction Fuzzy Hash: F4A15A74D05219CFEB98CFA8D488BADBBBAFB49305F10A069D40AA7391DB745C85CF40

Function 064B0D50 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 439d98fa7e9085537aad6b6cec08f99b05c263ad511736d4aea92cc0b9159791
Instruction ID: 52ac6633d6042f9d9660d453c1e3eaa61e629ca0c2c024dceae1bc496ab620c7
Opcode Fuzzy Hash: 439d98fa7e9085537aad6b6cec08f99b05c263ad511736d4aea92cc0b9159791
Instruction Fuzzy Hash: E8912670D05218CFEB65CF6AD9847DEBBF6BB89301F10A0AAD40DAB291C7745A85CF50

Function 064B0D3F Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30a25b3f3d9611e1ec28b2cc82c49b68161872001911b8087c38507862eb265a
Instruction ID: 8c5204cd5e97694ba367ef189c3118933970bf7b2341233718fc866c42b46d20
Opcode Fuzzy Hash: 30a25b3f3d9611e1ec28b2cc82c49b68161872001911b8087c38507862eb265a
Instruction Fuzzy Hash: 9E911470E05218CFEB64CF6AD9447DEBBF6BB89301F10A0AAD409AB294D7745A85CF50

Function 066100D0 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897488003.0000000006610000.00000040.00000800.00020000.00000000.sdmp, Offset: 06610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6610000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89b8b4fe8c7035447eaf0fee1172335d2ba9071e02343d244e0e0d89131bede6
Instruction ID: 39c7a7439032dfeb547aec2c2ecce5d1437fb87e13888e2b63c79dbe8ac7501a
Opcode Fuzzy Hash: 89b8b4fe8c7035447eaf0fee1172335d2ba9071e02343d244e0e0d89131bede6
Instruction Fuzzy Hash: 7A81F274D04219CFEB64CFA5C844BEEBBB6BB89304F1490AAD519AB340DB745A85CF90

Function 066100C1 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897488003.0000000006610000.00000040.00000800.00020000.00000000.sdmp, Offset: 06610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6610000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 875802e1f610438207f3e739ac5b53a5b5f6877295697efca6f0a5fb5eda7bd6
Instruction ID: 527f8369c09721b6e91ae5ebc5286cfdfae74fe0e28aec6d99095a81e3755db9
Opcode Fuzzy Hash: 875802e1f610438207f3e739ac5b53a5b5f6877295697efca6f0a5fb5eda7bd6
Instruction Fuzzy Hash: 30611370D04259CFEB64CFA6C844BEEBBB6BB89304F0481AAD519BB251DB741985CF90

Function 06611AF4 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 213
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06611CDA

Strings

-?`, xrefs: 06611B4B
-?`, xrefs: 06611B2B

Memory Dump Source

Source File: 00000000.00000002.1897488003.0000000006610000.00000040.00000800.00020000.00000000.sdmp, Offset: 06610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6610000_21FuuTyh3g.jbxd

Similarity

API ID: CreateProcess
String ID: -?`$-?`
API String ID: 963392458-1026355562
Opcode ID: 2f6468ed853b9b3120fc47669df23a99d320921ebe65ee113a5045ac03a77323
Instruction ID: c4094c1eef9da7ad3ae586465c7612deb5ba93f6adc2b8a22854e8010fcc67fb
Opcode Fuzzy Hash: 2f6468ed853b9b3120fc47669df23a99d320921ebe65ee113a5045ac03a77323
Instruction Fuzzy Hash: 118148B5D006499FDB50CFA9C9817EEFBF6BF49310F188529E919AB350DB748881CB81

Function 06611B00 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 201
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06611CDA

Strings

-?`, xrefs: 06611B4B
-?`, xrefs: 06611B2B

Memory Dump Source

Source File: 00000000.00000002.1897488003.0000000006610000.00000040.00000800.00020000.00000000.sdmp, Offset: 06610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6610000_21FuuTyh3g.jbxd

Similarity

API ID: CreateProcess
String ID: -?`$-?`
API String ID: 963392458-1026355562
Opcode ID: af4432a548b265ce1a594844a0fd27f9ba6cb256cfff3496989f3a885766d59f
Instruction ID: 6994fb994befd1342e343d87a39af5d880285289aa791327d987d782f247e2a4
Opcode Fuzzy Hash: af4432a548b265ce1a594844a0fd27f9ba6cb256cfff3496989f3a885766d59f
Instruction Fuzzy Hash: E48126B1D006499FDB50CFA9C9817EDFBF2BF49310F188529E959AB390DB749881CB81

Function 065FB708 Relevance: 4.2, Strings: 3, Instructions: 482
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hhq, xrefs: 065FBBDD
Hhq, xrefs: 065FBC0C
Hhq, xrefs: 065FBC5C

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: Hhq$Hhq$Hhq
API String ID: 0-327223379
Opcode ID: ad4203cd5d30bcc5754d4b595092cace7dabdf88a9730783fb818aadcbba69bb
Instruction ID: d06b43c36a4f4466c87f9f7bee70ac9f2e45483dd5262e6e27067fc7fa04b789
Opcode Fuzzy Hash: ad4203cd5d30bcc5754d4b595092cace7dabdf88a9730783fb818aadcbba69bb
Instruction Fuzzy Hash: C0127E70A10205DFCBA5DFA5D894A6EBBF2FF88300F148929D6069B354DB35EC45CB50

Function 065FD3C8 Relevance: 4.1, Strings: 3, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'dq, xrefs: 065FD741
4'dq, xrefs: 065FD5E2
4'dq, xrefs: 065FD6C1

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq$4'dq
API String ID: 0-2431816566
Opcode ID: 6bbe79cfdbc78ccd699f93a17125ff7268dfcd41648a210b07472f1fd3aa24b0
Instruction ID: 6176ad7eb8e3d3f8bed1a7b303a55c84cd6e5db38cea7f1ac21e10cd3c7dfc1e
Opcode Fuzzy Hash: 6bbe79cfdbc78ccd699f93a17125ff7268dfcd41648a210b07472f1fd3aa24b0
Instruction Fuzzy Hash: 3EF1DC34A10219DFCB44DFA4D998AADB7B2FF88301F158154E906AB3A5DB71EC46CF90

Function 0320B6A8 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

-?`, xrefs: 0320B8B7

Memory Dump Source

Source File: 00000000.00000002.1876913126.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3200000_21FuuTyh3g.jbxd

Similarity

API ID: HandleModule
String ID: -?`
API String ID: 4139908857-1721009604
Opcode ID: 0a9b17836a46ada6ae6de0d6044e612034acf1bfd589de86fc826718807bba86
Instruction ID: 6b49c4282c5a1ee7c5a78b574fce24df58818705da2060badcbfbb9c6e404dda
Opcode Fuzzy Hash: 0a9b17836a46ada6ae6de0d6044e612034acf1bfd589de86fc826718807bba86
Instruction Fuzzy Hash: 1D715574A10B058FD724DF2AD44575ABBF5FF88300F048929D49ADBB91DB74E889CB90

Function 065CDECA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNELBASE ref: 065CDFC7

Strings

-?`, xrefs: 065CDF6F

Memory Dump Source

Source File: 00000000.00000002.1897242323.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65c0000_21FuuTyh3g.jbxd

Similarity

API ID: Sleep
String ID: -?`
API String ID: 3472027048-1721009604
Opcode ID: b8a02c4bc862e6b622df62c1f48f0ae9512845f4dfd99a37ede473c2d0e9572a
Instruction ID: aa0e7649648cb9deada26ce94261b60c9b11c267a5b52c9d3c13c139b3a58c27
Opcode Fuzzy Hash: b8a02c4bc862e6b622df62c1f48f0ae9512845f4dfd99a37ede473c2d0e9572a
Instruction Fuzzy Hash: AC31BB70908348DFCB21DFA9D8446AEFFF8FF45320F5484AEE485A3281C634A954CBA5

Function 06612319 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 066123B0

Strings

-?`, xrefs: 0661233F

Memory Dump Source

Source File: 00000000.00000002.1897488003.0000000006610000.00000040.00000800.00020000.00000000.sdmp, Offset: 06610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6610000_21FuuTyh3g.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: -?`
API String ID: 3559483778-1721009604
Opcode ID: c3620f0bf47fe2721bda285e49be86c0a8aa755c2c5b8f3a02b4707649565e6d
Instruction ID: dd98f550807b989d46c9356140e4630a17c52913cd339a1e10663c705bb967fc
Opcode Fuzzy Hash: c3620f0bf47fe2721bda285e49be86c0a8aa755c2c5b8f3a02b4707649565e6d
Instruction Fuzzy Hash: 7A2126B59003499FCB10CFA9D885BDEBBF9FB48310F148429E958A7240C778A955CBA1

Function 06612320 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 066123B0

Strings

-?`, xrefs: 0661233F

Memory Dump Source

Source File: 00000000.00000002.1897488003.0000000006610000.00000040.00000800.00020000.00000000.sdmp, Offset: 06610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6610000_21FuuTyh3g.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: -?`
API String ID: 3559483778-1721009604
Opcode ID: 7bf72198075afe9b26eea904ea71a3854fe11560917b2c42c45284c48d563bbb
Instruction ID: 4b30aa45be997022c7a7df17bb5c5f5ad88487469a87499d1fdaca5cf344402b
Opcode Fuzzy Hash: 7bf72198075afe9b26eea904ea71a3854fe11560917b2c42c45284c48d563bbb
Instruction Fuzzy Hash: 162127B19003499FCB10DFA9C885BDEBBF5FF48310F14842AE919A7340C7789955DBA5

Function 06611DF8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 67threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06611E7E

Strings

-?`, xrefs: 06611E1C

Memory Dump Source

Source File: 00000000.00000002.1897488003.0000000006610000.00000040.00000800.00020000.00000000.sdmp, Offset: 06610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6610000_21FuuTyh3g.jbxd

Similarity

API ID: ContextThreadWow64
String ID: -?`
API String ID: 983334009-1721009604
Opcode ID: a0bbd34eb25da53ffe2cba10bd8aa7c0793504b31e2b04d56d33cb53d131ee6a
Instruction ID: 902f3d36a04ae2b83320574424d8614da6cb2e99c0e1590fe32d9fa71aec556a
Opcode Fuzzy Hash: a0bbd34eb25da53ffe2cba10bd8aa7c0793504b31e2b04d56d33cb53d131ee6a
Instruction Fuzzy Hash: 852159B19003099FDB50DFAAC4857EEFBF5EB48320F148429E519A7240CB789944CFA1

Function 0320C090 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0320DF46,?,?,?,?,?), ref: 0320E007

Strings

-?`, xrefs: 0320DF9F

Memory Dump Source

Source File: 00000000.00000002.1876913126.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3200000_21FuuTyh3g.jbxd

Similarity

API ID: DuplicateHandle
String ID: -?`
API String ID: 3793708945-1721009604
Opcode ID: 90544401be254297e25d7bed1f63cb81c750d945fab1557ad9a13baf11245aaa
Instruction ID: e8dd868a2f96c726582c70eed21aab4f3fbf1883e7f5aa83b1d71166ff882723
Opcode Fuzzy Hash: 90544401be254297e25d7bed1f63cb81c750d945fab1557ad9a13baf11245aaa
Instruction Fuzzy Hash: DE2114B5910308DFDB10CF9AD984AEEFBF5EB48310F54841AE918A3351D374A984CFA1

Function 06611E00 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06611E7E

Strings

-?`, xrefs: 06611E1C

Memory Dump Source

Source File: 00000000.00000002.1897488003.0000000006610000.00000040.00000800.00020000.00000000.sdmp, Offset: 06610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6610000_21FuuTyh3g.jbxd

Similarity

API ID: ContextThreadWow64
String ID: -?`
API String ID: 983334009-1721009604
Opcode ID: aaace71e2ad75c34776f486b8bd6fff3385887bb093bab77e22aee5845c2c20b
Instruction ID: 29755737df9e1e72e3de99a2b59e646c090e9ed6ad22db699c7f621a824b9edc
Opcode Fuzzy Hash: aaace71e2ad75c34776f486b8bd6fff3385887bb093bab77e22aee5845c2c20b
Instruction Fuzzy Hash: 642137B19003098FDB50DFAAC4857EEFBF5EB48324F148429D519A7240CB789A45CFA5

Function 065CDF50 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SleepEx.KERNELBASE ref: 065CDFC7

Strings

-?`, xrefs: 065CDF6F

Memory Dump Source

Source File: 00000000.00000002.1897242323.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65c0000_21FuuTyh3g.jbxd

Similarity

API ID: Sleep
String ID: -?`
API String ID: 3472027048-1721009604
Opcode ID: 42e947c6284acb11e45bd669cf04bad5e65479cc9df82992b0df87c49e285146
Instruction ID: 03791693f2a60723a7c3a59fa0407d813ca32703be53ecde2cb0970b3aca3c20
Opcode Fuzzy Hash: 42e947c6284acb11e45bd669cf04bad5e65479cc9df82992b0df87c49e285146
Instruction Fuzzy Hash: 2A112CB19003499EDB24DFAAC845BDFFFF9EF54320F14841AE455A7240CA74A944CBA5

Function 06612218 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0661228E

Strings

-?`, xrefs: 06612237

Memory Dump Source

Source File: 00000000.00000002.1897488003.0000000006610000.00000040.00000800.00020000.00000000.sdmp, Offset: 06610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6610000_21FuuTyh3g.jbxd

Similarity

API ID: AllocVirtual
String ID: -?`
API String ID: 4275171209-1721009604
Opcode ID: 8e586632c085c8e199edc2aff378ca5a770c45264061f454a7815b9c5b2d230e
Instruction ID: 5cc3288416ea1fb2be3d6746aec9c267cbe247c50d17f8de5a7a370df009757d
Opcode Fuzzy Hash: 8e586632c085c8e199edc2aff378ca5a770c45264061f454a7815b9c5b2d230e
Instruction Fuzzy Hash: 80115C758002489FCB10DFAAC845ADFBFF9EF48320F148419E559A7250C7759940CFA1

Function 065ED990 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 065EDA04

Strings

-?`, xrefs: 065ED9AC

Memory Dump Source

Source File: 00000000.00000002.1897334607.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65e0000_21FuuTyh3g.jbxd

Similarity

API ID: ProtectVirtual
String ID: -?`
API String ID: 544645111-1721009604
Opcode ID: 4b4da6954a5e2a8e5e6f27b8aedc16b1ea225a7d735cec71438f2382b7048da0
Instruction ID: 6850f1770898d61817089788ff2e7da233449af05ef1fecac32f49a619dc5978
Opcode Fuzzy Hash: 4b4da6954a5e2a8e5e6f27b8aedc16b1ea225a7d735cec71438f2382b7048da0
Instruction Fuzzy Hash: F31124B1D003489FCB14DFAAC844A9EFBF4FF48320F14842AE429A7240CB74A944CFA5

Function 0320A1A8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(0000004B), ref: 0320A21D

Strings

-?`, xrefs: 0320A1CF

Memory Dump Source

Source File: 00000000.00000002.1876913126.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3200000_21FuuTyh3g.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID: -?`
API String ID: 2492992576-1721009604
Opcode ID: 28aeffe9d02dd302ebbcd45a975e2bebd5f2b9df49b5a04a002e0bdd1a7f0ec8
Instruction ID: f60879f45e366c13b0b2d978820ed819151271b3ae78b221ddd5bd05ec84a883
Opcode Fuzzy Hash: 28aeffe9d02dd302ebbcd45a975e2bebd5f2b9df49b5a04a002e0bdd1a7f0ec8
Instruction Fuzzy Hash: 3811B1B1810389CFDB10CF59D4093EABFF4EB05311F548069E959A7282C77AAA48CFA1

Function 065CDF58 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SleepEx.KERNELBASE ref: 065CDFC7

Strings

-?`, xrefs: 065CDF6F

Memory Dump Source

Source File: 00000000.00000002.1897242323.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65c0000_21FuuTyh3g.jbxd

Similarity

API ID: Sleep
String ID: -?`
API String ID: 3472027048-1721009604
Opcode ID: b4f5e5272b3aa29687a15a1a08343151331672c4bb9f149e9ae4ace22bce0591
Instruction ID: be6f6adc113b1514459d49bea8f34ac97f7aa4cdcb91270105be1f326f8be0df
Opcode Fuzzy Hash: b4f5e5272b3aa29687a15a1a08343151331672c4bb9f149e9ae4ace22bce0591
Instruction Fuzzy Hash: 5E113AB19003498FDB14DFAAC8457EEFBF8AF88320F14841AD459A7240CA389944CBA5

Function 06612220 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0661228E

Strings

-?`, xrefs: 06612237

Memory Dump Source

Source File: 00000000.00000002.1897488003.0000000006610000.00000040.00000800.00020000.00000000.sdmp, Offset: 06610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6610000_21FuuTyh3g.jbxd

Similarity

API ID: AllocVirtual
String ID: -?`
API String ID: 4275171209-1721009604
Opcode ID: e614918640d83df9fa7c18eb745e79b4e4018d9a646037a988e196a0f123c5ca
Instruction ID: 5d153299d3c92c16a556d003ef431c24758bc80a878407599207d5b645fc6d7f
Opcode Fuzzy Hash: e614918640d83df9fa7c18eb745e79b4e4018d9a646037a988e196a0f123c5ca
Instruction Fuzzy Hash: 8B1137719002499FCB14DFAAC845ADFBFF5EF88320F148419E529A7250CB75A954CFA1

Function 0320AA04 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0320B6C4), ref: 0320B8FE

Strings

-?`, xrefs: 0320B8B7

Memory Dump Source

Source File: 00000000.00000002.1876913126.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3200000_21FuuTyh3g.jbxd

Similarity

API ID: HandleModule
String ID: -?`
API String ID: 4139908857-1721009604
Opcode ID: 89f75ad8821c59b7424c20eee244885316a87660ecdc9b9ad88555b05ae1b37e
Instruction ID: 9c4c2281c76d5db2b892edc35a8bb5c0dda93fc361d448f3c8573b59c8b2dce0
Opcode Fuzzy Hash: 89f75ad8821c59b7424c20eee244885316a87660ecdc9b9ad88555b05ae1b37e
Instruction Fuzzy Hash: 101132B5C0034D8FCB20DF9AD444A9EFBF4EB88310F14842AD829A7251C374A588CFA1

