Edit tour

Windows Analysis Report
adaFirmar.exe

Overview

General Information

Sample name:	adaFirmar.exe
Analysis ID:	1545329
MD5:	6c3d86b342f768fdb57e3d1fcf543cce
SHA1:	a449043e7eae780a0b9a66dc995cdb612cf4c41d
SHA256:	95a8277f391d876e1c6686ff255a123573bf4649f8600160e155ef325c1f2b55
Infos:

Detection

Score:	3
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Allocates memory with a write watch (potentially for evading sandboxes)

Detected potential crypto function

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

adaFirmar.exe (PID: 1996 cmdline: "C:\Users\user\Desktop\adaFirmar.exe" MD5: 6C3D86B342F768FDB57E3D1FCF543CCE)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: adaFirmar.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\adaFirmar.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: adaFirmar.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: R:\TTelecomunicaciones\COITT_macFirmar\obj\Release\adaFirmar.pdb source: adaFirmar.exe

Source: unknown

DNS traffic detected: query: 171.39.242.20.in-addr.arpa replaycode: Name error (3)

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa

Source: adaFirmar.exe	String found in binary or memory: http://albertmonter.com
Source: adaFirmar.exe, 00000000.00000002.3310227325.0000000001186000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://albertmonter.com-0b2b9608ed53ToD
Source: adaFirmar.exe	String found in binary or memory: http://albertmonter.comD
Source: adaFirmar.exe, 00000000.00000002.3311601309.0000000003411000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://albertmonter.comH
Source: adaFirmar.exe	String found in binary or memory: http://albertmonter.comX
Source: adaFirmar.exe	String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: adaFirmar.exe	String found in binary or memory: http://www.color.org;colorspace.rgb.is.not.allowed_all.the.fonts.must.be.embedded.this.one.isn.t.1Mt
Source: adaFirmar.exe	String found in binary or memory: http://www.xfa.org/schema/xfa-data/1.0/
Source: adaFirmar.exe	String found in binary or memory: https://?1.not.found.as.file.or.resource_you.can.only.add.a.writer.to.a.pdfdocument.once

Source: C:\Users\user\Desktop\adaFirmar.exe	Code function: 0_2_055C06E0		0_2_055C06E0
Source: C:\Users\user\Desktop\adaFirmar.exe	Code function: 0_2_055C06D8		0_2_055C06D8

Source: adaFirmar.exe, 00000000.00000002.3310429531.000000000132E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs adaFirmar.exe
Source: adaFirmar.exe, 00000000.00000002.3311601309.0000000003411000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs adaFirmar.exe
Source: adaFirmar.exe, 00000000.00000002.3311601309.0000000003411000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: lU,\\StringFileInfo\\000004B0\\OriginalFilenameL. vs adaFirmar.exe
Source: adaFirmar.exe, 00000000.00000000.2045045375.00000000007E2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameitextsharp.dll4 vs adaFirmar.exe
Source: adaFirmar.exe	Binary or memory string: OriginalFilenameitextsharp.dll4 vs adaFirmar.exe

Source: adaFirmar.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: clean3.winEXE@1/0@1/0

Source: C:\Users\user\Desktop\adaFirmar.exe

Mutant created: NULL

Source: adaFirmar.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: adaFirmar.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\adaFirmar.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: adaFirmar.exe	String found in binary or memory: codabar.must.have.one.of.abcd.as.start.stop.character=Codabar must have one of 'ABCD' as start/stop character.
Source: adaFirmar.exe	String found in binary or memory: codabar.must.have.one.of.abcd.as.start.stop.character=Codabar must have one of 'ABCD' as start/stop character.
Source: adaFirmar.exe	String found in binary or memory: in.codabar.start.stop.characters.are.only.allowed.at.the.extremes=In codabar worden start/stop karakters enkel toegelaten bij begin en einde van de string.
Source: adaFirmar.exe	String found in binary or memory: in.codabar.start.stop.characters.are.only.allowed.at.the.extremes=In codabar worden start/stop karakters enkel toegelaten bij begin en einde van de string.
Source: adaFirmar.exe	String found in binary or memory: in.codabar.start.stop.characters.are.only.allowed.at.the.extremes=In codabar, start/stop characters are only allowed at the extremes.
Source: adaFirmar.exe	String found in binary or memory: in.codabar.start.stop.characters.are.only.allowed.at.the.extremes=In codabar, start/stop characters are only allowed at the extremes.

Source: C:\Users\user\Desktop\adaFirmar.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\adaFirmar.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\adaFirmar.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: adaFirmar.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: adaFirmar.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: adaFirmar.exe

Static file information: File size 6352896 > 1048576

Source: C:\Users\user\Desktop\adaFirmar.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: adaFirmar.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x5e6800

Source: adaFirmar.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: adaFirmar.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: R:\TTelecomunicaciones\COITT_macFirmar\obj\Release\adaFirmar.pdb source: adaFirmar.exe