Function 0320A1B8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(0000004B), ref: 0320A21D

Strings

-?`, xrefs: 0320A1CF

Memory Dump Source

Source File: 00000000.00000002.1876913126.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3200000_21FuuTyh3g.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID: -?`
API String ID: 2492992576-1721009604
Opcode ID: 856576a251d054da511fc9c48f84d727ec9adbfccc5576b5859ad4cea9734cc4
Instruction ID: 62fd0367aa7f80faed697ba362601e1bb60a8c756116fe14ff37574fe55f9030
Opcode Fuzzy Hash: 856576a251d054da511fc9c48f84d727ec9adbfccc5576b5859ad4cea9734cc4
Instruction Fuzzy Hash: BD11B2B1810389CFDB10CF99D5097DEBFF4EB05310F148059E959A7282C779AA48CB61

Function 064C0D98 Relevance: 3.1, Strings: 2, Instructions: 577COMMON

Download Yara Rule

Strings

4'dq, xrefs: 064C1549
4'dq, xrefs: 064C1559

Memory Dump Source

Source File: 00000000.00000002.1891178090.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64c0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq
API String ID: 0-2306408947
Opcode ID: cd291d25760710200b3b44f00337ade32ad75a27a152ccdabc53bfb62938757a
Instruction ID: 9c93be79fc15392234392bf789d810e1084b41a36e0359dd0d8fb74b50403991
Opcode Fuzzy Hash: cd291d25760710200b3b44f00337ade32ad75a27a152ccdabc53bfb62938757a
Instruction Fuzzy Hash: AE42F678E04209CFDBD5CB99C4986AEBBB2FF49321F10801AD9166B351CB385D86CF95

Function 065EEA08 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 065EEA73

Strings

-?`, xrefs: 065EEA1F

Memory Dump Source

Source File: 00000000.00000002.1897334607.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65e0000_21FuuTyh3g.jbxd

Similarity

API ID: AllocVirtual
String ID: -?`
API String ID: 4275171209-1721009604
Opcode ID: 25eadb7f6f7ffc09a1ce96c6cf3e46b429d8b674266e78950037feead8dca56f
Instruction ID: 299bd317ddfb36207ef00b610dedcb5726b66edd9c9f8e729c311e62acc9d675
Opcode Fuzzy Hash: 25eadb7f6f7ffc09a1ce96c6cf3e46b429d8b674266e78950037feead8dca56f
Instruction Fuzzy Hash: 361137759002489FCB14DFAAC845ADEFBF5FB88320F148419E529A7250CB75A944CF95

Function 065F7BFA Relevance: 3.0, Strings: 2, Instructions: 526COMMON

Download Yara Rule

Strings

$dq, xrefs: 065F7F83
$dq, xrefs: 065F7F73

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: $dq$$dq
API String ID: 0-2340669324
Opcode ID: da52ff44c59f874df51e4189aa5061bc3dc1f6f2ea095235f5c284e6c56c0df0
Instruction ID: 56428b6c14cd06e766abac88e83391bba9c7ba44543b0bdce4fd6361cd00d1bd
Opcode Fuzzy Hash: da52ff44c59f874df51e4189aa5061bc3dc1f6f2ea095235f5c284e6c56c0df0
Instruction Fuzzy Hash: 70225870E1022ACFDB51CFA4D854ABEBBB6FF88310F148155EA12A7294DB389D45CF90

Function 064C1DA8 Relevance: 3.0, Strings: 2, Instructions: 488COMMON

Download Yara Rule

Strings

4'dq, xrefs: 064C244B
4'dq, xrefs: 064C243B

Memory Dump Source

Source File: 00000000.00000002.1891178090.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64c0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq
API String ID: 0-2306408947
Opcode ID: 4b999e14e63db96645825529709aeaaaa5f257f94eb55654922f373b589947ab
Instruction ID: 61ae9ca31ed09b3d8558e0080cb2e1ce9292eab1f98dcec9b204afbbc039fe1b
Opcode Fuzzy Hash: 4b999e14e63db96645825529709aeaaaa5f257f94eb55654922f373b589947ab
Instruction Fuzzy Hash: A922E238D01259CFCB95DFE4C5586ADBBB2BB89311F20806ED41AAB354DBB85E49CF40

Function 065FF120 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

$dq, xrefs: 065FF26F
U, xrefs: 065FF145

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: U$$dq
API String ID: 0-3227295396
Opcode ID: d20d39cae4a15191c9b2fa31680245dfaf394e2cb68c16fb95b6287f755eda3f
Instruction ID: 231b410f6bff5a6b189f017da9ce6ffebcb71bc06f2504b9072c5e1291faa20c
Opcode Fuzzy Hash: d20d39cae4a15191c9b2fa31680245dfaf394e2cb68c16fb95b6287f755eda3f
Instruction Fuzzy Hash: 2CE1BE717102128FE7959F68D42867E7BE2FFD4200F25492AEA82CB7A1DE34CC45CB65

Function 064C18C0 Relevance: 2.9, Strings: 2, Instructions: 362COMMON

Download Yara Rule

Strings

4'dq, xrefs: 064C1D56
4'dq, xrefs: 064C1D66

Memory Dump Source

Source File: 00000000.00000002.1891178090.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64c0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq
API String ID: 0-2306408947
Opcode ID: 3f52386a3774e4d4e5cc856a546184e11a88371c6743b5754521040afab11567
Instruction ID: 61bea0422a7dc36da72db8c53b18cb26fe441ae034b36a396482bcb8845d3637
Opcode Fuzzy Hash: 3f52386a3774e4d4e5cc856a546184e11a88371c6743b5754521040afab11567
Instruction Fuzzy Hash: 80F1C438D01209DFDB95DFA4E4986ADBBB2FF89321F60412EE406A7351DB316986CF40

Function 065FADB8 Relevance: 2.9, Strings: 2, Instructions: 356COMMON

Download Yara Rule

Strings

d, xrefs: 065FB019
(hq, xrefs: 065FADCC

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: (hq$d
API String ID: 0-2835645469
Opcode ID: 0a43175e095494d7e4404fcd47a4f5adb1cae925fe2b9614740d0800d0e6f53e
Instruction ID: dc8710ab14a4c80b1996c23c33b76a2df302476fbc04393980d188efcbfa2ab7
Opcode Fuzzy Hash: 0a43175e095494d7e4404fcd47a4f5adb1cae925fe2b9614740d0800d0e6f53e
Instruction Fuzzy Hash: FDD18B34610606CFCB54CF29C48496ABBF6FF88310B25C969E65A8B365DB31FC46CB91

Function 064C2490 Relevance: 2.8, Strings: 2, Instructions: 279COMMON

Download Yara Rule

Strings

4'dq, xrefs: 064C281F
4'dq, xrefs: 064C280F

Memory Dump Source

Source File: 00000000.00000002.1891178090.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64c0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq
API String ID: 0-2306408947
Opcode ID: aaf45e544033a40ac9bb947026c3d9f771ff3890c8caed12e847b586cde72b5e
Instruction ID: 0ea25c321b4fb3f786a2e4ba7a9a50595f1562098523ee316cc5c79b6d4e245d
Opcode Fuzzy Hash: aaf45e544033a40ac9bb947026c3d9f771ff3890c8caed12e847b586cde72b5e
Instruction Fuzzy Hash: 89C1C678E01219CFDB95DFA4D4586EEBBB2FB89311F10802ED81667354CBB85A46CF90

Function 065F97E8 Relevance: 2.7, Strings: 2, Instructions: 196COMMON

Download Yara Rule

Strings

(hq, xrefs: 065F990C
(hq, xrefs: 065F9963

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: (hq$(hq
API String ID: 0-2483692461
Opcode ID: 77602e60f9468ab4aaf8e9140b623ae5ce91c96552fbb41f939be9bfc0487ac1
Instruction ID: 3a494960f92c72dec3ee6470d9edf5e98520a16f8feae17ae3af5410d408d50e
Opcode Fuzzy Hash: 77602e60f9468ab4aaf8e9140b623ae5ce91c96552fbb41f939be9bfc0487ac1
Instruction Fuzzy Hash: 6761F031B006159FCB559F28D854AAE3BA6FF84311B11816AE905CF3A2CA35DC46CBE1

Function 065F7228 Relevance: 2.7, Strings: 2, Instructions: 155COMMON

Download Yara Rule

Strings

(hq, xrefs: 065F732E
Hhq, xrefs: 065F73BD

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: (hq$Hhq
API String ID: 0-2633903351
Opcode ID: eb8a11fc4352f9da105f8f1066c87ab4b6020993a6ac639f58d7d7c7b860b624
Instruction ID: 106bfa149676f76540f542280486b79f3c14aea7700d8296d3f29cbe37c3cf03
Opcode Fuzzy Hash: eb8a11fc4352f9da105f8f1066c87ab4b6020993a6ac639f58d7d7c7b860b624
Instruction Fuzzy Hash: 4B516B34B006059FC799AF78D46852E7BA6FFD9310711446DD90A8B3A4DF35EC06CB91

Function 065F4E20 Relevance: 2.6, Strings: 2, Instructions: 61COMMON

Download Yara Rule

Strings

,hq, xrefs: 065F4E93
U, xrefs: 065F4E2D

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: ,hq$U
API String ID: 0-2089847517
Opcode ID: 929fd9d785cf431903795f93d87d8b100d69bb5a793793f6e129c4c74357eba2
Instruction ID: 856e4e0a89b42e21703c15adac2dd53950204599d3c450595a0c9d98d97d8afc
Opcode Fuzzy Hash: 929fd9d785cf431903795f93d87d8b100d69bb5a793793f6e129c4c74357eba2
Instruction Fuzzy Hash: DB114C35B002059FCB04DF69D8949AABBF6EF85301F158165EA05DF3A6D730DD01CBA1

Function 064B2CEC Relevance: 2.5, Strings: 2, Instructions: 27COMMON

Download Yara Rule

Strings

\, xrefs: 064B2D51
;, xrefs: 064B2D25

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: ;$\
API String ID: 0-1145712410
Opcode ID: bfa15061fac1dc975994b19e4b302af5465042214aecc7a7df1266889b92c7e5
Instruction ID: 5c6d73b81b10c09dc1ea9253bb14123d866c4649c32a881152839daff347f4b7
Opcode Fuzzy Hash: bfa15061fac1dc975994b19e4b302af5465042214aecc7a7df1266889b92c7e5
Instruction Fuzzy Hash: 2201BD74911218CFCBA0DF28D988BEEBBB1FB08311F14A596D50DA7240CB70AAC0CF60

Function 065FE2A0 Relevance: 1.9, Strings: 1, Instructions: 677COMMON

Download Yara Rule

Strings

,hq, xrefs: 065FE61B

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: ,hq
API String ID: 0-1771677546
Opcode ID: eb837fd6203463dbd1eca0b550a890eeb244e1eb0e3664fe230d875fc10d395b
Instruction ID: 60cbcf5f65dacd26371ff6031a42618b994934e545adbe7cb5fb6087601761de
Opcode Fuzzy Hash: eb837fd6203463dbd1eca0b550a890eeb244e1eb0e3664fe230d875fc10d395b
Instruction Fuzzy Hash: 2E522B75A102289FDB64DF68C955BDDBBF2BF88300F1541D9E609AB3A1DA309D80CF61

Function 065F87E0 Relevance: 1.8, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

(_dq, xrefs: 065F8A70

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: (_dq
API String ID: 0-95542857
Opcode ID: 30f4caa0fc69b25ab314de0c93925a81ecf6eb421cbb31dc8391aa2e81d7df77
Instruction ID: 0fa6ff96355b5c896202cddfebedad37871772931e6bea3a583a2a3f2d995147
Opcode Fuzzy Hash: 30f4caa0fc69b25ab314de0c93925a81ecf6eb421cbb31dc8391aa2e81d7df77
Instruction Fuzzy Hash: CB228C75A102159FDB84DFA4D894AADB7F6FF88310F188469EA05DB3A1CB71ED40CB90

Function 064B5286 Relevance: 1.5, Strings: 1, Instructions: 277COMMON

Download Yara Rule

Strings

OTK, xrefs: 064B5344

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: OTK
API String ID: 0-1866517443
Opcode ID: c442e5ee41ceb4940f749cbfaafb5eab581037be4850686d9edaceed7e22c5b1
Instruction ID: 2c99336d94fd50bf9c2b9fca20d975432c7e8db07261502d64d2802236b6718f
Opcode Fuzzy Hash: c442e5ee41ceb4940f749cbfaafb5eab581037be4850686d9edaceed7e22c5b1
Instruction Fuzzy Hash: 72C10274D05208DFDB89DFA8D5446EEFBB6EB48301F20A02AD419AB344D7746E42CFA1

Function 065FFD40 Relevance: 1.5, Strings: 1, Instructions: 253COMMON

Download Yara Rule

Strings

U, xrefs: 065FFD4D

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 57b8bdf34ce173c966edf0595a15a0e17cdc24a0f688fd8c7e3d8e34a6b32927
Instruction ID: 1e2eff0dbe3c2e7e0f826732c4c82059c0bafac80c884cda914de856df9ffdf2
Opcode Fuzzy Hash: 57b8bdf34ce173c966edf0595a15a0e17cdc24a0f688fd8c7e3d8e34a6b32927
Instruction Fuzzy Hash: 8E71B236A102189FDF55DF54D804EAABBB6FF89310F0580E5E609AB262C731ED55CF90

Function 065F8F68 Relevance: 1.5, Strings: 1, Instructions: 244COMMON

Download Yara Rule

Strings

Pldq, xrefs: 065F9150

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: Pldq
API String ID: 0-2367098355
Opcode ID: a904d2e5e606134721bb2e47e7150574264f55e125bff7f78943b2b71a186fb8
Instruction ID: ca48048b2aca0d371a8d3a1df11e1faee6dbe58f7450c16a8d02c249974cd1b3
Opcode Fuzzy Hash: a904d2e5e606134721bb2e47e7150574264f55e125bff7f78943b2b71a186fb8
Instruction Fuzzy Hash: 5B911574B106158FCB54DF28C884AAA7BFABF89710F1140A9E605DB3B5DB71EC41CB91

Function 065FD3B8 Relevance: 1.5, Strings: 1, Instructions: 228COMMON

Download Yara Rule

Strings

4'dq, xrefs: 065FD5E2

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: 4'dq
API String ID: 0-1167855494
Opcode ID: 3472a6b3a314d3e5ac1af7e6a4c5efb53128841181607d5eda0de7155aa28243
Instruction ID: 63c1fa72468c7b34b805b763142a16f51569a9a489cbff719e250f67b3155d55
Opcode Fuzzy Hash: 3472a6b3a314d3e5ac1af7e6a4c5efb53128841181607d5eda0de7155aa28243
Instruction Fuzzy Hash: FBA10D34A10219DFCB44EFA4D89899DB7B6FF88300F558258E905AB3A5DB70EC46CF90

Function 065F3F50 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

(hq, xrefs: 065F3FC4

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: (hq
API String ID: 0-4060669308
Opcode ID: d1fb56e4d03126ea18c2962806c0eea2fb0d88c6c891bff9c7ff2b29ca1a548f
Instruction ID: 64d9f826ba6487b71ad925eda750b7f250d646c753e15044e04de310f4f65a65
Opcode Fuzzy Hash: d1fb56e4d03126ea18c2962806c0eea2fb0d88c6c891bff9c7ff2b29ca1a548f
Instruction Fuzzy Hash: AC51E031A002169FCB00CF68D8809ABFBB9FF89320B158565EA159B342D731FC91CBE5

Function 065F4E30 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

,hq, xrefs: 065F4E93

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: ,hq
API String ID: 0-1771677546
Opcode ID: c03562763798ed8b3f0a7542af449ac44aab5ad6a41c15ef35d1c2d8dcb13237
Instruction ID: 63b085bbdb61e747ef4810def58aca476ee5b1d81ced11e908b6049a341c3376
Opcode Fuzzy Hash: c03562763798ed8b3f0a7542af449ac44aab5ad6a41c15ef35d1c2d8dcb13237
Instruction Fuzzy Hash: DA517B35B002158FCB44DF69D89096EBBE6FFC9211B2181A9EA05DF366DB31EC01CB91

Function 065F2F98 Relevance: 1.4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

phq, xrefs: 065F3048

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: phq
API String ID: 0-315977702
Opcode ID: 3b4fd275b1cbb1dc7297d5d9fe4289add38d98f2e1790e15dd9927e797267b06
Instruction ID: c2db6ca1d3dfa82636d62d6a336e82ff594890b6364334f0194695e2e760854a
Opcode Fuzzy Hash: 3b4fd275b1cbb1dc7297d5d9fe4289add38d98f2e1790e15dd9927e797267b06
Instruction Fuzzy Hash: 28514F76600104AFCB459FA8D815D6A7FF7FF8D3147168098E6098B372DA32DC11EB91

Function 065FC430 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

4'dq, xrefs: 065FC479

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: 4'dq
API String ID: 0-1167855494
Opcode ID: a78449e08f8e3461c5cac20086179c08e2a64812206597920321e800784a0dc4
Instruction ID: 83d7a07b8ab1d773511493f598100c086ba86dcafb4418e41a6ad5703daebeac
Opcode Fuzzy Hash: a78449e08f8e3461c5cac20086179c08e2a64812206597920321e800784a0dc4
Instruction Fuzzy Hash: AC3185357102049FCF558FA4D868DAA7BF7FF8C310B1540A9EA0A9B361DA31DC52DB91

Function 064C246F Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

4'dq, xrefs: 064C280F

Memory Dump Source

Source File: 00000000.00000002.1891178090.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64c0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: 4'dq
API String ID: 0-1167855494
Opcode ID: 6a6c666d47592eb20180fdc01aa940f3f5eb0cda99005e43371e8285d8ec7f33
Instruction ID: aec69e686c77e9cb76c1fbbb665e2758a48b8c940d7ffeacc88dbf410f0be770
Opcode Fuzzy Hash: 6a6c666d47592eb20180fdc01aa940f3f5eb0cda99005e43371e8285d8ec7f33
Instruction Fuzzy Hash: 9B313B78D09349CFDB85CFA6C8146EFBBB2BB85310F04806AD415AB350D7B81A41CFA5

Function 064C0D7B Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

4'dq, xrefs: 064C1549

Memory Dump Source

Source File: 00000000.00000002.1891178090.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64c0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: 4'dq
API String ID: 0-1167855494
Opcode ID: 65924ca73d60a46a3ac5e63f63fcecb0689a532f8839f61271dd3cd4d3dd3de0
Instruction ID: 97e151c61dbaea28cb2600e736bfff2e84d3960358d130f1e48408d14119b656
Opcode Fuzzy Hash: 65924ca73d60a46a3ac5e63f63fcecb0689a532f8839f61271dd3cd4d3dd3de0
Instruction Fuzzy Hash: 2F314938D08249DFDB96CBA5D4546EEBBB2FB45320F10806FD411AB392C7355A45CF91

Function 065F7B2F Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

p<dq, xrefs: 065F7B7A

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: p<dq
API String ID: 0-1100582013
Opcode ID: 0eb7b77f19e2dcf8b7e62221b24930b9aff107b449221bc93c9f894c1600a0c0
Instruction ID: d245add69f12efe5fae1abb17e3125c179f99b632deac668a952b837b49dee6d
Opcode Fuzzy Hash: 0eb7b77f19e2dcf8b7e62221b24930b9aff107b449221bc93c9f894c1600a0c0
Instruction Fuzzy Hash: 4B217F30308285AFCB41DF2AD894DAA7FEABF8E250B094495F945CB371DA31DC41CB60

Function 065F7B40 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

p<dq, xrefs: 065F7B7A

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: p<dq
API String ID: 0-1100582013
Opcode ID: a1d30a24ec51376c3f1e79a30914f2627f7128b1f4bc9d0c086820461ff2d3b3
Instruction ID: b6a6f1e053048fcb22919156fb5ad606a16221d93338b1853c473b8d951974c8
Opcode Fuzzy Hash: a1d30a24ec51376c3f1e79a30914f2627f7128b1f4bc9d0c086820461ff2d3b3
Instruction Fuzzy Hash: 00214C703042559FDB41DF2AD890EAA7BEABF8E240B054495FE54CB3B1EA31DC51DB60

Function 064B3121 Relevance: 1.3, Strings: 1, Instructions: 21COMMON

Download Yara Rule

Strings

#, xrefs: 064B3143

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 32bad3e1753145747a5b9a8e77f346cb238ea7829f6c32c479237466ac6dd29e
Instruction ID: 0dc54d39b89b0ccdb13e0c83d9c5f1c85ba032e6f0760ab3b16412bc9ee08207
Opcode Fuzzy Hash: 32bad3e1753145747a5b9a8e77f346cb238ea7829f6c32c479237466ac6dd29e
Instruction Fuzzy Hash: 63F07F74D04208CFEBA0DFA5C488BDEBBF0AB08311F20696EC415B3241CB749A84CF64

Function 065F0176 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

Tedq, xrefs: 065F01A5

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: Tedq
API String ID: 0-228892971
Opcode ID: b9d757c483340e01f3bd8b2de0c24c6c549a00ef09ccdcfb6e1535a9998ff8ce
Instruction ID: 34c1d4290c97af32d2e08da9556edc241aa797f3a5e0eee6350bd77a396b9adb
Opcode Fuzzy Hash: b9d757c483340e01f3bd8b2de0c24c6c549a00ef09ccdcfb6e1535a9998ff8ce
Instruction Fuzzy Hash: D2F098B8A15358DFDB64DF24D895BDEBBB2FB44300F1051959609A7385CB705E848F82

Function 064BAE60 Relevance: 1.3, Strings: 1, Instructions: 14COMMON

Download Yara Rule

Strings

4, xrefs: 064BCD8E

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 8b19c9fe1fc545d2115ade9032764bc3d80cd3a0f5e29ca20afbd399f16305b4
Instruction ID: 14c99290bea60a628179ba0416a062be75cc71a13f7d6b63f04b1f8e6f7c6f2e
Opcode Fuzzy Hash: 8b19c9fe1fc545d2115ade9032764bc3d80cd3a0f5e29ca20afbd399f16305b4
Instruction Fuzzy Hash: 51E08C7084522ACFEB21CF28D8447ED7BB8FB01304F0021A5A00967241C3B01BC8CF81

Function 065F87D0 Relevance: .4, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f0208a29959a25458b280259fa3c257a86273e1d5f798eca02ee2ee4a4115bd
Instruction ID: 8c57157e867d8e80e56543d5b3e536d1087538f97afcd8547fe32e66a69e8984
Opcode Fuzzy Hash: 1f0208a29959a25458b280259fa3c257a86273e1d5f798eca02ee2ee4a4115bd
Instruction Fuzzy Hash: C1E17731A102159FEB84DF64D894BAA77F6FF88310F188469EA059F3A1CB75ED44CB90

Function 065F42C8 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1445842a5e0e85fdd6400e584aeb2ee9b4049f77203d93630ecd36fa5109af9b
Instruction ID: 171f88a2e4fe0a8b1c15bea94927d3a2149ee3de108b464d76378fed42ae2410
Opcode Fuzzy Hash: 1445842a5e0e85fdd6400e584aeb2ee9b4049f77203d93630ecd36fa5109af9b
Instruction Fuzzy Hash: 12818B35A113058FCB05DF64E858AAEBBF2FF88311F10806AEA11AB391DB35DD85CB50

Function 065F9CC8 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8abc626f345f8a472281afcf14a3dc515ef01dc3525a95d7409c411ce5ba0e7a
Instruction ID: 2e2f539d9ad123ce99af14fb268ee74af11ca02687fef4e269ea0d4f80bdb09c
Opcode Fuzzy Hash: 8abc626f345f8a472281afcf14a3dc515ef01dc3525a95d7409c411ce5ba0e7a
Instruction Fuzzy Hash: BA812574A10619CFCB54DF68C484A9EB7F5BF88350B1585A9EA16DB360DB30ED41CF90

Function 066210EB Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897527576.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6620000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ce194fe909b7fd878ac3642c5490ef839c8124cadeee9225998df846d9b5966
Instruction ID: 368d8282b37e813b817e7ae4ff7db5811571a350a13196036300fca8b13c0241
Opcode Fuzzy Hash: 1ce194fe909b7fd878ac3642c5490ef839c8124cadeee9225998df846d9b5966
Instruction Fuzzy Hash: 3D817874A09319CFDB54CFA4E458BADBBB6FB4A300F106069E50AAB391DB355D86CF40

Function 064B0EDB Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c9272074f6dcc15a6f6dc7221dd15bd856b734c63e9dfdeb3f76d792e3e859c
Instruction ID: 694e481bf7f2ff6ab54908eed1fd47a38d38e4ff4ad216ec0d78bd736ac203b3
Opcode Fuzzy Hash: 2c9272074f6dcc15a6f6dc7221dd15bd856b734c63e9dfdeb3f76d792e3e859c
Instruction Fuzzy Hash: 7671E274A05218CFDB61CFA8D984BDEBBF5BB09301F10A09AD509AB291C7749E85CF50

Function 064B9630 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 815a26004468c700760bc7740633ce01da9e2b36feaa8710eeeaa6825f627434
Instruction ID: 1447d9142f23f3dcef23c713ef2b6c182d8f42a42c31bc13c47840c011889dce
Opcode Fuzzy Hash: 815a26004468c700760bc7740633ce01da9e2b36feaa8710eeeaa6825f627434
Instruction Fuzzy Hash: 70614B70D05208DFCB59DFB9D544AEDBBB6BF4A300F20916AE905AB361DB309941CFA0

Function 064B0F9F Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b004f62bd0f3a44be46ccb1edd6f7b48e1b7857683697b8fb3fec374c301d2
Instruction ID: 1316f392dfa24c174eb59f69cf90c8a3988fb18cc1c435f43070188c0b12efd5
Opcode Fuzzy Hash: 63b004f62bd0f3a44be46ccb1edd6f7b48e1b7857683697b8fb3fec374c301d2
Instruction Fuzzy Hash: BF713574D05218CFEB61CFA8D9847DEBBF5BB49301F10A0AAD509A7291C7749E85CF50

Function 064B102F Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09fcc5a233d03611f34200de3ea7967b6d3735885ee3e1c86451e1b3b3e83295
Instruction ID: 2804b651bf5e44ac0df73daa0fdfa0a9aa4f4b7e6fd92ad16e63b8d42a0b5e07
Opcode Fuzzy Hash: 09fcc5a233d03611f34200de3ea7967b6d3735885ee3e1c86451e1b3b3e83295
Instruction Fuzzy Hash: E9711374D05218CFEB51CFA8D9847DEBBF5BB09301F10A19AD50AA7291C3749E89CF50

Function 064B10BB Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9236bd061685122696fc42667987a56ba4c1e319d459f073af1cf896ecbd2b2c
Instruction ID: 1cb8d71adc2ae4df066e5906f407a57b05f8678530c794838d556f112c23b30a
Opcode Fuzzy Hash: 9236bd061685122696fc42667987a56ba4c1e319d459f073af1cf896ecbd2b2c
Instruction Fuzzy Hash: 18711474D05218CFEBA1CFA8D9847DEBBF5BB09301F10A19AD509A7291C7749E89CF50

Function 064B8CC3 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e054b49a2bedd7136cc752dc4903f44b8de0254bf0319b31ec7cd4b7494e3afe
Instruction ID: 02438f1b7d04e0cc4efbcc198182abcded5d52706a9b80cfaf6ee4f9060f3767
Opcode Fuzzy Hash: e054b49a2bedd7136cc752dc4903f44b8de0254bf0319b31ec7cd4b7494e3afe
Instruction Fuzzy Hash: 7F613670D05218CFEB94CF68D984BEDBBFABB4A300F10A4AAD509AB251D7744E85CF50

Function 064B63D1 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04ef50ba44e9fc8cf142e1c1213e0ab70e8839c24415fde3afa1c55e8c98badf
Instruction ID: b7b052c226a092bac7689bdfab600b9abb9ec6e04043133bc4d6a5855c82078e
Opcode Fuzzy Hash: 04ef50ba44e9fc8cf142e1c1213e0ab70e8839c24415fde3afa1c55e8c98badf
Instruction Fuzzy Hash: 3B81C474D01228DFDB62DF68C848BDDBBB1FB09305F1055EAE909A7251EB705A84CF91

Function 065FCF98 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d60c2e1f9a96d63fd5cd4cb5d2b20440c57fc5f1d7ec8ef7807fbcded435be9b
Instruction ID: fd5094916d59eafa8d8f80f2273e4719d232250a5629fb445de12d7539a1d864
Opcode Fuzzy Hash: d60c2e1f9a96d63fd5cd4cb5d2b20440c57fc5f1d7ec8ef7807fbcded435be9b
Instruction Fuzzy Hash: D9517A34B10609DFCB14AF64E46CAAEB7BBFF88711F008119E60697364DF74990ADB91

Function 065F49E8 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f8f3c65a5284157b3f7cc51d276a016ddc571f929a44ae91f60e28cea73496e
Instruction ID: 150077246306838c44bbeeb6def109ec28fd2cb61c2d6d1aa56e2d93f7b078cf
Opcode Fuzzy Hash: 7f8f3c65a5284157b3f7cc51d276a016ddc571f929a44ae91f60e28cea73496e
Instruction Fuzzy Hash: 24416A30A10306CFDB549B68D858B6BB7F6FB88301F148429EA169B252DB30E845CB90

Function 064B96D8 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b24af660646d61cefc4701cf24eb6f9b8a67ac344c3b3732f978cb5e6c85e818
Instruction ID: 87a3d7805e895e589b38656c6174c2f697deaed7d84dbcd7571241de6fdee64a
Opcode Fuzzy Hash: b24af660646d61cefc4701cf24eb6f9b8a67ac344c3b3732f978cb5e6c85e818
Instruction Fuzzy Hash: 9251D274E01208DFDB58DFB9D584AEDBBB2BF89304F20912AE905AB360DB709941CF50

Function 064B96C8 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42b4e7e779b5b431f3a6407a0386207997f17127d6a0bc14eb69d27620b18bfa
Instruction ID: 8eff7cd55c5ac55cd2739552a314435d85357b76a0851d5c731f89f45da08315
Opcode Fuzzy Hash: 42b4e7e779b5b431f3a6407a0386207997f17127d6a0bc14eb69d27620b18bfa
Instruction Fuzzy Hash: 5D41D374E01208DFDB58DFB9D554ADDBBB2BF89304F20912AE905AB360DB319942CF50

Function 065FFB62 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c1dd076bec3ac1c373676bc510f2f07a52fb8e72cb5ba73c623ecc8c6e462d0
Instruction ID: 221afdccb635e4ebfef6cc3e9b2a907b50ef00a6e5ccd3c83b81cab2bc0932be
Opcode Fuzzy Hash: 4c1dd076bec3ac1c373676bc510f2f07a52fb8e72cb5ba73c623ecc8c6e462d0
Instruction Fuzzy Hash: C1311936A111149FCB45CF58D898EA9BBB2FF48320B1640A9E6099B372C731ED55CF40

Function 065F4B78 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce7936ede74a36f13d63aeda242dfba27ab39bbdef8eec087340918eb741b5b8
Instruction ID: bea918b1d85ec9159f9f5f7c3ca9872ec04be07030d45e2e05cd2f631e902ce4
Opcode Fuzzy Hash: ce7936ede74a36f13d63aeda242dfba27ab39bbdef8eec087340918eb741b5b8
Instruction Fuzzy Hash: 3D416B71A103198FDB54CFA5C8446BFBBF5FF88300F009429D616E7262E7359949CB91

Function 065F0DA1 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb8ab4a4d8d6dd347a060f8da0f7aa7aa51d6ad417a4cfd2bfa9f282ba7c02e
Instruction ID: 751e8077750c163a6c25ac40660176b96a2fdb3f59c19fda030314e86b78c368
Opcode Fuzzy Hash: 1fb8ab4a4d8d6dd347a060f8da0f7aa7aa51d6ad417a4cfd2bfa9f282ba7c02e
Instruction Fuzzy Hash: 41414470E10209DFDB44CFAAD4946EEBBF6FB89300F188065DA14AB281D7746945CF91

Function 065FDCE0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a78f9e8b204bc7942f5ddd9e7667e9523f933eee26b69ba8c0d173a052eb7f0e
Instruction ID: b6f7eb6aa822aabf8361d64044d68bd0239b64304848407df5d30909ce80f731
Opcode Fuzzy Hash: a78f9e8b204bc7942f5ddd9e7667e9523f933eee26b69ba8c0d173a052eb7f0e
Instruction Fuzzy Hash: D221F7327052045FC7649B6DE884A5A7BF9FFC1364B1585BAE10ECB251CB31EC41CBA0

Function 065F7218 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1c8f36c17ee740a948242655f9201fbef099238600f4c30547df0cf65f17e12
Instruction ID: 79fc054ea9197f68312752916835fd129cfe0d53ab0cecc2d4aaea369f125518
Opcode Fuzzy Hash: e1c8f36c17ee740a948242655f9201fbef099238600f4c30547df0cf65f17e12
Instruction Fuzzy Hash: 813190357003019FC7269F35E85856ABBB6FF8A315B14446DE9478B3A1DB31EC46CB50

Function 065F0DB0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc7ad291f3efa43e46ef164830e1040564c74de1d6bae2f62eac19382eab9523
Instruction ID: 28261a93b952028974d8c2cca028a006ae0bc1e7a43b5e5ae8ebce54c711f6ba
Opcode Fuzzy Hash: cc7ad291f3efa43e46ef164830e1040564c74de1d6bae2f62eac19382eab9523
Instruction Fuzzy Hash: 70311370E10209DFDB44CFAAD4946EEBBF6FB88300F149469DA14A7381D7746945CF91

Function 0696F3D8 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897894293.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6950000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c128bbc9a8398221ab9e42c2e7293c65951477fe0a651783b3b7d224e668507e
Instruction ID: 76c1ded4a91dd7b990dcd376638c1066a5e90f5c96fac31561de29857550f05a
Opcode Fuzzy Hash: c128bbc9a8398221ab9e42c2e7293c65951477fe0a651783b3b7d224e668507e
Instruction Fuzzy Hash: 92311874E05209CFDB44DFAAE5486EDBBF6BF88310F149429E414B7A90D7B05941CF90

Function 064B9DBA Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0701dc5031fa0a6409aab8c312bcda6f663bfbcafcbf41f6593e633e9d2d65af
Instruction ID: bd2ffb3a2baed728a3dba5c88710b9d327c8f413e9c53057025e7ce9ab7ccc43
Opcode Fuzzy Hash: 0701dc5031fa0a6409aab8c312bcda6f663bfbcafcbf41f6593e633e9d2d65af
Instruction Fuzzy Hash: 8931EE70D05209DFDB84CFA9D4416EEBFF9FB4A310F1495AAE80897391D7316A81CBA1

Function 065F062F Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec79c785b9b84f415ac967a9879c95ef8a5d4f749ee244be7eedb2be3fbb32f4
Instruction ID: f190fb42c35bfc9c31eb63a7b3a3899b87cd0610b26b0c9a07cb3b4196c9d130
Opcode Fuzzy Hash: ec79c785b9b84f415ac967a9879c95ef8a5d4f749ee244be7eedb2be3fbb32f4
Instruction Fuzzy Hash: 29315A70D26218CFEBA4CF55C864BAEBBF6FB89300F1894A5D509A7286D7345D85CF40

Function 065F6F92 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3609deea4bc406100c256ae1130db036c870dd5bfc8d2e989d63e6e73c588b6d
Instruction ID: a7e1c43c717b1a3f2a25fd174a3cba8bb5b8620f21150e614fd1e3052abfba0d
Opcode Fuzzy Hash: 3609deea4bc406100c256ae1130db036c870dd5bfc8d2e989d63e6e73c588b6d
Instruction Fuzzy Hash: FB212772C1A3899FCF41CBB4AC405EFBFB8EF06291F144097E244C7192D2269A45CBE1