Source: C:\Users\user\Desktop\adaFirmar.exe	Code function: 0_2_015213C8 push ds; iretd	0_2_015213E5
Source: C:\Users\user\Desktop\adaFirmar.exe	Code function: 0_2_01520F60 push ds; iretd	0_2_01520F85
Source: C:\Users\user\Desktop\adaFirmar.exe	Code function: 0_2_01521296 push ds; iretd	0_2_015212FD
Source: C:\Users\user\Desktop\adaFirmar.exe	Code function: 0_2_01520F04 push ds; iretd	0_2_01520F15
Source: C:\Users\user\Desktop\adaFirmar.exe	Code function: 0_2_01520F20 push ds; iretd	0_2_01520F3D
Source: C:\Users\user\Desktop\adaFirmar.exe	Code function: 0_2_015209A0 push ds; iretd	0_2_015209CD
Source: C:\Users\user\Desktop\adaFirmar.exe	Code function: 0_2_01521328 push ds; iretd	0_2_01521345

Source: C:\Users\user\Desktop\adaFirmar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\adaFirmar.exe	Memory allocated: 17A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Memory allocated: 3410000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\adaFirmar.exe	Memory allocated: 5410000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\adaFirmar.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\adaFirmar.exe

Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Virtualization/Sandbox Evasion	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
adaFirmar.exe	0%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
171.39.242.20.in-addr.arpa	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://albertmonter.com-0b2b9608ed53ToD	adaFirmar.exe, 00000000.00000002.3310227325.0000000001186000.00000004.00000010.00020000.00000000.sdmp	false	unknown
http://www.color.org;colorspace.rgb.is.not.allowed_all.the.fonts.must.be.embedded.this.one.isn.t.1Mt	adaFirmar.exe	false	unknown
http://www.aiim.org/pdfa/ns/id/	adaFirmar.exe	false	unknown
https://?1.not.found.as.file.or.resource_you.can.only.add.a.writer.to.a.pdfdocument.once	adaFirmar.exe	false	unknown
http://albertmonter.comH	adaFirmar.exe, 00000000.00000002.3311601309.0000000003411000.00000004.00000800.00020000.00000000.sdmp	false	unknown
http://albertmonter.comX	adaFirmar.exe	false	unknown
http://albertmonter.com	adaFirmar.exe	false	unknown
http://albertmonter.comD	adaFirmar.exe	false	unknown
http://www.xfa.org/schema/xfa-data/1.0/	adaFirmar.exe	false	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545329
Start date and time:	2024-10-30 12:49:55 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	adaFirmar.exe
Detection:	CLEAN
Classification:	clean3.winEXE@1/0@1/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 58 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: adaFirmar.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.156470591632779
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	adaFirmar.exe
File size:	6'352'896 bytes
MD5:	6c3d86b342f768fdb57e3d1fcf543cce
SHA1:	a449043e7eae780a0b9a66dc995cdb612cf4c41d
SHA256:	95a8277f391d876e1c6686ff255a123573bf4649f8600160e155ef325c1f2b55
SHA512:	210f6cdcb5656c794429b177f3d57ece10a80934e356d78c388d7ddd9122364311443d8d6d23a2ea88f75a355d9c448b345efdac3f4aac52e54706a83daa6738
SSDEEP:	98304:pbtkC76Ouj7Fn0vWwgh9nkW1PvbfXwHiRNgII7:xqvFn0Jgh1/1PvjXwHiRNg
TLSH:	B356AE1833E89A26C57B4672D0F2C53292E5F91B66ABF74F64FCB96D1C43B00D902927
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...yy.^.................h^.........~.^.. ....^...@.. .......................`a...........@................................

File Icon


Icon Hash:	074775496592d623

Static PE Info

General

Entrypoint:	0x9e877e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5E9D7979 [Mon Apr 20 10:29:13 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5e8730	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5ec000	0x27e18	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x614000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x5ea000	0x1c	.sdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x5e6784	0x5e6800	1ea62a6f330f0a9976d4d8a3a8132d63	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.sdata	0x5ea000	0x138	0x200	925ac460d37a5796e004c44d4f0f53b2	False	0.232421875	data	1.7140550286115854	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5ec000	0x27e18	0x28000	00e6b696a58858bc8e3f47057b4de8ca	False	0.48763427734375	data	5.2846177678652575	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x614000	0xc	0x200	2df17c137799002be87a5061c3efe3bb	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x5ec5e0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 0	0.4072814385425293
RT_ICON	0x5fce08	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 0	0.49747740172377547
RT_ICON	0x6062b0	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 0	0.5728743068391867
RT_ICON	0x60b738	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 0	0.6052196504487483
RT_ICON	0x60f960	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.6379668049792531
RT_ICON	0x611f08	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.7080206378986866
RT_ICON	0x612fb0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	0.7766393442622951
RT_ICON	0x613938	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.7225177304964538
RT_GROUP_ICON	0x613da0	0x76	data	0.7627118644067796
RT_VERSION	0x5ec238	0x3a4	data	0.41416309012875535

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 30, 2024 12:51:21.272356033 CET	53	49265	162.159.36.2	192.168.2.5
Oct 30, 2024 12:51:21.936968088 CET	61714	53	192.168.2.5	1.1.1.1
Oct 30, 2024 12:51:21.955127001 CET	53	61714	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 30, 2024 12:51:21.936968088 CET	192.168.2.5	1.1.1.1	0x1532	Standard query (0)	171.39.242.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 30, 2024 12:51:21.955127001 CET	1.1.1.1	192.168.2.5	0x1532	Name error (3)	171.39.242.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: adaFirmar.exePID: 1996, Parent PID: 1028