Function 0696EA90 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897894293.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6950000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f63796cdb5d436c7bf30031e94a9344611f41d9c0d83f0ac03a62c004267d06
Instruction ID: ed97d9835ecc51d6ead3ea902c44b888ba4600cea374e9bf415ffc9fc27320d4
Opcode Fuzzy Hash: 9f63796cdb5d436c7bf30031e94a9344611f41d9c0d83f0ac03a62c004267d06
Instruction Fuzzy Hash: 1831D375E00208AFDB44DFA5D454AEEBBF6FF88311F14802AE916A73A0DB315945CF91

Function 065F3341 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73cd97d902031156801fea65b1ade3303a5b23739039455a5839f85e7ed9f243
Instruction ID: adc12b2b03a6431360fd1a0c91c1a88e9fb60b14a5a9ceb6084385df05d40474
Opcode Fuzzy Hash: 73cd97d902031156801fea65b1ade3303a5b23739039455a5839f85e7ed9f243
Instruction Fuzzy Hash: F3213075A00208DFDB15DF54C4589EEBBB6FB8C321F148229E515A7390DA329C45CBA0

Function 065F2CC8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4f1bc502b7f1793cb83194d110386adc7aefc254764b76cf32ed7585eb25d72
Instruction ID: 6988357b26140ad7cf7b028b80aa292a39dd373a4de770bc7ce97fe447e0de27
Opcode Fuzzy Hash: c4f1bc502b7f1793cb83194d110386adc7aefc254764b76cf32ed7585eb25d72
Instruction Fuzzy Hash: 0521F2706003066FD744AB69E8587AEBBEAFFC4341F104929E10ECB641EB715D498BE0

Function 064B0B90 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73f019e13bfcd0952760b08b00f6516085a8c03fad054a0c05961cc61512c480
Instruction ID: a9fc50e5898cf64c675fb6834827ee9b559e5fec76d0115f25105d47ec96bd12
Opcode Fuzzy Hash: 73f019e13bfcd0952760b08b00f6516085a8c03fad054a0c05961cc61512c480
Instruction Fuzzy Hash: 45219CB0D09209DFEB04CFA9C8442EFBBB6FB89315F14A826D401B7250DB741A45CBA1

Function 065F7000 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8159dc7408ec6f67b2483ad88d96d96b1b3bde053aeea1f38a534b5d55b6a4b
Instruction ID: 8973253102805f925b2f4d522f52acc5e95c7770bc0a02a663dc7249d42add31
Opcode Fuzzy Hash: e8159dc7408ec6f67b2483ad88d96d96b1b3bde053aeea1f38a534b5d55b6a4b
Instruction Fuzzy Hash: 5A216931E10209DFEB90DB78E504BAEBBF9AF48340F108466D605D7290E7B6CA40CF91

Function 0198D104 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1876682399.000000000198D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0198D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_198d000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f6015882dde892849356f71341e23bd990d4a8d61f220a26da034a26c6c8562
Instruction ID: d043c2658aa8fe1f276143b977cbc5dbfc7ae06d32e9ef039852bddb6bbec237
Opcode Fuzzy Hash: 0f6015882dde892849356f71341e23bd990d4a8d61f220a26da034a26c6c8562
Instruction Fuzzy Hash: 3621D6755042449FDB09EF98D9C4F26BBA5FF84315F24C569E90D4A282C33AD416C7A1

Function 0198D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1876682399.000000000198D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0198D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_198d000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d5214bcbc92af7fc6e73bb1af2d5a1a5e3397016cc60c834b956c2fe2ea4ed1
Instruction ID: 745a79db908208c073e38ae1f4164fc2698c9398144ab53a467d87d288db5292
Opcode Fuzzy Hash: 4d5214bcbc92af7fc6e73bb1af2d5a1a5e3397016cc60c834b956c2fe2ea4ed1
Instruction Fuzzy Hash: D0210371604200DFDB15EF58D884B26BBA5EB84314F20C96DD80E4B382C33AD407CA61

Function 065FFB70 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f622ff895860e9f8a14408b5f2e83343b4b302c2b747490e68c8a74c388709a
Instruction ID: 819d81ab7d9fc09feebfc08a7019a2c735ea0cd723829f30b6c70b75d65d8244
Opcode Fuzzy Hash: 1f622ff895860e9f8a14408b5f2e83343b4b302c2b747490e68c8a74c388709a
Instruction Fuzzy Hash: 6B211736A10108EFCB05CF99D998E99BBB6FF48320B0644A9F6099B372D731EC15DB40

Function 065FB1D0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f07be6c232947eec14e9e7d80bfa3f691252b2221567786c8ce86be224408c7a
Instruction ID: effc8f5229397e3c85055ca7d4f875b1c42c4810e972860031f7439b8394f009
Opcode Fuzzy Hash: f07be6c232947eec14e9e7d80bfa3f691252b2221567786c8ce86be224408c7a
Instruction Fuzzy Hash: D921F371A10219CFDB44DF98C994ADDB7F2FF8C301F2045A5E505AB2A1CB72AD44CBA0

Function 064B0BA0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a28f8ef1654984c5d6013df131095d405c7601ea2942496f5de251e3eed3b94
Instruction ID: 17dd1e61fcf9177b0d7eed52ebde0d08c9e640842a3d43fa6f11c69bd60644b2
Opcode Fuzzy Hash: 8a28f8ef1654984c5d6013df131095d405c7601ea2942496f5de251e3eed3b94
Instruction Fuzzy Hash: F2218970D08209CFEB44CFA9C4442EFBBB6FB88716F10A82AC505B7250DB744A40CBA0

Function 064B9E18 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76ebe352cd9fb5486ebf9c9770c90d4d4787e4f162a512e9a2437c764b1354b5
Instruction ID: e4012ecb433a8aa0debb29de15a92857254a52e7f8ec8c26ce82bd85036d43f6
Opcode Fuzzy Hash: 76ebe352cd9fb5486ebf9c9770c90d4d4787e4f162a512e9a2437c764b1354b5
Instruction Fuzzy Hash: C3213BB4D04209DFDB44CFA9C0446EEBBB6FF49311F14A56AD904A7390D7346A81CFA1

Function 065F3DB8 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a8e0eff4ed4ba5ed70275580363bf86d8a87efc4d8348a4e4c50593a7258e90
Instruction ID: 30b7695d2d650a0048cca780e0907394764d4fbc07eda4a2781cc6b9940f6f42
Opcode Fuzzy Hash: 2a8e0eff4ed4ba5ed70275580363bf86d8a87efc4d8348a4e4c50593a7258e90
Instruction Fuzzy Hash: 35215971A12209EFEB14DBA4E994ADEBBB6FF88320F104125E604A7390D7719D01CBD0

Function 0198D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1876682399.000000000198D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0198D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_198d000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa4c27934709ca257754ff76411c9f525c783023b8003ed1d7b3bd62ad1ffb1f
Instruction ID: b23b78b012c1e13c421b9f108efb888b35365e8f0593ac05f31856a08904ebc8
Opcode Fuzzy Hash: aa4c27934709ca257754ff76411c9f525c783023b8003ed1d7b3bd62ad1ffb1f
Instruction Fuzzy Hash: F0219F755093808FDB03DF64D994715BFB1EB46214F28C5EAD8498F6A7C33A980BCB62

Function 065F0F01 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 367a407a99bdadf66dd8618ec69a33da287f18af27b3733112b35853cf95add3
Instruction ID: 9d00633a0d354560e130d7233c2887a3cc185f0ac139da3ccadcc195b681c2d3
Opcode Fuzzy Hash: 367a407a99bdadf66dd8618ec69a33da287f18af27b3733112b35853cf95add3
Instruction Fuzzy Hash: 3E11E93491A348AFC782DFB4D855AA9FFF8AF07200F1840D6E848DB253D9315E44C7A2

Function 06968E18 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897894293.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6950000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51be5421d4411ae495a33983d5d6f8ecaa7ce4b2c5687df3b826bcbf250802f5
Instruction ID: 10818112fceb478ffd6941d9ddfd990aab07834058aca37931a1f45d82760823
Opcode Fuzzy Hash: 51be5421d4411ae495a33983d5d6f8ecaa7ce4b2c5687df3b826bcbf250802f5
Instruction Fuzzy Hash: DC21BF74E0120ADFCB44DFA9D588AEEBBF5EB48311F10846AE919A7350D734AD40CFA1

Function 065F6F40 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af7a4a3e21f9a366b0445c7c35e93547484664a47a158f356f91a8a564539a69
Instruction ID: 5a360776d52c551d857ff06f635dce43e3fe37b541ae6edc7a9d2868b02f57d1
Opcode Fuzzy Hash: af7a4a3e21f9a366b0445c7c35e93547484664a47a158f356f91a8a564539a69
Instruction Fuzzy Hash: 3201F73440F3C66FCF438B308D218967F25AF4325470944C7F488DB197D2158A56C3B2

Function 0198D0FF Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1876682399.000000000198D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0198D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_198d000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5cca3b6083d3cd9d5895b52ac11f54ed2289ca6e68c0d87637972eb0d922851
Instruction ID: 654b08d7c8dab0e602d9da6fda8cd0654ad50fe86cf333ab78cc176fc1552821
Opcode Fuzzy Hash: f5cca3b6083d3cd9d5895b52ac11f54ed2289ca6e68c0d87637972eb0d922851
Instruction Fuzzy Hash: 6D11B176504284CFDB0ADF54D9C4B16BFB2FB84314F24C1A9DC094B696C33AD51ACBA2

Function 065F4100 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9acdf95c8ff488a13a2be69d493d55274d3f703768478a28f309c71290ddec32
Instruction ID: e90753780819a7f8a2912447982c23605b0bc1ba8ed4b67e2444a2476d784377
Opcode Fuzzy Hash: 9acdf95c8ff488a13a2be69d493d55274d3f703768478a28f309c71290ddec32
Instruction Fuzzy Hash: 3011A031B102059FDB909F698818BAB7BF6BB88341F04402AEA19D7381EB71C945CBA0

Function 065F3E69 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 246cf07146e9648184deb4f96c1cca6e521c27174bf5e32e51a4d3da140a1fab
Instruction ID: 14fe5be183b134f1215c2baf8447d4f38857afd3914136c5b801af3341fb4e0b
Opcode Fuzzy Hash: 246cf07146e9648184deb4f96c1cca6e521c27174bf5e32e51a4d3da140a1fab
Instruction Fuzzy Hash: 9F216279A52219DFDB44DFA8D594EADB7F2BF49300F104058EA05AB361CB34AD45CF90

Function 06957CAF Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897894293.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6950000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c17a081a6166113a4f3d82bbe66a33fa7b504b94ccaa1a77f53765745678f32
Instruction ID: 648edc32c7d4249876e44a3a69829e22e806f8471c44e6f0eadedbaf0527a68b
Opcode Fuzzy Hash: 0c17a081a6166113a4f3d82bbe66a33fa7b504b94ccaa1a77f53765745678f32
Instruction Fuzzy Hash: E621E678A05268DFCB64DF18D998ADAB7F5FB88300F1051E9E909AB344D7709E80CF40

Function 065F02A1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6e330bc7e5b2ca0a5eadb8f9dea5541de6a2e1b0297adb38fa3d55804527c05
Instruction ID: a3fdd061720d06fbea11f731ad513842deaea2eed419d7c1160aeba312193834
Opcode Fuzzy Hash: e6e330bc7e5b2ca0a5eadb8f9dea5541de6a2e1b0297adb38fa3d55804527c05
Instruction Fuzzy Hash: FC11F670E11209DFEB58DF69E4A47ADBBF6FF89300F5494659109AB291DB305880CF40

Function 064B9E08 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08190bc2d384bc4940f2a1588defc94552e749fd285a4423f6eb0f7b478ffaf8
Instruction ID: 3657375cc8d6349287f2dd53946e79ae81fe390da7baeb2ba93364c0991ca72e
Opcode Fuzzy Hash: 08190bc2d384bc4940f2a1588defc94552e749fd285a4423f6eb0f7b478ffaf8
Instruction Fuzzy Hash: 4011E3B0D052499FCB44CF69C4412EEBFB9BF07310F14926AE01496391D7305582CBA0

Function 065F4DA0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8307e00211120d73db2bf37634da6a1dc68219a2fd9109bfdc109e07f78070c
Instruction ID: e3787f5803de8613c0ad04afc170e62879c308e84447c0d6461655dea6fc87c9
Opcode Fuzzy Hash: a8307e00211120d73db2bf37634da6a1dc68219a2fd9109bfdc109e07f78070c
Instruction Fuzzy Hash: 7601B5326142585FD794DBD9E440AEBBFE8FF55220F1480ABE684C7291D631D994CB60

Function 065F3D48 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f842f50f1739995a5e0f8d3b0674574fe73ca5d9ee8377613d8bf99d6c27faf6
Instruction ID: 66c90d2b71f92792aa782d1711dfe396f4ab742b3d850c872d94e97a1b398a0b
Opcode Fuzzy Hash: f842f50f1739995a5e0f8d3b0674574fe73ca5d9ee8377613d8bf99d6c27faf6
Instruction Fuzzy Hash: DD018436340215AFDB008F59DC94F9F77A9FF88761F10806AFA14CB290D6B1D8108B90

Function 065F044D Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 040d1dee8fb6b104c321c2c3fc1fa598b8a48feb5f6f476db9387ac260df66e6
Instruction ID: 24367346519d38274a9ad492fbfc09ef4cc6d118143e2073adececbb3e3e90cc
Opcode Fuzzy Hash: 040d1dee8fb6b104c321c2c3fc1fa598b8a48feb5f6f476db9387ac260df66e6
Instruction Fuzzy Hash: DA21E074A10219CFEB64DF24E8A87E9B7B6FB48304F0040A9D609A7384D7745E84DF51

Function 065F02EF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ffc626d114f6935cf0eab641b43dca8dcb0bada57ce710c388219833c50711
Instruction ID: 82d68733a6bacdaece1b9dbdb550555ff24fd16a8c5b3c3f3dc028f017ba8b8e
Opcode Fuzzy Hash: 72ffc626d114f6935cf0eab641b43dca8dcb0bada57ce710c388219833c50711
Instruction Fuzzy Hash: CE110670E10209CFDB58DF6AE4A46ADB7F6FF89300F64A469D109A7292DB705840CF41

Function 064B9D78 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e27849de7b85075edc5c844fd080a437b27819cb1de965efda1376d7f75cc9e
Instruction ID: 6685cd837bffdbb9d8a50d85d8cd8497e4b9798e4c0c5a3b7f2001abc410a365
Opcode Fuzzy Hash: 0e27849de7b85075edc5c844fd080a437b27819cb1de965efda1376d7f75cc9e
Instruction Fuzzy Hash: EC010074D16209EFC780DFAAD444ADEBBF8EB0A300F11959AE904D7251D6305E50DBA1

Function 065F0040 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3c63edd171b51c33faebd231ccf57b49943356288ce8435dd173d4a18760bbe
Instruction ID: 1112abfe12cbee06acb9d6f28ccdd9a1ae19643c5f5abe4b441d4f38366d2860
Opcode Fuzzy Hash: f3c63edd171b51c33faebd231ccf57b49943356288ce8435dd173d4a18760bbe
Instruction Fuzzy Hash: F9115170D14208CFD744DF6AD8687EDB7FABB8A301F44C4A5D509A7381DBB018848F91

Function 0696DCD0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897894293.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6950000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f5e3ec490797ed68026fb3ba65d45d9e4f22820e4a7abba66b35196bb8ee27c
Instruction ID: fb99a05d4086b8b3600208fdee564c9b0bebe48167e6bba429e979cbd3b00a1d
Opcode Fuzzy Hash: 6f5e3ec490797ed68026fb3ba65d45d9e4f22820e4a7abba66b35196bb8ee27c
Instruction Fuzzy Hash: CE11B7B0E0021A9FCB44DFA9D8457AFBBF5BF88300F60846A9918A7350DB345A419B91

Function 065F3170 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1c349cf266c364e9dae9c84b2f17587d3363bd2724f88cb9840ec4d83b0ad3b
Instruction ID: a9d507f9fda754da6c950ae332a754c34be7c248692e16baeafcf37b506f2acd
Opcode Fuzzy Hash: c1c349cf266c364e9dae9c84b2f17587d3363bd2724f88cb9840ec4d83b0ad3b
Instruction Fuzzy Hash: DFF0F431B093502FF7158B689810B67BBADEFC9320F1484AAE5049B352CA62AC45C7E0

Function 064B9910 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e37dca1daa67a0c8a20583f8a25d3103cfad341c1788775e127cccc85080294
Instruction ID: 95af2066e193e63de615a11033702edc2a4191dc9942be18900e8fe633ebcd3d
Opcode Fuzzy Hash: 0e37dca1daa67a0c8a20583f8a25d3103cfad341c1788775e127cccc85080294
Instruction Fuzzy Hash: A9011A70D05209EFCB91DFB8D8446EEBBB8EB4A204F2045AAE409E3351E7305A41DBA1

Function 065FDD81 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ec952adf38008197984c30382590996e2d6e0922f14a6d9061be2411ca363b1
Instruction ID: 1569fe61731e38e314912792f28f9861ce6266d07c05fe48e0bedfde01a81dd8
Opcode Fuzzy Hash: 3ec952adf38008197984c30382590996e2d6e0922f14a6d9061be2411ca363b1
Instruction Fuzzy Hash: 58F0A4323256009FC7719B18D884A6A7BF5FFC035171AC666E25ACB256C721F846CF50

Function 065FB1C2 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffb1b0b15f3fbf06d6dce6e028c7e641dd1584f4ef97be0fa27217b1397190c6
Instruction ID: 804b24f7c7d94f32a78bdc2fc3ec9a64201b5b9fbbdde5aad4ada98f30f9573e
Opcode Fuzzy Hash: ffb1b0b15f3fbf06d6dce6e028c7e641dd1584f4ef97be0fa27217b1397190c6
Instruction Fuzzy Hash: 30012575A1120ACFDB45DF64D9849EE7BB2FB4C316B204591E505AB262CA32DD81CFA0

Function 065FCF89 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a384778f2de76bc0d256465b51f44a3b4850c38b4b1c3f80f284a40ed65d01d8
Instruction ID: cf8027e3db7a98ab4dd3be2b42d6873d19f6ac00788ad0bd2b4c7247d743d292
Opcode Fuzzy Hash: a384778f2de76bc0d256465b51f44a3b4850c38b4b1c3f80f284a40ed65d01d8
Instruction Fuzzy Hash: B8F0F6327100186BC7189A19D8449AFB7AEEFC4360B098026FA19D7360DE719C17CAD1