General

Target ID:	0
Start time:	07:50:46
Start date:	30/10/2024
Path:	C:\Users\user\Desktop\adaFirmar.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\adaFirmar.exe"
Imagebase:	0x7e0000
File size:	6'352'896 bytes
MD5 hash:	6C3D86B342F768FDB57E3D1FCF543CCE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: adaFirmar.exePID: 1996, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	30.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	134
Total number of Limit Nodes:	14

Executed Functions

Function 055C06E0 Relevance: 10.4, Strings: 5, Instructions: 4146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

e, xrefs: 055C3FE4
", xrefs: 055C2462
z, xrefs: 055C3E75
0 k, xrefs: 055C1277
}, xrefs: 055C3492

Memory Dump Source

Source File: 00000000.00000002.3312655308.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55c0000_adaFirmar.jbxd

Similarity

API ID:
String ID: "$0 k$e$z$}
API String ID: 0-4228288086
Opcode ID: 8e688f89a9c6a4bf0c2fb61b5958384d1530bdd037f167efe6f8f81815aad664
Instruction ID: 66af8adfb0864a0795ffdcf9606f36e0a3a463c888c82aa4b72c44125d28769f
Opcode Fuzzy Hash: 8e688f89a9c6a4bf0c2fb61b5958384d1530bdd037f167efe6f8f81815aad664
Instruction Fuzzy Hash: D4939D347002148FCB199B78C458AAD7BF6AF8A309F2540FAE40ADB7A1DB769D45CF41

Function 055C06D8 Relevance: 10.4, Strings: 5, Instructions: 4145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

e, xrefs: 055C3FE4
", xrefs: 055C2462
z, xrefs: 055C3E75
0 k, xrefs: 055C1277
}, xrefs: 055C3492

Memory Dump Source

Source File: 00000000.00000002.3312655308.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55c0000_adaFirmar.jbxd

Similarity

API ID:
String ID: "$0 k$e$z$}
API String ID: 0-4228288086
Opcode ID: a1f953da831cccdfa98f22dc0a0dd11bca5716421ace2b6c97aeca1b71adb399
Instruction ID: 787350222a24f3119e3478d0ff87fe8139c4690ae60057ce83fb20685bf5fd55
Opcode Fuzzy Hash: a1f953da831cccdfa98f22dc0a0dd11bca5716421ace2b6c97aeca1b71adb399
Instruction Fuzzy Hash: AF939D347002148FCB199B78C458AAD7BF6AF8A309F2540FAE40ADB7A1DB769D45CF41

Function 055C57E0 Relevance: 1.7, APIs: 1, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 055C57FF

Memory Dump Source

Source File: 00000000.00000002.3312655308.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55c0000_adaFirmar.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 7187cf236627c6da32301040e0e47987b5144e0dd87c990d4ed89b5fa71ef075
Instruction ID: fbd0937699906928aeebc11353a86a79507aca1b83dc23533ca71c8f330a1cd4
Opcode Fuzzy Hash: 7187cf236627c6da32301040e0e47987b5144e0dd87c990d4ed89b5fa71ef075
Instruction Fuzzy Hash: 8B816E30A042048FDB04DBF9C9506EE7BF2BFC9319B1041A9D105EB764EB75AC49CB91

Function 0170AB26 Relevance: 1.6, APIs: 1, Instructions: 92
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0170ABD5

Memory Dump Source

Source File: 00000000.00000002.3311051085.000000000170A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170a000_adaFirmar.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 130ca9238f8feeeec20930e8a356215c058a31f56abc479fe709fd75524d6fc1
Instruction ID: 0d2e35bbdcd9a0152917a0b5c38df456cdeff4e77be5574612b5ef605f20c824
Opcode Fuzzy Hash: 130ca9238f8feeeec20930e8a356215c058a31f56abc479fe709fd75524d6fc1
Instruction Fuzzy Hash: DE31A472404384AFE7228B15CC45FA7BFFCEF06210F04859AE9858B653D264A54DCB71

Function 0170AC1D Relevance: 1.6, APIs: 1, Instructions: 89
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,9D8490EF,00000000,00000000,00000000,00000000), ref: 0170ACD8

Memory Dump Source

Source File: 00000000.00000002.3311051085.000000000170A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170a000_adaFirmar.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f11725b2428b6b29758db3156afd3eb178ac5a6bcebe7fffc7b3ef2d48827442
Instruction ID: 4ffe54a33fc271b3d0d70383fb746f0ec5e637804394bd882fc97d46d18f8f3c
Opcode Fuzzy Hash: f11725b2428b6b29758db3156afd3eb178ac5a6bcebe7fffc7b3ef2d48827442
Instruction Fuzzy Hash: F53181755093849FE722CB25CC44FA6BFFCEF06214F08849AE985CB293D264E549CB71

Function 055C5769 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 055C57FF

Memory Dump Source

Source File: 00000000.00000002.3312655308.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55c0000_adaFirmar.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8a127769906fe7a58ac764ac5a0f04134a41748af4f81bbdbff3b483e4d9db3a
Instruction ID: d790bf23f957f1ab668487223b16303a10d12edd34aeed5538e2d0ce837f7ba5
Opcode Fuzzy Hash: 8a127769906fe7a58ac764ac5a0f04134a41748af4f81bbdbff3b483e4d9db3a
Instruction Fuzzy Hash: 15314D31F042048FDB04DBF8D554A9EBBF2FB89318F2481A9D105EB391EB75AC468B91

Function 05A72046 Relevance: 1.6, APIs: 1, Instructions: 86
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?), ref: 05A720D8

Memory Dump Source

Source File: 00000000.00000002.3313101656.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_adaFirmar.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 1606eba6a1fdbeb68949068e68d6d5907f9527d0c31fe232c3e82abd87d2ffb2
Instruction ID: 66b30a7c3a772506d3bf64889bfc81243258a045a5f7d85690a5fa0961014f29
Opcode Fuzzy Hash: 1606eba6a1fdbeb68949068e68d6d5907f9527d0c31fe232c3e82abd87d2ffb2
Instruction Fuzzy Hash: B5315C7550E3C05FD7138B259C65A92BFB4AF03210F0A84DBDD85CF2A3D229A849C772

Function 05A71E30 Relevance: 1.6, APIs: 1, Instructions: 85
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MoveFileW.KERNEL32(?,?), ref: 05A71ECB

Memory Dump Source

Source File: 00000000.00000002.3313101656.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_adaFirmar.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 370c61364ea60cdf5e511f7aa3cde3c8780f5e4c30d68a88dbc774bd8cd3d0ad
Instruction ID: 7138db27e04ca0b681003188bb7133f2d6560a68f31f551d830b54ced03ac3db
Opcode Fuzzy Hash: 370c61364ea60cdf5e511f7aa3cde3c8780f5e4c30d68a88dbc774bd8cd3d0ad
Instruction Fuzzy Hash: 26312A7150E3C59FDB138B25DC55A62BFB8AF03220F0D84DBD885CF1A3D6689848CB62

Function 0170B074 Relevance: 1.6, APIs: 1, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?,00000E24,?,?), ref: 0170B109

Memory Dump Source

Source File: 00000000.00000002.3311051085.000000000170A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170a000_adaFirmar.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: fbb8bc12d7de2e9ed19b4965a062a37fe2cb51890840e5d89c337577f61c4675
Instruction ID: 48c3eb244c1ed345b4a1259abb088658a7f0c3372a375d36d98ed001b57366f6
Opcode Fuzzy Hash: fbb8bc12d7de2e9ed19b4965a062a37fe2cb51890840e5d89c337577f61c4675
Instruction Fuzzy Hash: F82195754493C06FD3138B259C51B62BFB8EF47610F0A41DBE884DB653D229A919C7B2

Function 05A739EC Relevance: 1.6, APIs: 1, Instructions: 76
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 05A73A86

Memory Dump Source

Source File: 00000000.00000002.3313101656.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_adaFirmar.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: bea5d463927d9a709b237e553cf4a0de0412eddae098fe5398566253569a97ec
Instruction ID: 602208e453404373df7fa5c56d5fa2885adcf64a830a750559efdcd1b4812c63
Opcode Fuzzy Hash: bea5d463927d9a709b237e553cf4a0de0412eddae098fe5398566253569a97ec
Instruction Fuzzy Hash: 6C21C5755093C06FD3138B25CC51B72BFB8EF87610F0985CBE8849B693D2256919C7B2

Function 0170BB68 Relevance: 1.6, APIs: 1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VerLanguageNameW.KERNELBASE(?,00000E24,?,?), ref: 0170BC02

Memory Dump Source

Source File: 00000000.00000002.3311051085.000000000170A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170a000_adaFirmar.jbxd

Similarity

API ID: LanguageName
String ID:
API String ID: 2060303382-0
Opcode ID: bbf56187d807fdfe82a3189d8aada8f12fd652371199a5c17c0fd478c86895c7
Instruction ID: e29a5d9c82df9cf684b6ed0c3cfe5456f3ba4545336cd49b33dfb02ab27133ce
Opcode Fuzzy Hash: bbf56187d807fdfe82a3189d8aada8f12fd652371199a5c17c0fd478c86895c7
Instruction Fuzzy Hash: E721D77540D3C05FC3128B25CC55B62BFB4EF87624F0981DFD8848B693D224A919CBA2

Function 0170AB56 Relevance: 1.6, APIs: 1, Instructions: 74
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0170ABD5

Memory Dump Source

Source File: 00000000.00000002.3311051085.000000000170A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170a000_adaFirmar.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8b475c7ace67d57ad35d55ae8f44a4e7aa43ebab69a87b71216e8e609c235f00
Instruction ID: d8aec04286cbae0f3c38454207ef9fec40fd566c4006d3f813850618eccd0997
Opcode Fuzzy Hash: 8b475c7ace67d57ad35d55ae8f44a4e7aa43ebab69a87b71216e8e609c235f00
Instruction Fuzzy Hash: 78218E72500744AEE722DB15CC44FBBFBECEB04214F04885AEA459B692D374E54C8AB5