Function 065F3D39 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 068489ddf59c6c7bab9b1f26e0af3c9b2284b811ed511949e8cf0fce80ce8e2a
Instruction ID: 8919d99fde30fc2511392808a53c494afb6a6265c3363d40be62e0c21917ec5e
Opcode Fuzzy Hash: 068489ddf59c6c7bab9b1f26e0af3c9b2284b811ed511949e8cf0fce80ce8e2a
Instruction Fuzzy Hash: 8CF09036305345AFD7018F29EC94C9BBBBDFF9A66431540AAF604CB221CA21DC04CBA0

Function 065F4F78 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3eca9b8bd7fb8dd5f0dbdd19ed49b6ab91fe626f8c844b3ab5b0936547fb2de
Instruction ID: 98ae8ef81f22fd3b8349c1671a75228999c0cc2ab36d47df12fc00d42cabaee8
Opcode Fuzzy Hash: b3eca9b8bd7fb8dd5f0dbdd19ed49b6ab91fe626f8c844b3ab5b0936547fb2de
Instruction Fuzzy Hash: D0F06D317100215FC7449A1AD994E2AF7DAFBC8A61B2480B9EA09CB366DA21EC0187E0

Function 065FDDCA Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e27cbde47c4cfa81262e9db7014c202e3f07587f5bd4df8208f2ca4b410ef527
Instruction ID: 0d7beca317cd1a8d52efe5d87c05bd899bc174aa7d4551eb5071e9b58e1e7673
Opcode Fuzzy Hash: e27cbde47c4cfa81262e9db7014c202e3f07587f5bd4df8208f2ca4b410ef527
Instruction Fuzzy Hash: 30F0E2323152041FC7A0166DB8506A77BADEFC51A5F198277EA0AC7285C922DC06CBF5

Function 06952ED5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897894293.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6950000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0b138a1e0fbab0c158d6ab885255c6110ac86a48c6b8dbbfe75276181a56aec
Instruction ID: 6ea7a0e689cfd31b3c769fec09653c1aa7eed1817afa751214d0666958bf3b55
Opcode Fuzzy Hash: a0b138a1e0fbab0c158d6ab885255c6110ac86a48c6b8dbbfe75276181a56aec
Instruction Fuzzy Hash: CA11D474A00229EFCB64DF18D994ADAB7B5BF48304F5184E9E909A7760D7309EC0CF61

Function 064B5211 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e99efee3e89865d9b2adc426fbd7047658c4358f8738cd3037b69aec4364909
Instruction ID: 2bc3522ec07d39e7ed311c20777439f8b717f50a74b5bc2bab8643e093a196bb
Opcode Fuzzy Hash: 1e99efee3e89865d9b2adc426fbd7047658c4358f8738cd3037b69aec4364909
Instruction Fuzzy Hash: C1F04F30909248BFC785CFA9C800AFDBFB8EB4A311F14C19AB858D6251C6359E51DB61

Function 065F31D8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 810687cba3b65c80ff95dd508fefb51d49e5e45892f4381c6ba348fa7e577d2a
Instruction ID: e37de47c690d640b8534f38a9ef8c6e04ba677b85c0a176521b4ab879b704d8a
Opcode Fuzzy Hash: 810687cba3b65c80ff95dd508fefb51d49e5e45892f4381c6ba348fa7e577d2a
Instruction Fuzzy Hash: 46F02462F0E3804FF75207681C24729BBE2EFC6212F18449BC2868F2A2DA56C806C3D0

Function 065F3180 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66760da413bed7871aec628124646d36c127d509d8f8589485adfef83b36f7a2
Instruction ID: 5febc49adf53b360fbeba780ffe51e4736868c72292320815755ae4d83ed2c36
Opcode Fuzzy Hash: 66760da413bed7871aec628124646d36c127d509d8f8589485adfef83b36f7a2
Instruction Fuzzy Hash: CFF0B471B043115FF71597189814B2BF7A9EBC8720F14442AD6099B341DA76EC4187C0

Function 065F3F40 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cb74d13c2a529bc5730c909c96a5ae40fd1a8537f6638415aa7ae7c8db0fa3f
Instruction ID: a91671829a04d4bd351415798b4a5ff297063f3dcce8e90d3e614b54d58fa668
Opcode Fuzzy Hash: 1cb74d13c2a529bc5730c909c96a5ae40fd1a8537f6638415aa7ae7c8db0fa3f
Instruction Fuzzy Hash: C4F0A7362056562FC7518B1DEC40CA77B6EEBD23607068166FA059B241CA26BC85C6F5

Function 065F5430 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8622ecd06529d7890a376a0a1ce7973639a0ca880616efee7ad9af3c4a17fff
Instruction ID: b9012bc10391a6ff5abe37a40f993f03759adbd8f311d6d1c13a447dc9960e75
Opcode Fuzzy Hash: c8622ecd06529d7890a376a0a1ce7973639a0ca880616efee7ad9af3c4a17fff
Instruction Fuzzy Hash: 55F024309083846FCB06CBA4A45D6DEBFF6EB45225F0880CEE08593182EB700B88C791

Function 064BDA88 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48a2350a1e736b059c923d14cbce3b1690973c6838871f5a3d4b527dbd94a632
Instruction ID: c926e88252313ec36167c43e84e26b096d1bf7453b30b77d67fb60150db5269e
Opcode Fuzzy Hash: 48a2350a1e736b059c923d14cbce3b1690973c6838871f5a3d4b527dbd94a632
Instruction Fuzzy Hash: D511E574A042188FCBA5DF24C884A9ABBF9FF49204F0050DAE54AA7350DB315F85CF41

Function 065FC390 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd72fcda0fa07a6fddaf6941017f2cd4d041fc4367b1bab9457dec0b89e066c6
Instruction ID: fe9bb2d7bb11e22a2ddd657924de651eb789fcb075a871a483258aff4b8897d0
Opcode Fuzzy Hash: fd72fcda0fa07a6fddaf6941017f2cd4d041fc4367b1bab9457dec0b89e066c6
Instruction Fuzzy Hash: 61F0E53170A2669FD756021D2C6895BAED8BB87954705017FFA41CB346C9149C0183E2

Function 065F16D0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f9515e08e216af8070eed08638d1bd6fdbd4fd12004614470f63b76f111f225
Instruction ID: cc2e6150d79fb802df837a39d74f2318520183f3ff3052e1d5404882e4e48938
Opcode Fuzzy Hash: 6f9515e08e216af8070eed08638d1bd6fdbd4fd12004614470f63b76f111f225
Instruction Fuzzy Hash: 5AF05E75D06248AFC744DBA8D8419ADBFB4EB49200F1480DAE81897342D6355E41CFA1

Function 065F0B1C Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a15c52533b8d1b04ba0d2f75db957b5e19cb1d982a9126becb2a01e97c53a236
Instruction ID: 94d17d6a0edf366107590715a427146eda43a7c6662c99df342f3868525e2d3d
Opcode Fuzzy Hash: a15c52533b8d1b04ba0d2f75db957b5e19cb1d982a9126becb2a01e97c53a236
Instruction Fuzzy Hash: E6012870A01208DFEB90DF68D898BADBBB6FB09304F1050A9E509E3391DB745D89CF41

Function 065F05AE Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 132e86381364ec8a5a3d7c3ded3c92ef1c78cb8396a37cdb4ceaba3bb426c656
Instruction ID: fe5390a753bec70346aee09a5b8a1264a3b7348d1c8deb0c5aac967d0e8794af
Opcode Fuzzy Hash: 132e86381364ec8a5a3d7c3ded3c92ef1c78cb8396a37cdb4ceaba3bb426c656
Instruction Fuzzy Hash: 770128749062089FDB50DF64E8A87ADBBB6FB45300F5440E5D605AB291D7741D88CF40

Function 065FFD50 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34fb45299e374101e00e825f3666e75cacfdf3c96b38f1b7b1559b1c2acfc1b
Instruction ID: 96d7a0e769a92e3137658ba40fe85e4256a9e8892356874e46e877f088b156df
Opcode Fuzzy Hash: e34fb45299e374101e00e825f3666e75cacfdf3c96b38f1b7b1559b1c2acfc1b
Instruction Fuzzy Hash: 08F03A353103009FC7149B19D868D3A77ABEFC8721B104069EA468B760CA31EC42DB90

Function 065F09F1 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b933a826989a0481e9787b6900497ab91879d9b95f1e513639c541cc9475a18b
Instruction ID: 4f6bf317725321ca858e20b4087ad893e59a4a854bcafc58a1559f51142bda09
Opcode Fuzzy Hash: b933a826989a0481e9787b6900497ab91879d9b95f1e513639c541cc9475a18b
Instruction Fuzzy Hash: C8011630901208CFD7909F64D898BADBBB6FB45311F0441A5E509AB292CB741C88CF45

Function 065F21D8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 998d9cbbfff69f1b80b81a4019b4706d8363206088425c5e2c5c77d9479eae1c
Instruction ID: b73f6b3a46b64cb5ede0920dbd2c4c38c3ed1894bd604b98ce4702d327a93159
Opcode Fuzzy Hash: 998d9cbbfff69f1b80b81a4019b4706d8363206088425c5e2c5c77d9479eae1c
Instruction Fuzzy Hash: 23F08C74D19208AFC740CFA8D8416ACBBB4EF8A310F14C4DAE819D7342D6355E42CF92

Function 066201F0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897527576.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6620000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de6a561fd464ffd5b857eb3962058bc384342d97dc635974f80ac8c9585a1d40
Instruction ID: aab3cf0863df9672f2391b2e065c30396670d3548133eb602bb91801c07253ca
Opcode Fuzzy Hash: de6a561fd464ffd5b857eb3962058bc384342d97dc635974f80ac8c9585a1d40
Instruction Fuzzy Hash: 7FF03034905208FFCB01CFA4D840AADBF75EF49310F14819AF84897352C3329A62DF91

Function 065FC3E1 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa6fddc7c308250058ba4bc16e9dc8f3cc6dacfecd10e1b071883becf819482e
Instruction ID: 9e3d831e6037ccbbc0f056d1d1f9484277eeeec5f607e314c6335617e2f33668
Opcode Fuzzy Hash: aa6fddc7c308250058ba4bc16e9dc8f3cc6dacfecd10e1b071883becf819482e
Instruction Fuzzy Hash: A4E037713003195BC7155A1AEC5885BBB9BEBD1256700993AB10E47155DD709D4587A0

Function 065F0C88 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cff9a54c28b7ba6eef6726a62fa21707b6000036bdcf3c069dfe6c51c5938d06
Instruction ID: 337bce693209ef9d020674066840fe85574ab97f0224a616a2c6b7e8302e0057
Opcode Fuzzy Hash: cff9a54c28b7ba6eef6726a62fa21707b6000036bdcf3c069dfe6c51c5938d06
Instruction Fuzzy Hash: A4F037749193449FC741DFB49451698FFB4AB46210F18C0EEDC489B353D6315D45D771

Function 064B6510 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25f2c596b72b1143f2b86d05ba8f7010bc5ceb3059c246c403c3f7f5152ad6f8
Instruction ID: b95be781b6fa39e828eaffb2878f89d353e1e2301078982cb7cb37919d3f8f1f
Opcode Fuzzy Hash: 25f2c596b72b1143f2b86d05ba8f7010bc5ceb3059c246c403c3f7f5152ad6f8
Instruction Fuzzy Hash: 8E01C974D01318CFEB55CFA8D5887EDBBB2BB08305F15645AD506B3280D7740A88CF65

Function 064B6B92 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db04a8329174741a4ced9dbd3528ded67926d441073d3afdb792813c58140cd6
Instruction ID: 629aa5032e633502ee6f72d65f2183848e7a413fe45214b680a467c07b1ddc0f
Opcode Fuzzy Hash: db04a8329174741a4ced9dbd3528ded67926d441073d3afdb792813c58140cd6
Instruction Fuzzy Hash: 5D01B670C01359DFEB55CFA4D5887EEBBB2AB08305F25345AE006B7280D7754A84CF65

Function 06620B28 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897527576.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6620000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62d10be9dca40465e1f1922991b666e9c420c5e7cf11dea8f6600da32384e889
Instruction ID: 0f2e5e99a1c48c9f5a4e1ea0d49800b16349bfbbb77ef5eed66d9ee91b643ba0
Opcode Fuzzy Hash: 62d10be9dca40465e1f1922991b666e9c420c5e7cf11dea8f6600da32384e889
Instruction Fuzzy Hash: 3FF0E534809608EFCB00CFA4D8404A8BFB8EB4B319F2080EAD8049B302CA325D02DB51

Function 065F20CF Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1c89a211ace14868746a9dcdf99ac9de7088ad5ddb8dc98c53323dd951e8ea9
Instruction ID: 8332a816fa5a2f40b8490820bdb0294310b947ba254a59ef9383fb2be66a6f7b
Opcode Fuzzy Hash: c1c89a211ace14868746a9dcdf99ac9de7088ad5ddb8dc98c53323dd951e8ea9
Instruction Fuzzy Hash: 9DE0927085E348AFC715DBB8D9115AE7F7DEF42304F10459AE40417142CBB25F84D7A2

Function 065F2C58 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05a54d63565f02dbf5bb72a997fcd335ee5f24a6761064f57f23ff857c58d841
Instruction ID: 43e64b79cb11bf32221866f294c091ab6f498a7a7fa0c4883ef036c3dd1f03b9
Opcode Fuzzy Hash: 05a54d63565f02dbf5bb72a997fcd335ee5f24a6761064f57f23ff857c58d841
Instruction Fuzzy Hash: A2F02230506389AFCB02DBB0AC51AAE7FFAEB46300F1044CBE8048B102D9310F50A7A0

Function 065F096A Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7fac8757518623013b9de1cc141efa2cf6d5897135fae3ee713799eb44f37b1
Instruction ID: 572d9baa124bd8bda6366a65908048b1ddcef9fdd5d1ba7e2b848a35798026f0
Opcode Fuzzy Hash: a7fac8757518623013b9de1cc141efa2cf6d5897135fae3ee713799eb44f37b1
Instruction Fuzzy Hash: E401E470A00204DFDB909F24E898BAD77B6FB44314F4440A4E609AB352DB745CC89F01

Function 069549F2 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897894293.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6950000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc6c317c5e7528ee0300971313d5fa436b8b230b9554460cf011d148fcf22a34
Instruction ID: 152c3029c2e57f99e777c711269625207432ba1376a4ce658a3921b33669f8dd
Opcode Fuzzy Hash: dc6c317c5e7528ee0300971313d5fa436b8b230b9554460cf011d148fcf22a34
Instruction Fuzzy Hash: DF011978B00214DFD754DF18D898EAAB7B6FB4A304F1040E5D94997794C730AD81CF42

Function 064B1EC8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9fce12808d26f7bae00eb1def11e0422ebdcf1d856370c0353fdf82ff19c773
Instruction ID: 7bb93b032d26a7f036667cb8c4247b132cbd67917a67acf6cab870483cf49423
Opcode Fuzzy Hash: a9fce12808d26f7bae00eb1def11e0422ebdcf1d856370c0353fdf82ff19c773
Instruction Fuzzy Hash: 87F06574909308AFD701DF64D8518EEBF75EB46300F1090AAEC045B392D731AE56D7E2

Function 064B0CF8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 662d3d2156b49e9521b04834a53dcd6fb3b0224581bc201090bef9c56a56c021
Instruction ID: 4d4b87515c71cffd2f7379156f12398a984df29e607c7b636a1522a219042849
Opcode Fuzzy Hash: 662d3d2156b49e9521b04834a53dcd6fb3b0224581bc201090bef9c56a56c021
Instruction Fuzzy Hash: B8F0E534809208AFD705CB64D8408E9BF79EB86311F1490DEE84057382CA325E46D7A1

Function 064B7DB1 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fb0cf633453f4362e76da8f5f5b255586129bbe074720e909512b0ada63bd3f
Instruction ID: 20b934c2b3d1010f2c0b188b923b7459a0c659b7b3c8b116228a7130ecada7cc
Opcode Fuzzy Hash: 2fb0cf633453f4362e76da8f5f5b255586129bbe074720e909512b0ada63bd3f
Instruction Fuzzy Hash: A3F05838809248AFCB41DFA4D4505FCBFB4EB8A300F24C1ABEC4457352D6318E56EBA1

Function 064B5220 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e5e3a8ec90e5a608d8ae9de98b36960ef23d74f38e57e82f5c682b798fa0af0
Instruction ID: 674a5559bdcdb096fac3a8e1c0f503b8b8fa79ab2c850e154d1a4313f01436b9
Opcode Fuzzy Hash: 8e5e3a8ec90e5a608d8ae9de98b36960ef23d74f38e57e82f5c682b798fa0af0
Instruction Fuzzy Hash: 0CF0F874D05248AFCB84DFA9D840AEDBBF8AB49310F14C09AA858D3341D6359A51DF60

Function 0662019F Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897527576.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6620000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2405ffa28fa3acd8f24420cc657aac58a3a3d5684a118900c42f75ec1d104961
Instruction ID: 247d92aa49ccdc42672c9ba6ca24fa5267dcfab6045c79d9c4e1a5b2a854269a
Opcode Fuzzy Hash: 2405ffa28fa3acd8f24420cc657aac58a3a3d5684a118900c42f75ec1d104961
Instruction Fuzzy Hash: EFF05E34909208EFC701DFA8D8549ACBFF4AF89304F14C0EAE84457392C6319A55DF52

Function 065F5440 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 416a476fd11f2770981b742a47a3a72cd2b9a390e6e7bc6bed56dcf87c40f43b
Instruction ID: d065726e02b488f84b399e88d2af08b17197eb2e393d83de427750e910e768d1
Opcode Fuzzy Hash: 416a476fd11f2770981b742a47a3a72cd2b9a390e6e7bc6bed56dcf87c40f43b
Instruction Fuzzy Hash: DFF03931A04718ABCB09CBA9E05C6DDBFF6AB84222F148099D14993290EB705A89CB84