Function 055C57D1 Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 055C57FF

Memory Dump Source

Source File: 00000000.00000002.3312655308.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55c0000_adaFirmar.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 0f063ee04d756450eefbd6d89ea7caf7ff18f19a1b6306b54a0285003cc8b849
Instruction ID: 109bb7250ca6cb6d7577269c6d303e7e8f1cfa7ea533d69718b0e1d5b4546024
Opcode Fuzzy Hash: 0f063ee04d756450eefbd6d89ea7caf7ff18f19a1b6306b54a0285003cc8b849
Instruction Fuzzy Hash: 79212B70E042048FCB04DBF8C994ADEBBF1BB89324F2482A9D404E7751DB35AD45CB91

Function 0170AC5E Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,9D8490EF,00000000,00000000,00000000,00000000), ref: 0170ACD8

Memory Dump Source

Source File: 00000000.00000002.3311051085.000000000170A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170a000_adaFirmar.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1ec9f129336304a7342586d86d4561578ab880cc10c782cccc04e6023d37c5ca
Instruction ID: b6a19c8598f6971fa76a3e49ba505498e1c2db7b132df50987529dc4db4320ca
Opcode Fuzzy Hash: 1ec9f129336304a7342586d86d4561578ab880cc10c782cccc04e6023d37c5ca
Instruction Fuzzy Hash: E8216D755003049FE722CF15CC44FA7FBECEF04614F04845AEA45DB692D764E848CA71

Function 0170BD39 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 0170BDBB

Memory Dump Source

Source File: 00000000.00000002.3311051085.000000000170A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170a000_adaFirmar.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 614580341868a98b361a46b9c35fd63bacf5ec6f9b7065ee5fa891cba2e6393f
Instruction ID: de2799e95fb39dfe340f87c7b2bbfbf974dbb78c8c078ae24f61fcea901d5bc6
Opcode Fuzzy Hash: 614580341868a98b361a46b9c35fd63bacf5ec6f9b7065ee5fa891cba2e6393f
Instruction Fuzzy Hash: CC218E755087849FDB22CF65D844B52FFE8EF06310F09849AE9848B663D325E908CB61

Function 05A72AF4 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,9D8490EF,00000000,?,?,?,?,?,?,?,?,6CAB3C58), ref: 05A72B6D

Memory Dump Source

Source File: 00000000.00000002.3313101656.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_adaFirmar.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 87fc8ecdca51ea8718466d99d36f1c0845b9acb3835123af9ec29e8140b0a33b
Instruction ID: ddad9fe140c3491c33b7bdc96911255e3595a3614db589770be5adca964019ab
Opcode Fuzzy Hash: 87fc8ecdca51ea8718466d99d36f1c0845b9acb3835123af9ec29e8140b0a33b
Instruction Fuzzy Hash: 2F21A1751097C09FDB238F25CC84A62BFB4EF47220F0984DEE9858F663C265A80DCB61

Function 0170B46D Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 0170B4E9

Memory Dump Source

Source File: 00000000.00000002.3311051085.000000000170A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170a000_adaFirmar.jbxd

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 50e347ff9a4a15b5705331aa2c5951a4f8d96e90cde8a31b16815bc84f8b3913
Instruction ID: 036d66f802520208675aeb5f7e530eaab5f85694b5f801c7d8af0d3609b35de7
Opcode Fuzzy Hash: 50e347ff9a4a15b5705331aa2c5951a4f8d96e90cde8a31b16815bc84f8b3913
Instruction Fuzzy Hash: CF218EB55093809FEB228B15DC45B62FFE8EF46610F09849AE9848B293D265E908CB71

Function 05A72A42 Relevance: 1.6, APIs: 1, Instructions: 65windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,?,?,?), ref: 05A72AB8

Memory Dump Source

Source File: 00000000.00000002.3313101656.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_adaFirmar.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 150be255e99187cfb223875425217b3c8b4812a86c4242718a08af0742c66d89
Instruction ID: 3c4a9c5ba5fe5421488a53fe40e995ebd4d68b349ae2992649ff1e902ef713a2
Opcode Fuzzy Hash: 150be255e99187cfb223875425217b3c8b4812a86c4242718a08af0742c66d89
Instruction Fuzzy Hash: 1421AE765097849FDB228F25DC40BA2BFB4EF06310F0884DAE9858B663D265A818DB61

Function 05A726BE Relevance: 1.6, APIs: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05A72731

Memory Dump Source

Source File: 00000000.00000002.3313101656.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_adaFirmar.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 838f770127c5a186b73473e7488c4c015227c8cba137963f089ed4c2b39d57fc
Instruction ID: b71447e1526c0639e5ea74e97b2cd13c8529d11be34b735d0801b1b186cc1b36
Opcode Fuzzy Hash: 838f770127c5a186b73473e7488c4c015227c8cba137963f089ed4c2b39d57fc
Instruction Fuzzy Hash: 762190754097C09FDB228F25DC45A52FFB4EF07220F0884DEED858B563D265A858DB62

Function 0170A65A Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0170A6CC

Memory Dump Source

Source File: 00000000.00000002.3311051085.000000000170A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170a000_adaFirmar.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: aeeb44c406bc021cd958ad00b40fd66fbb5f2f560c4b6ec5c9bdc2ebed893846
Instruction ID: 2cc4c9384e5eccb485071b8e41445d62f2f643126221dcad45b3c6846826520b
Opcode Fuzzy Hash: aeeb44c406bc021cd958ad00b40fd66fbb5f2f560c4b6ec5c9bdc2ebed893846
Instruction Fuzzy Hash: 7721367540A3C49FDB138B25DC54662BFB8DF47624F0980DBE9848B2A3D2696908CB72

Function 0170A5AF Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0170A61A

Memory Dump Source

Source File: 00000000.00000002.3311051085.000000000170A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170a000_adaFirmar.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8c4de92ca239606fc6a304dc76431a54c637c0cae0a3ad9cf5269932c1ef9834
Instruction ID: 92a06e1dc417d154574b4116ca6d8f6a572f14fa837a9926581ab38ac6bb8830
Opcode Fuzzy Hash: 8c4de92ca239606fc6a304dc76431a54c637c0cae0a3ad9cf5269932c1ef9834
Instruction Fuzzy Hash: 08114271409780AFDB228F55DC44A62FFF8EF4A710F0888DAED858B663D275A418DB61

Function 05A718A9 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,?), ref: 05A7191B

Memory Dump Source

Source File: 00000000.00000002.3313101656.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_adaFirmar.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: bf2966b30bbcba90849d28f0fd89f9d75c5eb45027c5e8737b73ef70bd73a838
Instruction ID: 71ca36e0ea7b5baf3dce6026ba386f06133e3332696867b802b1bf0b5efd1d83
Opcode Fuzzy Hash: bf2966b30bbcba90849d28f0fd89f9d75c5eb45027c5e8737b73ef70bd73a838
Instruction Fuzzy Hash: 0F21A2725083849FDB11CF15DC45B62BFE8EF12324F0980DAE9858B263D265E919CB61

Function 05A7211F Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 05A7218F

Memory Dump Source

Source File: 00000000.00000002.3313101656.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_adaFirmar.jbxd

Similarity

API ID: FileInfoSizeVersion
String ID:
API String ID: 1661704012-0
Opcode ID: fcbec82e44104afa8b70ca25963ede38150b857be3ff497df49ecb1d6a8389d4
Instruction ID: 7ebafd334ec4366c859078eca463e915454379f50b68f9acc17da1d1273b6b47
Opcode Fuzzy Hash: fcbec82e44104afa8b70ca25963ede38150b857be3ff497df49ecb1d6a8389d4
Instruction Fuzzy Hash: 7F219D755093849FD722CB25CC85B56BFF8EF46210F0984DAE9858F263D378A808CB62

Function 05A721E0 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetFileVersionInfoW.KERNELBASE(?,?,?,?), ref: 05A72245

Memory Dump Source

Source File: 00000000.00000002.3313101656.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_adaFirmar.jbxd

Similarity

API ID: FileInfoVersion
String ID:
API String ID: 2427832333-0
Opcode ID: d89ea2daea0a2d754aed0805ef36200720d3114a573c83874967eec801dac697
Instruction ID: 20033eab40108fdf0aa4c7c8763e49723fb54fceaae3ccc23564be19a9cd9ba5
Opcode Fuzzy Hash: d89ea2daea0a2d754aed0805ef36200720d3114a573c83874967eec801dac697
Instruction Fuzzy Hash: C21181755093449FDB218B15DC45F62BFB8EF46610F08809EED858B663D261E808CB61

Function 0170BDFF Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,9D8490EF,00000000,?,?,?,?,?,?,?,?,6CAB3C58), ref: 0170BE6C

Memory Dump Source

Source File: 00000000.00000002.3311051085.000000000170A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170a000_adaFirmar.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: c4d063bc04a6c39ef4b15d6aaffde0d399d9dbd55b421cdca9c41901353a0669
Instruction ID: d5199fa06ea197d843f3e64b06781845d29595bf5231a5ff3e5c0a5395f88d1e
Opcode Fuzzy Hash: c4d063bc04a6c39ef4b15d6aaffde0d399d9dbd55b421cdca9c41901353a0669
Instruction Fuzzy Hash: B011B1754097C09FD712CB25DC85A52BFF8EF07210F0980DAE9858F2A3C274A948CB71

Function 05A72BAD Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 05A72C18

Memory Dump Source

Source File: 00000000.00000002.3313101656.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_adaFirmar.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 4895e95e8b8d8a170655b2a2b4fe0f51b01ea894dc2afab9308b2e5b3a48c7a6
Instruction ID: 09ae586f68c272f0f61615930cd639bfea03c90d54dda997b268a1d4f62d3549
Opcode Fuzzy Hash: 4895e95e8b8d8a170655b2a2b4fe0f51b01ea894dc2afab9308b2e5b3a48c7a6
Instruction Fuzzy Hash: 5C1181754093C49FDB228B15DC44B62BFB4EF47624F0984DEED854F263D2656808CB72

Function 0170AA7D Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SHAutoComplete.SHLWAPI(?,?), ref: 0170AAEB

Memory Dump Source

Source File: 00000000.00000002.3311051085.000000000170A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170a000_adaFirmar.jbxd

Similarity

API ID: AutoComplete
String ID:
API String ID: 4247635402-0
Opcode ID: 46ba1bcc0f0d54a2ac02895a2b4015e989732bf300358b626e5f5973f4b01317
Instruction ID: 5880f05ed1852d830fb6afe2326fe048a4ded5f64a0a123409b1cb7859c844bb
Opcode Fuzzy Hash: 46ba1bcc0f0d54a2ac02895a2b4015e989732bf300358b626e5f5973f4b01317
Instruction Fuzzy Hash: F3117C7540D7C09FCB138B259C45A52BFB4EF07220F0984DEE9844F2A3D265A948CB62