Function 065F01E0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8936fa96f1e71eca36d5bf870e1fd9a0585390938e0fb4ed4239d3451c150633
Instruction ID: 5df459fc43f3e0bdff731f8b7b6de3786d189c3634cb41448e389c63d72b9b42
Opcode Fuzzy Hash: 8936fa96f1e71eca36d5bf870e1fd9a0585390938e0fb4ed4239d3451c150633
Instruction Fuzzy Hash: 27F04970A10208CFCB54DF68E4A87EDBBB6FB44314F4444A5D606A7381CB701D84DF40

Function 065F2808 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9db022e627075d0c3eef35b36f68b95bab597bd0fea40b8df3e243f7ee469bbb
Instruction ID: cd1edc53f9fce4769bac3296816104d91eeeb3cb778631e5042e5d37247c338b
Opcode Fuzzy Hash: 9db022e627075d0c3eef35b36f68b95bab597bd0fea40b8df3e243f7ee469bbb
Instruction Fuzzy Hash: ACE09230A0934DAFCB01DBE4E9105EE7BF9EB46244F1041DAE809D7202D5365F14A7A1

Function 064B0B50 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 773b17eaeacb7d11f03d686b7a8a857f7510943f8a3044e38bf4a93e20f48b51
Instruction ID: bb683d06771276daba80cfd1c7018392f5bf412310a3c61efeb358f79ca8088d
Opcode Fuzzy Hash: 773b17eaeacb7d11f03d686b7a8a857f7510943f8a3044e38bf4a93e20f48b51
Instruction Fuzzy Hash: C4E0927490D244AFC742CFA0D4905A97FB5AB47305F15A0DAD8455B352C6324E06DBA1

Function 065FC3F0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e856040d0a3f4fc801bd26c5fb55f01408cacb2178bd2bfbc562999b9fa73937
Instruction ID: ad6da823d72dd7c443887e94aa6717215a988d2489cfc55c593faa5a64f8f496
Opcode Fuzzy Hash: e856040d0a3f4fc801bd26c5fb55f01408cacb2178bd2bfbc562999b9fa73937
Instruction Fuzzy Hash: 2AE012712003155BC7109A1AEC9885FFBAAEFD0366710C939A10E87219DE70AD4A87A0

Function 064B354A Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87a3da13f9dd43c3b4558e15c6141c8ac856704f681797eff92b4c4ec7d9f87f
Instruction ID: 9fc65f33c098c3b08716c84d67ebe7e912caa012121a48edc67da624ae278fc0
Opcode Fuzzy Hash: 87a3da13f9dd43c3b4558e15c6141c8ac856704f681797eff92b4c4ec7d9f87f
Instruction Fuzzy Hash: 5EF0AF74D04208CFDF90CFA4D884AEEBBB5BB09311F20646AD809B7240CB749A81CF25

Function 06620200 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897527576.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6620000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2da82b02bbac6070c67d106d6ff72f54d2b89c9a532e15f5ff8770d657144d66
Instruction ID: a4ca7e8a082ab9dfeb94bbac0536553e7828564f06d141289e666465ed17c61a
Opcode Fuzzy Hash: 2da82b02bbac6070c67d106d6ff72f54d2b89c9a532e15f5ff8770d657144d66
Instruction Fuzzy Hash: 8CF0157490520CEFCB40CF98D840AACBBB5EB48310F10C0AAEC0857352C7329A62EF90

Function 065F7428 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d1f026651a782160adfc1fc872924ac3916475d995981dbb391556690cc7483
Instruction ID: b64bdf894b97807d7a0d47be78ebf6837232bbc1de57a713cee11e1c39afd17c
Opcode Fuzzy Hash: 7d1f026651a782160adfc1fc872924ac3916475d995981dbb391556690cc7483
Instruction Fuzzy Hash: BFE0CD307203185BDBE067B45C05F5276D5BB8D726F114865DB059F381DD72E841C7A9

Function 06964EF0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897894293.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6950000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2568ce11976b15f71033e5f4a1100e996496c92c527ef7c5956b12011b21aeb6
Instruction ID: 3bf019a45150ee911e2482f91e97b19ee54dc530d1b25766230cad178125ee85
Opcode Fuzzy Hash: 2568ce11976b15f71033e5f4a1100e996496c92c527ef7c5956b12011b21aeb6
Instruction Fuzzy Hash: E5E0C974D05208EFCB84DFA9D541AACBBF5EB49710F10C0AAA818A3341D6319E51EF90

Function 069557D7 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897894293.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6950000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65951ad95c1e3edc622b743eb75100674ef9df4c27f8c0bcc2c75d8aade7bd3d
Instruction ID: 2966ff8a4b22e0e48afc38ff871312712ece1ab439f61df7951e48cd9535c0d5
Opcode Fuzzy Hash: 65951ad95c1e3edc622b743eb75100674ef9df4c27f8c0bcc2c75d8aade7bd3d
Instruction Fuzzy Hash: 42F03A78A00219DFD765DF54D898AAAB7BAFB88300F1041E49909A7344CB30AD80CF91

Function 0696A488 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897894293.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6950000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2568ce11976b15f71033e5f4a1100e996496c92c527ef7c5956b12011b21aeb6
Instruction ID: 858b85793ef922530a1e92dc228dc3da079923d89961e55f4a8983c31cca893d
Opcode Fuzzy Hash: 2568ce11976b15f71033e5f4a1100e996496c92c527ef7c5956b12011b21aeb6
Instruction Fuzzy Hash: EBE0E574D05208EFC744DFA9D44559CFBF4EB48310F10C0AAAC08A3345D6715E51DF40

Function 0696BCA8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897894293.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6950000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2568ce11976b15f71033e5f4a1100e996496c92c527ef7c5956b12011b21aeb6
Instruction ID: 1bbc9d65dd8cbf05313b733064463a93cd54b24378a5dbe2291cc4213dc91827
Opcode Fuzzy Hash: 2568ce11976b15f71033e5f4a1100e996496c92c527ef7c5956b12011b21aeb6
Instruction Fuzzy Hash: FFE0C974D05208EFCB84DFA9D545AACBBF4EB58310F10C1AAA80993345EB359A51DF80

Function 069690E8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897894293.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6950000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2568ce11976b15f71033e5f4a1100e996496c92c527ef7c5956b12011b21aeb6
Instruction ID: 861b3b39c5f3a82466ef08a49197d0b5bbfd2541a94883ab903304d17cb81205
Opcode Fuzzy Hash: 2568ce11976b15f71033e5f4a1100e996496c92c527ef7c5956b12011b21aeb6
Instruction Fuzzy Hash: E4E0ED74D05208EFCB84DFA9D445AACFBF8EB49310F20C0AAAC0893341DA329E51DF80

Function 06621490 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897527576.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6620000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a00056ab2c2c59c23ae766cf8220c46b0197ed1d1e4a8bbe1b356d57bc2f5669
Instruction ID: f9e3229216ae7494c0dab4a3b103a00132e95c2a0f6ce612c374dbee82d9a95b
Opcode Fuzzy Hash: a00056ab2c2c59c23ae766cf8220c46b0197ed1d1e4a8bbe1b356d57bc2f5669
Instruction Fuzzy Hash: FCE0263080EA268FC3A5CB30D9106B8BF795B03328B5001AFD9084B391CA324E01CF15

Function 065F16E0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26abde2046ba3a149514a793e648520bea880682b9b5a66fd1a47d7fe30b4be4
Instruction ID: 178cb1ad17af307ff486a5df805d732bd99524f1131a7365c60343fcf3a9603f
Opcode Fuzzy Hash: 26abde2046ba3a149514a793e648520bea880682b9b5a66fd1a47d7fe30b4be4
Instruction Fuzzy Hash: 3EE0E574E15208EFCB94DFA8D4416ACBBF4FB48300F14C0AAE81893341E631AA41DF80

Function 065F21E8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26abde2046ba3a149514a793e648520bea880682b9b5a66fd1a47d7fe30b4be4
Instruction ID: 10a15fe8d673ba6cfd86a52cf2350ddb519ae7faba70988826acf16e701ebdcc
Opcode Fuzzy Hash: 26abde2046ba3a149514a793e648520bea880682b9b5a66fd1a47d7fe30b4be4
Instruction Fuzzy Hash: 31E0E574E15208EFCB84DFE8D8416ACBBF4EB49300F10C0AAD81997341D632AA42DF81

Function 0696D7F0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897894293.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6950000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb5c25d2263844c65752bdeeed62676e4bec51f19574532b054f6b8000fd3eb
Instruction ID: 2a018bc8c528c600cb9376184315c0fe66deb949a2b06411f28acc781b453afd
Opcode Fuzzy Hash: 8bb5c25d2263844c65752bdeeed62676e4bec51f19574532b054f6b8000fd3eb
Instruction Fuzzy Hash: 67E04870E1A209EFD744DFB8D44979D7BF8AB45311F105079A809D3750DA302D48D791

Function 06968DC8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897894293.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6950000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244f48095a3dbc341f16960c547cb154977442a8b0d71ce86d816d650c495c8a
Instruction ID: 1b023dfe8291d863ce0cfa26c57996deb51c40178728a2aecb63aaea2e1f2e1a
Opcode Fuzzy Hash: 244f48095a3dbc341f16960c547cb154977442a8b0d71ce86d816d650c495c8a
Instruction Fuzzy Hash: B4E01274D05208EFC784DFA9D5556ACFBF4EB49300F10C0AAE80893741D6315E41DF50

Function 064BC15D Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1df3fe1b3312ab512b9e9f30289d378154e8ba155b9899a1b9ba22e2c6b598b
Instruction ID: e4bda7920d0cf2dc65047c1d4b5a65e45a57e7bca871a59021aa1cbfce523ac3
Opcode Fuzzy Hash: c1df3fe1b3312ab512b9e9f30289d378154e8ba155b9899a1b9ba22e2c6b598b
Instruction Fuzzy Hash: 0EF0B7B0906228CFEBA5CE24C994BE97BB5BB44209F0019D5D50E66284D7705E81CF65

Function 0696EA48 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897894293.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6950000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c1a60a6fe6c9cbd3fdc78b7ef1f7c4eede65526daa3f4f56eea62c2cca74cfb
Instruction ID: 643a930b0c0848754c85b0fd72e83778d3d8fd0471e4464f8c27a5eb6ab8803c
Opcode Fuzzy Hash: 4c1a60a6fe6c9cbd3fdc78b7ef1f7c4eede65526daa3f4f56eea62c2cca74cfb
Instruction Fuzzy Hash: 39E04F78909208ABC744DFA5D5419ADBFB8AB4A310F20C099A84457341DA319E41DBA0

Function 0696F318 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897894293.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6950000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 808182995ea78cf1bc24fb54309368c7c4812d795cf304f9236ab50cf2149343
Instruction ID: 2376250a6d5f49a60dd4f69a7f85cfb73c65ff42854517ccc13f043fcbc8d8cc
Opcode Fuzzy Hash: 808182995ea78cf1bc24fb54309368c7c4812d795cf304f9236ab50cf2149343
Instruction Fuzzy Hash: 6AE01A35905209EFCB80DFA9D444DACBBB9AB09311F208099F84417321D6319E55EB91

Function 064B1E80 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6ee472188b02f2c93f63a1b021025ae12b4e9ec2cc5b85e31d30ca86a390463
Instruction ID: d475ee9eb26842d7b43948f35e57cf63a6dbfbcada7949a6b2eec6547283fafb
Opcode Fuzzy Hash: d6ee472188b02f2c93f63a1b021025ae12b4e9ec2cc5b85e31d30ca86a390463
Instruction Fuzzy Hash: C6E092B191B2499ED751EFB08414BCE7BB5AF45301F4100DEE4055B152DB710B54D751

Function 064B7DC0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa03c41d8fed9ab75ab0f7857042a2d76a18c71a732be8d8729d86d9a391a1b7
Instruction ID: bade1c9cdb8823f07195580bf39ab07b2c6a91b1e0fdce2afe9d828d9ba135c2
Opcode Fuzzy Hash: aa03c41d8fed9ab75ab0f7857042a2d76a18c71a732be8d8729d86d9a391a1b7
Instruction Fuzzy Hash: E0E0E574D09208AFCB44DFA8D4419ACBBB8AB89310F10C0AAAC4467351D6319A52EB90

Function 066201B0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897527576.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6620000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e809856b447f33a60eb2942cfa9d5666df4f214ca2732249e97d250c3273f4f9
Instruction ID: 06722e5bdf814b2c6c41cbf326667ef9aa2a4868d0fc28c1b0ec44c0f6dc23db
Opcode Fuzzy Hash: e809856b447f33a60eb2942cfa9d5666df4f214ca2732249e97d250c3273f4f9
Instruction Fuzzy Hash: 44E01A74D05208EFCB44DF98D445AACFBB4EB48314F10C0AAEC0857381D631AE92DF81

Function 065F00A5 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f74f98a10643c1eaab824e4849f4de65665a56505a21c9aed0b8f911ea509f36
Instruction ID: 895edadc622dced37ad78ba7f5cf794f82a8f1ffb082e963b32f1750d462d28c
Opcode Fuzzy Hash: f74f98a10643c1eaab824e4849f4de65665a56505a21c9aed0b8f911ea509f36
Instruction Fuzzy Hash: F1F0307491020DCFEB54DF14E8A8BED7BB2FB48310F504995D60AA7340C7B05D849F51

Function 065F0121 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdbe9e32c7ea468b822f472f143e607dd7d86df5cca15a6061a464b45231134c
Instruction ID: 4b73a5e5f2da658468feee1a98d40b915e2db9de0d5a8faecb1868299e923b2d
Opcode Fuzzy Hash: bdbe9e32c7ea468b822f472f143e607dd7d86df5cca15a6061a464b45231134c
Instruction Fuzzy Hash: C6F01C74A10208DFDB849F54E4A47ED7BB6FB45320F900595D606A7341CB305D84CF52

Function 065F0C98 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f35765cf2f2e4842c534f7a30032c79c950ee14c9fe424dd517e3b8a386b9883
Instruction ID: 92ef653c9a386b4dd03c56eb9304bcd04a3f1d1423a50063be0f128a632372e2
Opcode Fuzzy Hash: f35765cf2f2e4842c534f7a30032c79c950ee14c9fe424dd517e3b8a386b9883
Instruction Fuzzy Hash: A7E08670D15208EFC780EFA8C4516ACFBF4EB08304F2480AD9C08D3341E6319E41CB91

Function 06967970 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897894293.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6950000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 951aecb0d62a3d9cb7208bc6441d6cd62b2c9a1426f7b9b49ca0176e8722b7d7
Instruction ID: fd8ad0408df206aa009080d9b42e224d334c0d0c4c82dc25c3481c4f19e380b9
Opcode Fuzzy Hash: 951aecb0d62a3d9cb7208bc6441d6cd62b2c9a1426f7b9b49ca0176e8722b7d7
Instruction Fuzzy Hash: 0AE01A34D05208AFC744DFE9D4416ACFBF8EB49308F2084AAA85857341D6315E41DB80

Function 064B8E5B Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15251036339d2259628c50f2e01d61110ce4690fd536a50c825d6081c100eb8b
Instruction ID: aa65a1c0bb6eb2d60503ac1d6bd7fb6a6f577eccdbe65f7271840e29ad08310d
Opcode Fuzzy Hash: 15251036339d2259628c50f2e01d61110ce4690fd536a50c825d6081c100eb8b
Instruction Fuzzy Hash: ACF098B4E01208DFDB54CF58E944B9DB7BAFB4A304F505596D904A3251C7755D81CF11

Function 065FDDD8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29e8424956e95935e9273bbf11e08b48774ca189e190e6811f36a70f6443b307
Instruction ID: c92595c6bf6848719f6df5ea67d8a5eba32c0e0617de884f46d2630a9a265827
Opcode Fuzzy Hash: 29e8424956e95935e9273bbf11e08b48774ca189e190e6811f36a70f6443b307
Instruction Fuzzy Hash: 9DD0223231022C0B4740A2EDB4000AABBDDDFC91A1B188173EB0DC3300EE32CC0287E8

Function 0696CB50 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897894293.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6950000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10d3049d9d30c49a10b655d18ca5ce51081414d37ba43c2c2ca407a89a13ffbd
Instruction ID: a484b227aad806e4631f0f932e1088f8fa846cc2d3145be46e0ddf9fbea5ebcf
Opcode Fuzzy Hash: 10d3049d9d30c49a10b655d18ca5ce51081414d37ba43c2c2ca407a89a13ffbd
Instruction Fuzzy Hash: DCE0EC34909208EBCB44DBA5E5419ACBBB8AB45714F209199B84917341DA31AE42DB95

Function 064B1E90 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4247a7fd4726dfc466b49f17da1b8f4041bf302ec25ed5029128c4b148786727
Instruction ID: f790281917748f945a94e29e3d9884e1b3c1414c9649375e6f69ca7a78dacda9
Opcode Fuzzy Hash: 4247a7fd4726dfc466b49f17da1b8f4041bf302ec25ed5029128c4b148786727
Instruction Fuzzy Hash: A4E0C27081220CABCB40EFF4C40069E7BF9EB45300F5000A7E80897110EF315E00E7A1

Function 064BFF10 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1de38db5dc585d838442444c388d91f9e999daed9720dae2e418d8ba3e679a76
Instruction ID: 476eca88c23dbf556fff06c941de85c064f961ef87ffc06056c6273a23ccb2e2
Opcode Fuzzy Hash: 1de38db5dc585d838442444c388d91f9e999daed9720dae2e418d8ba3e679a76
Instruction Fuzzy Hash: 96E0EC70D16208EFCB80DFB8D9456EDBFB9AB09311F1051AAAC08D3341E6705A94DB61

Function 064B2C50 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0942ca284dd9d607d167673d4c08f3338db55e37c6558f55100e3ddc6c2035d
Instruction ID: 0b4990a4019ed0143fe9aa7565bf140bf690c8ec331ba4331aab4b22f7d9a73e
Opcode Fuzzy Hash: c0942ca284dd9d607d167673d4c08f3338db55e37c6558f55100e3ddc6c2035d
Instruction Fuzzy Hash: C6F07978E00208CFDF90DFA4D884AEDBBB5BB49311F20A56AD809A7240DB305981CF24