Function 0170A87F Relevance: 1.6, APIs: 1, Instructions: 54comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 0170A8E0

Memory Dump Source

Source File: 00000000.00000002.3311051085.000000000170A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170a000_adaFirmar.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 19db1c8ed6fefae217d14e0d4b991d8d4e813afdd13541423d7dae21b6f73059
Instruction ID: 4d19e50fca2f6d86062c0e2629473036065c13ddba7013daeff7d963ddfd52c5
Opcode Fuzzy Hash: 19db1c8ed6fefae217d14e0d4b991d8d4e813afdd13541423d7dae21b6f73059
Instruction Fuzzy Hash: A611BF715493849FDB12CF15DC45B52BFB4EF06224F0884DAED858F293D275A808CB62

Function 0170BD6A Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 0170BDBB

Memory Dump Source

Source File: 00000000.00000002.3311051085.000000000170A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170a000_adaFirmar.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: b19039a86350ce8b12914f632711f4ee6746429d7396b0934bdc43fb01dafe8d
Instruction ID: 6154ca560d97fe475e80cc3c0a01f02b19f7aa155b087a78338c37ef74d84970
Opcode Fuzzy Hash: b19039a86350ce8b12914f632711f4ee6746429d7396b0934bdc43fb01dafe8d
Instruction Fuzzy Hash: 2A115E75504344DFEB21CF65D944B62FBE8EF04320F08C4AADE458B652D375E548CB62

Function 05A71E86 Relevance: 1.6, APIs: 1, Instructions: 52fileCOMMON

Download Yara Rule

APIs

MoveFileW.KERNEL32(?,?), ref: 05A71ECB

Memory Dump Source

Source File: 00000000.00000002.3313101656.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_adaFirmar.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 55fb0670b0050819f9c48a46cfb81e67ab03bd76adff676f40fd459c9308f930
Instruction ID: 46c4a92dcbece13a1d5d9b5e6dca44ea3285c657ec3d47a7aa1c464d8546219b
Opcode Fuzzy Hash: 55fb0670b0050819f9c48a46cfb81e67ab03bd76adff676f40fd459c9308f930
Instruction Fuzzy Hash: 021165716042488FEB10DF15DC85F76BBE8EF05620F08C4AADD55CB742D374E444CA61

Function 05A71A08 Relevance: 1.6, APIs: 1, Instructions: 50windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 05A71A65

Memory Dump Source

Source File: 00000000.00000002.3313101656.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_adaFirmar.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 62c797e35859e219349e31260cff088be8e40b2bad8e08fbb3c74d6435029126
Instruction ID: c486ba15d741517eb61af72bf7d20d1eb94a31fab5f6c5074a0f529305a2acc7
Opcode Fuzzy Hash: 62c797e35859e219349e31260cff088be8e40b2bad8e08fbb3c74d6435029126
Instruction Fuzzy Hash: D711AC71409784AFDB228F15DC44E62FFF4EF06220F08C49EEA844B663D275A858CB62

Function 0170A9F0 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0170AA4A

Memory Dump Source

Source File: 00000000.00000002.3311051085.000000000170A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170a000_adaFirmar.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 08e276226d2fe210ce5259482aa101784a18f8c4eb26a5d6e9b249560ba37de0
Instruction ID: 241d04e05c957f82d909898d7e46ffd45c397bae95c2d607f4563cab7fe5546a
Opcode Fuzzy Hash: 08e276226d2fe210ce5259482aa101784a18f8c4eb26a5d6e9b249560ba37de0
Instruction Fuzzy Hash: E011AC714097849FCB22CF15DC84A52FFF4EF06220F08C4DAE9854B2A3C275A948CB62

Function 05A7209E Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 05A720D8

Memory Dump Source

Source File: 00000000.00000002.3313101656.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_adaFirmar.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 302e4b51e3ccc3f3cde938f9dffcb0c9b0e5136446bc601c7c0502543c57251b
Instruction ID: bc185129fbfc8c5417f268e129aed4658d39fa38ce53b027104f02b23a9d4565
Opcode Fuzzy Hash: 302e4b51e3ccc3f3cde938f9dffcb0c9b0e5136446bc601c7c0502543c57251b
Instruction Fuzzy Hash: 340152756042488FDB10DF25DD85B66FBE8EF05220F08C4AADE46DB752D375E848CA61

Function 0170B49E Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 0170B4E9

Memory Dump Source

Source File: 00000000.00000002.3311051085.000000000170A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170a000_adaFirmar.jbxd

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 076c2a5355f33f563562c1673645e85a5310d058ed689d564b81a8ceabf9c326
Instruction ID: a88bc2f28d1459d4969b12de7b88452cb16e5d97a714f9b350dcff4b16e6638e
Opcode Fuzzy Hash: 076c2a5355f33f563562c1673645e85a5310d058ed689d564b81a8ceabf9c326
Instruction Fuzzy Hash: 19019275500304DFEB21CF1AD885B22FBE8EF54620F08C499ED498B792D375E608CA71

Function 05A72202 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetFileVersionInfoW.KERNELBASE(?,?,?,?), ref: 05A72245