Function 064B0B60 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e27a15104117c05cb72ccd3f084fa4953db993d0f09499070e31b18f37ebdde
Instruction ID: a1b7ae180ae89a53c6af4de653da12f7f165641283b06b11fb0e26eefd7e40cf
Opcode Fuzzy Hash: 0e27a15104117c05cb72ccd3f084fa4953db993d0f09499070e31b18f37ebdde
Instruction Fuzzy Hash: 23E01234909108EBC744DFE4D541AADBBB8EB85315F2091DEDC0817351DA316E42DB91

Function 06620B38 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897527576.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6620000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 849755a49a6637b81248962d55adb39ac5acfe5131ff0e733fab7df0c2dbd9f7
Instruction ID: 9a65f2e9ee0216afaba71da5fe6ccdcc516509abf83226b8bb7d94f1bc28330f
Opcode Fuzzy Hash: 849755a49a6637b81248962d55adb39ac5acfe5131ff0e733fab7df0c2dbd9f7
Instruction Fuzzy Hash: 4BE01238D09108EBCB54DFA4D5919ACBFB8EB46315F2091EDDC0817341DA326E52DB91

Function 065F0256 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65d8765d5d6265bc469204c482cb0efaa7360d532cfc7d5292fa2611126ca374
Instruction ID: eccb93fc1504203bdaac09cb52c31d5f39a13498680ab48e7b772a036e588797
Opcode Fuzzy Hash: 65d8765d5d6265bc469204c482cb0efaa7360d532cfc7d5292fa2611126ca374
Instruction Fuzzy Hash: 05E0ED70910244DFEB40DFA4E0987AD7BBBFB04314F545465D601A7385C7B45C888B01

Function 065F20E0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab0159b3d78b426584ac0c3647d995c74237de8ede682d421c0a0c2218f1c328
Instruction ID: 1dc783559770e418e66d161168c1bb6cacfd4f0ce194fb7cdb2229537671db8c
Opcode Fuzzy Hash: ab0159b3d78b426584ac0c3647d995c74237de8ede682d421c0a0c2218f1c328
Instruction Fuzzy Hash: D1D0127085A208DBC704DBF8D4515AC7B78EB45301F5045A9D80517251D7B15F85EB91

Function 065FDE62 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18180ba8c546d79aff520038b5242b0f97bd883c7471685e78220a0dac0fef3f
Instruction ID: 7f0ec0c4cff0b18de41b0da2bbe5ed3d8a5471db07362d57d2fa8545dfeef79b
Opcode Fuzzy Hash: 18180ba8c546d79aff520038b5242b0f97bd883c7471685e78220a0dac0fef3f
Instruction Fuzzy Hash: 8ED0A730706B725F8751C23DBD1599777D69F88209304462DF109C3304EE20DC0147D0

Function 065F2C68 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7469d4882dc0a117089c24fab7b92d351376a6bf069a4704c236e1b2f6f63f94
Instruction ID: fcd012512ba1817c0f5c7e5746a3f2156f69f0514082c42de011fd8ce6f8d5dc
Opcode Fuzzy Hash: 7469d4882dc0a117089c24fab7b92d351376a6bf069a4704c236e1b2f6f63f94
Instruction Fuzzy Hash: 12E01270A01309EFCB44EFB5E9557AEB7FAEB84301F508599D9099B240D9315F10AB80

Function 0696F168 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897894293.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6950000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cc6fa75bb27e2360e4d3adf238a4d4792eb0e6847059e0504ff2594836806c4
Instruction ID: 85873bacf7f7a8f9a8c1fb88ccc426336813685c6655ab99fd2db5dd6d2c2c1a
Opcode Fuzzy Hash: 0cc6fa75bb27e2360e4d3adf238a4d4792eb0e6847059e0504ff2594836806c4
Instruction Fuzzy Hash: D3D05B70C06208FBC704DFA5E6455ADBF7DEB4E301F505199F80523640DB701E91D795

Function 064B8EFD Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47596231f4ec38cf7f8b2d5e56b824db1cfe2024a3dc8ae0ad211763ba3983b5
Instruction ID: 5de0417048b6cef2965a7f4af0a2c97074a46e387f0c1fd864f9d352727f99aa
Opcode Fuzzy Hash: 47596231f4ec38cf7f8b2d5e56b824db1cfe2024a3dc8ae0ad211763ba3983b5
Instruction Fuzzy Hash: 8CF0A5B4D05218DFEB54CF58E984BDCBBB6FB09300F50559AE618A3291C7705980CF11

Function 065F2818 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dda52d0d1552a5c3105e6b899fee41e4bde5dca81a0388955f6def37822cbbe
Instruction ID: 9eea5c1db33040a7a229db50da572970f7dee253311aaae68a935dc9953e2945
Opcode Fuzzy Hash: 1dda52d0d1552a5c3105e6b899fee41e4bde5dca81a0388955f6def37822cbbe
Instruction Fuzzy Hash: CAE0EC70A00209AFCB40EBA4E51569DB7EAFB44301F104599D80997300E9715E14AB91

Function 066210F8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897527576.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6620000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c4e9591d2b76282e3150f16e8553339732414b7f0a0d9abe3a154135a34ae98
Instruction ID: b84e00939f8352fdbb6e108f06442d60ddd33f59fbc296e9ae8a218965fe5365
Opcode Fuzzy Hash: 3c4e9591d2b76282e3150f16e8553339732414b7f0a0d9abe3a154135a34ae98
Instruction Fuzzy Hash: BFD0A73090D108EFC744CB94D845A79F7BCDB57314F10909DAC0857341DA33AD52DB90

Function 065F07F7 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bc71aa57dd296a93d8eba719a3f79747f0d2669e972b6c763cb375da29688df
Instruction ID: e293d890a1c3f0fa84fdfd1dbccbba0092234f952e6f916a00e8227a1d24b5c0
Opcode Fuzzy Hash: 7bc71aa57dd296a93d8eba719a3f79747f0d2669e972b6c763cb375da29688df
Instruction Fuzzy Hash: 17E0E534A00214EFD7D49F20E9947AE7ABAFB88310F104099950EA7260CB301D89CF42

Function 065F03F8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f518761ee194b57465c1923bedb7aa1b2ffb0921bbe4c3a2a5cb1674b4829895
Instruction ID: 1aae125d39013d389e50dc95c5eee7336eb5521b2be1cdee74a4077cfbd71626
Opcode Fuzzy Hash: f518761ee194b57465c1923bedb7aa1b2ffb0921bbe4c3a2a5cb1674b4829895
Instruction Fuzzy Hash: 7CE01A30A01218CFD794DF60E8A8BAD77BAFB88310F108499850BB7380CB311E899F11

Function 065F03A2 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c6c10bcde962937de592f62180291443da2f8c4e9b45513317b0a890b785618
Instruction ID: 69ff5ea738b8d3f712e760f6606e34022cda3d8d9d6ad0376dcb0cfcb1ddde54
Opcode Fuzzy Hash: 3c6c10bcde962937de592f62180291443da2f8c4e9b45513317b0a890b785618
Instruction Fuzzy Hash: 3FE0E538A052199FC794EF24D65839DB6B6FB99300F0040998A8AAB340CB701D488F41

Function 065F084D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94eca414091987ba4cab6bfc8206b0d4c51be0b238254cefeadcfed140439904
Instruction ID: a4325bcb8e863291d3024e21e143c05826662181e2521e1e38f4de8bb599b7b8
Opcode Fuzzy Hash: 94eca414091987ba4cab6bfc8206b0d4c51be0b238254cefeadcfed140439904
Instruction Fuzzy Hash: A6E0E534A10216CFD7989F60E8A87AD77B6FB85300F00809A850EA7250CB302E88DF51

Function 065F08A3 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e5897270c51d7e3354e8e0bfae71c2bbc74d0630116fb90f6fe3e2fb1a89657
Instruction ID: 75e6278133c2cb7b2eef190f75a15c8ce02d3d17db2599d155aab996dbe4853c
Opcode Fuzzy Hash: 6e5897270c51d7e3354e8e0bfae71c2bbc74d0630116fb90f6fe3e2fb1a89657
Instruction Fuzzy Hash: ECE04F74A00219DFD7A4DF60E868BED7BB3FB88301F104199D50AAB380CB301D488F62

Function 066214A0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897527576.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6620000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f44006239de6a5e10e1612f1f65bd45ad4688862e953712b04627c712bc2d948
Instruction ID: 47c693b81c9090f92f979a82124b81dfe7261a5402e7a145f8239764b4491a2f
Opcode Fuzzy Hash: f44006239de6a5e10e1612f1f65bd45ad4688862e953712b04627c712bc2d948
Instruction Fuzzy Hash: 4ED0A93080A219EBC394DAB4D400AACBB7C9B03318F9001ACA9081A311DA765E40DBA0

Function 065F074B Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fc0092b0596649594d5fed33780e50a9a2b835a03b766a18a35f489b21f96be
Instruction ID: e4c6105281d50e73d5f73ef86efeb6aeb2a2a387849c3d53d1bc87bcf5b9f266
Opcode Fuzzy Hash: 8fc0092b0596649594d5fed33780e50a9a2b835a03b766a18a35f489b21f96be
Instruction Fuzzy Hash: 93E07574D5522BDFEB64DF24D859BADBBB4FB05310F0000E9A91EA2651EB701A84DF80

Function 064B8F47 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e235bb6f03194435f57e6e06911ed43b1b5cfb805f83a3f4507adb34676631b5
Instruction ID: 9ee0c6a0825d3ebc2de0ff5ce282faf9d9e5c442a3fdfbb18b877df51c3559e0
Opcode Fuzzy Hash: e235bb6f03194435f57e6e06911ed43b1b5cfb805f83a3f4507adb34676631b5
Instruction Fuzzy Hash: 3BD01734E0021CDFDF24CBA5E8487DDB7B1EF89319F0040AAD129A3540C7300985CF91

Function 065F00F8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97fafb4d26f44ade485fc4e8250c99ca8b7ca991e22411770bf03cfce898574a
Instruction ID: 37f6df6dbde7619ab39126841872130fa62f0423ff492ce6a3a79ba9c4d04e60
Opcode Fuzzy Hash: 97fafb4d26f44ade485fc4e8250c99ca8b7ca991e22411770bf03cfce898574a
Instruction Fuzzy Hash: 54E01774914144DFEB80EF68E4A82AD7BBAFB48315F549829EA01A6782C7B45C488F51

Function 065FFD18 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7078f9116225f5b5531e0d3ad9c684a6e0d3d1670a08c6f3e64d5c1825d6a0a5
Instruction ID: 8a89413a793acd24dc152e7477bb07cacf2a5ceb429ab2fa29ebe888d387f471
Opcode Fuzzy Hash: 7078f9116225f5b5531e0d3ad9c684a6e0d3d1670a08c6f3e64d5c1825d6a0a5
Instruction Fuzzy Hash: 78D05E312566854FE3118730E954CD33B649B0223072542C3E2558B1F3C22059548760

Function 0696CFA8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897894293.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6950000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f23c36260387a90b3a73dd2cca800db27b733363df93bca49cb6a39a610b2a31
Instruction ID: 050070a81a3a082a547b60d847c29841d55714b3ecdfae3897fb02e6b99ad3cf
Opcode Fuzzy Hash: f23c36260387a90b3a73dd2cca800db27b733363df93bca49cb6a39a610b2a31
Instruction Fuzzy Hash: EFC02B3005B304C6D3402266644C371FFBC870F301F903C067D0C01C218FB05840E150

Function 064B98C1 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea94a845cbbfe20a79d88f58c8710c564f6314d99f304bd804ea24836dbbede4
Instruction ID: cd16a8c2b4f798a832510fa7ed3fa3daacc73b55fc37468a04e267fb2050aeff
Opcode Fuzzy Hash: ea94a845cbbfe20a79d88f58c8710c564f6314d99f304bd804ea24836dbbede4
Instruction Fuzzy Hash: 0DC0027AE5005A9A8B04DAD9E4508DCB774EB94321B004026D214A6104D63055668B50

Function 065FFD28 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction ID: a5ced1602b898661de329531365079a034e3d75a808f59c5ffcbefa728424f66
Opcode Fuzzy Hash: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction Fuzzy Hash: 58C0927A140208EFC700DF69E848C85BBB8EF1977171180A1FA088B332C732EC60DA94

Function 065FDE4E Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d98143b0f8311f71c9e338337b1b05d6d5a5391060f1bddd84d988357c155ae
Instruction ID: 8cbff9ec198e51fc719cf5ae74357617492c411a9a93e4e07606ab8e89e794a1
Opcode Fuzzy Hash: 7d98143b0f8311f71c9e338337b1b05d6d5a5391060f1bddd84d988357c155ae
Instruction Fuzzy Hash:

Non-executed Functions

Function 065C2EAE Relevance: 5.2, Strings: 4, Instructions: 191COMMON

Download Yara Rule

Strings

(_dq, xrefs: 065C355D
(_dq, xrefs: 065C35A3
(_dq, xrefs: 065C35D9
(_dq, xrefs: 065C3553

Memory Dump Source

Source File: 00000000.00000002.1897242323.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65c0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: (_dq$(_dq$(_dq$(_dq
API String ID: 0-2092114380
Opcode ID: 070c6cf8b1b615e178983bebe621699831ded6ffeb84bd5739f39a3e87ff5823
Instruction ID: c31273b0dbdbc66a084b53270bd426e7b4e4c8e8a496719842bfd9f23e5ee5ee
Opcode Fuzzy Hash: 070c6cf8b1b615e178983bebe621699831ded6ffeb84bd5739f39a3e87ff5823
Instruction Fuzzy Hash: 1161A074A003089FC754AF78C4648AFBBF6FF8A314B51846DD9469B3A2DA31DC45CB91

Function 065F6B48 Relevance: 2.8, Strings: 2, Instructions: 333COMMON

Download Yara Rule

Strings

(hq, xrefs: 065F6EEC
,hq, xrefs: 065F6C3E

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: (hq$,hq
API String ID: 0-261841339
Opcode ID: 9c16b2a05ceabaf235c3ddf6009084696f30347ef1ecf4954aea371fbc3992d5
Instruction ID: e3a2e01e85acf08e593b2f678d2489b113aee3e1f6d38d876186a8c326e2ef8d
Opcode Fuzzy Hash: 9c16b2a05ceabaf235c3ddf6009084696f30347ef1ecf4954aea371fbc3992d5
Instruction Fuzzy Hash: 85D12935A10205CFCB94DF68C984AAAB7F2FF88311F658499E6159B365CB31EC81CF90

Function 06950040 Relevance: 2.6, Strings: 2, Instructions: 83COMMON

Download Yara Rule

Strings

<, xrefs: 069500F6
6, xrefs: 06961384

Memory Dump Source

Source File: 00000000.00000002.1897894293.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6950000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: 6$<
API String ID: 0-18930961
Opcode ID: ae423c831f1e1bfe33bc258b8300080ebe024fa870e83d11fec53f2526ba3cd8
Instruction ID: c62fae2357adc6fffa01a2d2c0e3f5aef44788eae263baa2d5a5bac2dfb4b505
Opcode Fuzzy Hash: ae423c831f1e1bfe33bc258b8300080ebe024fa870e83d11fec53f2526ba3cd8
Instruction Fuzzy Hash: 9B31F770D05629DFEB68CF66C95479EBAF6BF89300F10C1EAD80DA6654EB300A81CF51

Function 064B2B30 Relevance: 2.6, Strings: 2, Instructions: 79COMMON

Download Yara Rule

Strings

v, xrefs: 064B3D40
L, xrefs: 064B2BFF

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: L$v
API String ID: 0-3461322777
Opcode ID: 306bf1f91017c797bcef2ce0c5ec11569b4db34e8c09f9d51cfd6d10cdae19a6
Instruction ID: 2b93296b36fa16cb08e48b70164be98ed4f3febc8ca6d9d8b1bd1998d8779db1
Opcode Fuzzy Hash: 306bf1f91017c797bcef2ce0c5ec11569b4db34e8c09f9d51cfd6d10cdae19a6
Instruction Fuzzy Hash: EB317AB1E056198BEB58DF6BC94469EFBF7BFC9300F14D1BA840CAA254DB704A818F51

Function 065C5258 Relevance: 1.9, Strings: 1, Instructions: 608COMMON

Download Yara Rule

Strings

(hq, xrefs: 065C5328

Memory Dump Source

Source File: 00000000.00000002.1897242323.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65c0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: (hq
API String ID: 0-4060669308
Opcode ID: 965868080f7dcbcce150061adc385ab72300850251f0e3bf10ab820fc61cc133
Instruction ID: dbc201a7c46eeca99dc582367c22eed60e639b9af9dd641f4b8afda8567f22a9
Opcode Fuzzy Hash: 965868080f7dcbcce150061adc385ab72300850251f0e3bf10ab820fc61cc133
Instruction Fuzzy Hash: 78326870A007168FCB88DFA9C49466EFBF2FF88310F64856DD55A97391EB34A911CB81

Function 065F22F9 Relevance: 1.5, Strings: 1, Instructions: 240COMMON

Download Yara Rule

Strings

Tedq, xrefs: 065F2653

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: Tedq
API String ID: 0-228892971
Opcode ID: c1336fa1c4a39e0eb918925c5019f62b89479636193ec8f7885a120eaab462de
Instruction ID: 285b58c17381aacc9acbc538596ba987079299bec6878d72a5b36eefddf9df84
Opcode Fuzzy Hash: c1336fa1c4a39e0eb918925c5019f62b89479636193ec8f7885a120eaab462de
Instruction Fuzzy Hash: 14A1E3B4E11218CFEB54CFA9D884BADBBF2FB89300F1094A9D509EB254DB705A85CF41

Function 065C7EE8 Relevance: 1.4, Strings: 1, Instructions: 187COMMON

Download Yara Rule

Strings

dhq, xrefs: 065C80B1

Memory Dump Source

Source File: 00000000.00000002.1897242323.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65c0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: dhq
API String ID: 0-2324836203
Opcode ID: 886388a8454b5ef274621c042b992ecb7ba6bec0162600470c7bd01026969307
Instruction ID: 490eff805133b779d1e88518df732de34d233aab1f34b3f6df801b81c6e05a52
Opcode Fuzzy Hash: 886388a8454b5ef274621c042b992ecb7ba6bec0162600470c7bd01026969307
Instruction Fuzzy Hash: 30814774D01208CFEB94DFA9D8887ADBBF6FB89314F10A06AD509A7351DB345989CF41

Function 065C7EF8 Relevance: 1.4, Strings: 1, Instructions: 183COMMON

Download Yara Rule

Strings

dhq, xrefs: 065C80B1

Memory Dump Source

Source File: 00000000.00000002.1897242323.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65c0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: dhq
API String ID: 0-2324836203
Opcode ID: 69db222beebdbf5cc574e19c143504b7c79dbbd75fca66a0c66ad9281f972f29
Instruction ID: 888aeddcf8f16d07437885a76928fea7c72d66d093231c041548e0dc962efaf5
Opcode Fuzzy Hash: 69db222beebdbf5cc574e19c143504b7c79dbbd75fca66a0c66ad9281f972f29
Instruction Fuzzy Hash: 09714674D05208CFEB94DFA9D8887ADBBF6FB88314F10A06AD519A7350DB345989CF41

Function 064B9EF8 Relevance: 1.4, Strings: 1, Instructions: 104COMMON

Download Yara Rule

Strings

T, xrefs: 064BBFAD

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: T
API String ID: 0-3187964512
Opcode ID: ef42d65687bf800d1e6094105bfa0aad9bf0e78dddd340616fa03a8e679e8e7a
Instruction ID: 95e1ac2a5066de794ae85cf416ca5adfed18e661923fa990e2accb29806e927c
Opcode Fuzzy Hash: ef42d65687bf800d1e6094105bfa0aad9bf0e78dddd340616fa03a8e679e8e7a
Instruction Fuzzy Hash: AE416CB1E056588FEB58CF6BCC4079AFAF7AFC9310F14D0BA990CAA215DB3045868F15

Function 06950006 Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

<, xrefs: 069500F6

Memory Dump Source

Source File: 00000000.00000002.1897894293.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6950000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: 72062e0fb282c972024865f4cb8284b0e6418ed9565bc3e583810b1b3944af97
Instruction ID: 9df1d83b72a59893faab90d2b620a5ef1db5219df7f6e707dd87b803e35545b9
Opcode Fuzzy Hash: 72062e0fb282c972024865f4cb8284b0e6418ed9565bc3e583810b1b3944af97
Instruction Fuzzy Hash: 9641C371D093959FD72ACF6ACC4469ABFB6AF86300F15C0EAD408AB152D7320985DF51

Function 064B2B21 Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

L, xrefs: 064B2BFF

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: L
API String ID: 0-2909332022
Opcode ID: d90595936253e11c57c4b3dbfd5284278de02a3bde68c07be419a3df6486bc2a
Instruction ID: cdc2289e7b817358ec7aa440e1751db8f6c19fc23fc258dcade341bb26c28863
Opcode Fuzzy Hash: d90595936253e11c57c4b3dbfd5284278de02a3bde68c07be419a3df6486bc2a
Instruction Fuzzy Hash: F1319C71E056199BEB59CF6BCC4469AFBF7AFC9300F14D1BA840CAA264DF700A858E51

Function 064B8488 Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e4538a9d03483de2b28a2ffb2f50bd375ef5f5c5bb119b101405bd8b930cad
Instruction ID: 0f0f85320e392081ae68decc1587cce331a71dd7cdb156f54630692ca974d7b3
Opcode Fuzzy Hash: 45e4538a9d03483de2b28a2ffb2f50bd375ef5f5c5bb119b101405bd8b930cad
Instruction Fuzzy Hash: FA12B570E016198FDB54CFAAC9806DEFBF2BF88304F24D56AD419AB219D734A946CF50

Function 064B4A4D Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06a5405fd7daec2620efa046daa41964ce72fa5c148df7393d5b25ab151030f8
Instruction ID: b89ed5aa9711eaa827cd185216d70aba6c1512dcea8347cc6f19805d49da01c2
Opcode Fuzzy Hash: 06a5405fd7daec2620efa046daa41964ce72fa5c148df7393d5b25ab151030f8
Instruction Fuzzy Hash: 4D811564017D8C7EF7119B70DCD0EF77F6CEA566CD7459B86F8898A216C1248C428AF1

Function 06616B38 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897488003.0000000006610000.00000040.00000800.00020000.00000000.sdmp, Offset: 06610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6610000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bc2428793d6b7633d6f8194805a76d6650afc3e981f232b0da8375a764275d0
Instruction ID: 2f51af7f509ad91e3cb979f844f25b87fbab28b1dcc1ba9028e34e88ce141328
Opcode Fuzzy Hash: 2bc2428793d6b7633d6f8194805a76d6650afc3e981f232b0da8375a764275d0
Instruction Fuzzy Hash: 24E1F274E01218CFDBA4CF68D894BADBBB6FB89300F1490AAD419AB351DB745E85CF41

Function 06616B48 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897488003.0000000006610000.00000040.00000800.00020000.00000000.sdmp, Offset: 06610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6610000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a368ce63a06d9dae30aee4b9f1e4015f6e3aa0d9cee795e3563ddbc85e7f9603
Instruction ID: 93732c5beb5799e794d8490dfaefe88ef4682e63ed5ac6cd5f92e2a249f397b2
Opcode Fuzzy Hash: a368ce63a06d9dae30aee4b9f1e4015f6e3aa0d9cee795e3563ddbc85e7f9603
Instruction Fuzzy Hash: A2E1F074E01218CFDBA4CF68D894BADBBB6FB49300F1490AAD419AB351DB745E85CF41

Function 06614258 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897488003.0000000006610000.00000040.00000800.00020000.00000000.sdmp, Offset: 06610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6610000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 073d6ab9bf6a00fd0631f85cf18e59942e0b1ca6da6d7f6ed875ed25dc3008b9
Instruction ID: ab308405f180cf1dd4f9c29ce78c47f84a44a99fa6a668038e26c29bb1c45d38
Opcode Fuzzy Hash: 073d6ab9bf6a00fd0631f85cf18e59942e0b1ca6da6d7f6ed875ed25dc3008b9
Instruction Fuzzy Hash: CCE10374E01218CFEB94CFA9D844BADBBF6FB49300F1490A9D409AB291DB745E96CF41

Function 06614268 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897488003.0000000006610000.00000040.00000800.00020000.00000000.sdmp, Offset: 06610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6610000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69d5fe85049cf62a15919b362a9b979db72ce50e438443bcedf71fd90a393fa7
Instruction ID: a545c1c750a56da45d7ca5ff589e922923cb6762df75c6e0ac61106cb2f04ce3
Opcode Fuzzy Hash: 69d5fe85049cf62a15919b362a9b979db72ce50e438443bcedf71fd90a393fa7
Instruction Fuzzy Hash: ACE10374E04218CFEB94CFA9D844BADBBF6FB49300F1490A9D409AB291DB745E96CF41

Function 065CD7C0 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897242323.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65c0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3e68cf0e91ff3070890f47da311febb7487d68d63e7f31f8c6485be85fe8fc3
Instruction ID: 1465f456b95d34089f38a7269ee6eca280caf6709af257d85d65e6c43c0b8020
Opcode Fuzzy Hash: b3e68cf0e91ff3070890f47da311febb7487d68d63e7f31f8c6485be85fe8fc3
Instruction Fuzzy Hash: 23E10274E05218CFEBA4CFA9D894BADBBF6BF48314F0091AAD409AB350D7745A85CF41

Function 0661920A Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897488003.0000000006610000.00000040.00000800.00020000.00000000.sdmp, Offset: 06610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6610000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65adddc529829379955aa0baf31afd7836aa0933137de3ccc7008d65522153ee
Instruction ID: 15004e5fbafa4a2c30cf23c76bf92e4ef29bf86f61abdd224a4753af2fd39a8f
Opcode Fuzzy Hash: 65adddc529829379955aa0baf31afd7836aa0933137de3ccc7008d65522153ee
Instruction Fuzzy Hash: 16D1E270905229CFEBA4CF69D8A8BE9BBF6BB49300F1451E6D50DAB250DB305E85CF40

Function 0661A9C8 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897488003.0000000006610000.00000040.00000800.00020000.00000000.sdmp, Offset: 06610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6610000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eba3eb2127bbe833e8bd33910a0df61530244073d7737b8e577e8c93de37bba
Instruction ID: 9a19a779da13494ccdc8797dd153bd1859305fcf52fd3812d1e0660e15fbbcf2
Opcode Fuzzy Hash: 1eba3eb2127bbe833e8bd33910a0df61530244073d7737b8e577e8c93de37bba
Instruction Fuzzy Hash: 01C13574E01248CFEB54CFA9D984BAEBBF6FB49310F1490AAD409AB381D7745985CF41

Function 06616DF7 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897488003.0000000006610000.00000040.00000800.00020000.00000000.sdmp, Offset: 06610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6610000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da5634ce0443fa791ace1d0c11667d49e2daf83b00232020f176ab988c155675
Instruction ID: cc3ee7f95a72b21d2e7a5f8782ae25f3d0b2dc1ee3638341d04565f3b5bc46bb
Opcode Fuzzy Hash: da5634ce0443fa791ace1d0c11667d49e2daf83b00232020f176ab988c155675
Instruction Fuzzy Hash: 77C1DD74E04218CFDBA4CF68D894BA9B7B6FB49300F1491AAD40EAB351DB745E85CF41

Function 0661A9D8 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897488003.0000000006610000.00000040.00000800.00020000.00000000.sdmp, Offset: 06610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6610000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3fc4cd120a526330ef2c6e16efe455aa3cf3d8c95bb5eff2d76fa41a8d5a631
Instruction ID: 386157382a7d51a65370cd3e0f41225a062e85016c1a5bf4e808eec4c34e302d
Opcode Fuzzy Hash: b3fc4cd120a526330ef2c6e16efe455aa3cf3d8c95bb5eff2d76fa41a8d5a631
Instruction Fuzzy Hash: 54C15574E01248CFEB50CFA9D984BAEBBF6FB48310F14A0AAD409AB381D7745985CF41

Function 0320DB6C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1876913126.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3200000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e62640f9750762b69b70135cc277c1bc607c492fee19c8faee4b87cfdef26a96
Instruction ID: 667710ef998a3570b07d0faa29608e8679a41ee335236c9d15c0f8c15da1602f
Opcode Fuzzy Hash: e62640f9750762b69b70135cc277c1bc607c492fee19c8faee4b87cfdef26a96
Instruction Fuzzy Hash: BFA18136E103099FCF19DFB4C58459EBBB2FF84300B15456AE905AF262EB71E949CB50

Function 06619352 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897488003.0000000006610000.00000040.00000800.00020000.00000000.sdmp, Offset: 06610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6610000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d78e372391d6745f42203ce5b41b9001e951adf8662cbe7a89ea84b99301141
Instruction ID: 1b53f7091fa2829d768fd5fe46715b9e535b1b331b14a1d5a547393bb3a76bda
Opcode Fuzzy Hash: 4d78e372391d6745f42203ce5b41b9001e951adf8662cbe7a89ea84b99301141
Instruction Fuzzy Hash: 0BB1C374A01219CFDBA4DF19D9A8BE9BBF2BB49300F1451E6D50DAB260DB309E81CF45

Function 066152D8 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897488003.0000000006610000.00000040.00000800.00020000.00000000.sdmp, Offset: 06610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6610000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f37141bc75d1a7851ee130f2fa129c3073008f46c7747e7aeab7447f729685d
Instruction ID: a3c745f430cb34f158bd89f76938a80bc17547a8e2f1db308b0e5760c6d5f266
Opcode Fuzzy Hash: 7f37141bc75d1a7851ee130f2fa129c3073008f46c7747e7aeab7447f729685d
Instruction Fuzzy Hash: E491E6B0E05218CFEB94CFA9D484BADBBF6FB89304F145069D40AAB251E7749D86CF41

Function 066152E8 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897488003.0000000006610000.00000040.00000800.00020000.00000000.sdmp, Offset: 06610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6610000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9292046ebb5fb434aa7028f6d3c7124b36dcc4539566b173dde96fdd720b3729
Instruction ID: f1892ed8e7ce3dd63d33b98314dc3096bbf4f67645727f91ae8e06ee5a1e94e2
Opcode Fuzzy Hash: 9292046ebb5fb434aa7028f6d3c7124b36dcc4539566b173dde96fdd720b3729
Instruction Fuzzy Hash: 6081F7B0D05208CFEB94CFA9D484BADBBF6FB89304F146069D40AAB251E7745D96CF41

Function 0696CB90 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897894293.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6950000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2291ec3ac09839708b50131121a690af79ded9f41e18c99db45cb82ab08a5c8
Instruction ID: 7c6f27006beb25abe8c527e08b30ee6b6fe96cd493086d00de532b50249b443e
Opcode Fuzzy Hash: f2291ec3ac09839708b50131121a690af79ded9f41e18c99db45cb82ab08a5c8
Instruction Fuzzy Hash: B3811A70D44318CFEBA4DFAAC8447EDBBF5AF89300F20946AE04AAB651DB745985CF40

Function 065C85F0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897242323.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65c0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0c2ce824cfb430e8e551c7448c33714e01b302eb9cc1c32e87eaa8e55347da5
Instruction ID: 11730d5fe843eaa16cdd9da0e40d9db40d5a8af4c1d6f8001bd59461a7e471fc
Opcode Fuzzy Hash: e0c2ce824cfb430e8e551c7448c33714e01b302eb9cc1c32e87eaa8e55347da5
Instruction Fuzzy Hash: 7561F270E05208CFEB94CFA9D548BEDBBF6FB49324F10A469D409A7240E7786989CF41

Function 065C8600 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897242323.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65c0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 868998577286d96f985d491dd6cdaa30c56d4a1f2cd52cf87dad81915cc80d34
Instruction ID: cee445380e7b6b400565616c806017d12181813154a02a6c244671f179917e12
Opcode Fuzzy Hash: 868998577286d96f985d491dd6cdaa30c56d4a1f2cd52cf87dad81915cc80d34
Instruction Fuzzy Hash: 6851F370E05208CFEB94CFA9D5447EDBBFAFB49324F106069D40AA7250E7796989CF41

Function 065E0006 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897334607.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65e0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63dbc816a8a07634588185f4f7ac6e5c68c7b37922cba96a8e949161ff2cd72d
Instruction ID: 96951fc220e8cac0fa8b5358da767f1a99d40ca109f9b22d0f137fc1c978d0ab
Opcode Fuzzy Hash: 63dbc816a8a07634588185f4f7ac6e5c68c7b37922cba96a8e949161ff2cd72d
Instruction Fuzzy Hash: CC515A71D056648BEB5DCF6B8D406CAFAF3AFC9310F08C1FA944CAA265DB740A858F51

Function 064B8478 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 507e28118bed4dbbec99bb498aa16a1a903defddbbe44a1d697f64b6d08b5adb
Instruction ID: b1e01fdd66432d80ee70620195357855daef8e8a5d37dcf91c73d8c6846d9a14
Opcode Fuzzy Hash: 507e28118bed4dbbec99bb498aa16a1a903defddbbe44a1d697f64b6d08b5adb
Instruction Fuzzy Hash: 444176B5E016198BDB08CFABC94069EFBF7BFC8300F14D17AD908AB214EB3459468B54

Function 065E0040 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897334607.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65e0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de1c87887a36597c2ec87eaf1852e953e514f32a38297ae378a6d2f84fc19f02
Instruction ID: 645702c48fecec6f12c598017780d41931c4f2410161ec26c2fe6986906e7700
Opcode Fuzzy Hash: de1c87887a36597c2ec87eaf1852e953e514f32a38297ae378a6d2f84fc19f02
Instruction Fuzzy Hash: 18511DB1D056588BEB6CCF6B8D446CAFAF7AFC9300F14C1FA954CA6254EB700AC58E41

Function 064B9EF2 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890943730.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfd552e001f6755e6aafe1baff40b3fc30e92b29d66b56009d15d6c0ada7eed0
Instruction ID: 002e736c07b804d2105bd9c59cc6792e6bbf1e901ba2eac4aed32d62eda49d7c
Opcode Fuzzy Hash: dfd552e001f6755e6aafe1baff40b3fc30e92b29d66b56009d15d6c0ada7eed0
Instruction Fuzzy Hash: D03145B1E056189BEB5CCF6BCD4069EFAF3AFC9310F14D0BA990CAA225DB3405468F15

Function 065FC9D0 Relevance: 7.7, Strings: 6, Instructions: 152COMMON

Download Yara Rule

Strings

4'dq, xrefs: 065FCAA2
phq, xrefs: 065FCB27
(hq, xrefs: 065FCB9A
4'dq, xrefs: 065FCA54
4'dq, xrefs: 065FCA84
4'dq, xrefs: 065FCB1A

Memory Dump Source

Source File: 00000000.00000002.1897383660.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65f0000_21FuuTyh3g.jbxd

Similarity

API ID:
String ID: (hq$4'dq$4'dq$4'dq$4'dq$phq
API String ID: 0-3112631775
Opcode ID: e4ad04c1e8b0abe0eec4e6a7a035f798d190151279042fa92abc3fd227e81015
Instruction ID: 239f51817a840b3060cc57767b863fa9843b2680cc39f57bd33879dcfc5243e0
Opcode Fuzzy Hash: e4ad04c1e8b0abe0eec4e6a7a035f798d190151279042fa92abc3fd227e81015
Instruction Fuzzy Hash: A6519F70A003098FC745DB69D8507AFBBEBBFD8301F548929C50A9B695DF34A90687E1

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 21FuuTyh3g.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Windows Analysis Report
21FuuTyh3g.exe

Function 065CE1E8 Relevance: 4.3, Strings: 3, Instructions: 543
COMMON

Function 06611377 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83
nativeCOMMON

Function 06611AF4 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 213
processCOMMON

Function 06611B00 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 201
processCOMMON

Function 065FB708 Relevance: 4.2, Strings: 3, Instructions: 482
COMMON

Function 065FD3C8 Relevance: 4.1, Strings: 3, Instructions: 370
COMMON

Function 0320B6A8 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 198
COMMON

Function 065CDECA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 99
COMMON

Function 06612319 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75
injectionCOMMON

Function 06612320 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69
injectionCOMMON