Memory Dump Source

Source File: 00000000.00000002.3313101656.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_adaFirmar.jbxd

Similarity

API ID: FileInfoVersion
String ID:
API String ID: 2427832333-0
Opcode ID: 28daec63f979ff11344fce1fbba9722e44c620c93d033ca528081dfd32d98267
Instruction ID: 33c385129c325dbd187f24d96a0feb4812eb0a75778316f264372f6891d7a665
Opcode Fuzzy Hash: 28daec63f979ff11344fce1fbba9722e44c620c93d033ca528081dfd32d98267
Instruction Fuzzy Hash: 100192765042488FDB20CF16DD44B66FBE8EF04220F08C09EDE458B762D375E448CEA1

Function 0170A5D6 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0170A61A

Memory Dump Source

Source File: 00000000.00000002.3311051085.000000000170A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170a000_adaFirmar.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d78ccaf29e23cd87e4feef76df814669b82029eefce743b2606f94a629c6810f
Instruction ID: d975be847537d4cc2305a5ca366394a31abfaec374a68891642e0c6d77104b76
Opcode Fuzzy Hash: d78ccaf29e23cd87e4feef76df814669b82029eefce743b2606f94a629c6810f
Instruction Fuzzy Hash: 97013972404744DFDB228F55D944B62FFE4EF48720F08C89AEE494B652C375A418DB62

Function 05A718DE Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,?), ref: 05A7191B

Memory Dump Source

Source File: 00000000.00000002.3313101656.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_adaFirmar.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 6fb443ce389fe3dc1eb1dbcbc42ed057d0d0580240ad31d074691d5ef5d6cb85
Instruction ID: c274588163288a83b1786e88cfd5f623b8ca184867da1138380a09f9aa7e5620
Opcode Fuzzy Hash: 6fb443ce389fe3dc1eb1dbcbc42ed057d0d0580240ad31d074691d5ef5d6cb85
Instruction Fuzzy Hash: 250188765042488FDB10DF16DD45B72FBE8EF05620F08C0AEDD458B752D275E459CA61

Function 05A72152 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 05A7218F

Memory Dump Source

Source File: 00000000.00000002.3313101656.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_adaFirmar.jbxd

Similarity

API ID: FileInfoSizeVersion
String ID:
API String ID: 1661704012-0
Opcode ID: 9c8a5cee3b3771cb8dae7ffc748df76089d091223ec9a122bf9a70a2f5319ffe
Instruction ID: aebf979108b49007e883c88edf644f45820fe2bcceb0026a59edb91d711a74fb
Opcode Fuzzy Hash: 9c8a5cee3b3771cb8dae7ffc748df76089d091223ec9a122bf9a70a2f5319ffe
Instruction Fuzzy Hash: 7901B1755042489FEB20CF15DC84B6AFBE8FF44220F08C4AADE499B342D374E448CA61

Function 0170BBB2 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

VerLanguageNameW.KERNELBASE(?,00000E24,?,?), ref: 0170BC02

Memory Dump Source

Source File: 00000000.00000002.3311051085.000000000170A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170a000_adaFirmar.jbxd

Similarity

API ID: LanguageName
String ID:
API String ID: 2060303382-0
Opcode ID: fc6d94b0800d8b5b89dee15524ae2732d78b6a1e4a0acc73e7356c0d2b81cbb8
Instruction ID: 7be950dad997bc9781906c35e1c8508641fc772543c5772de8d82ab4a4a742fc
Opcode Fuzzy Hash: fc6d94b0800d8b5b89dee15524ae2732d78b6a1e4a0acc73e7356c0d2b81cbb8
Instruction Fuzzy Hash: 2B016271540600ABD310DF16DC46B76FBE8FB88A20F14815AED089BB42D775F925CBE6

Function 0170B0BE Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E24,?,?), ref: 0170B109

Memory Dump Source

Source File: 00000000.00000002.3311051085.000000000170A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170a000_adaFirmar.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 5c066829412df91503db16d22e07845c11ae511dd1ce4d507562d13cdd3b43f4
Instruction ID: e1f1051db6885f838c95c3faa298e2e38690b963df6a21596220e6a622ed5ce2
Opcode Fuzzy Hash: 5c066829412df91503db16d22e07845c11ae511dd1ce4d507562d13cdd3b43f4
Instruction Fuzzy Hash: F2018671540600ABD310DF16DC46B76FBE8FB88A20F148159ED089BB42D775F915CBE6

Function 05A73A36 Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 05A73A86

Memory Dump Source

Source File: 00000000.00000002.3313101656.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_adaFirmar.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: ec39e6166273020fc4b701d143725ed512a101f50070ec682f8b6cae14d4d2a6
Instruction ID: 0b53b80df03a3651cd4b80879a61c97dcfa4f40a86ee0fe95bc4b888e43892c2
Opcode Fuzzy Hash: ec39e6166273020fc4b701d143725ed512a101f50070ec682f8b6cae14d4d2a6
Instruction Fuzzy Hash: E701A271540200ABD310DF16CC46B76FBE8FB88A20F14811AED089BB42D775F925CBE6

Function 05A72A7A Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,?,?,?), ref: 05A72AB8

Memory Dump Source

Source File: 00000000.00000002.3313101656.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_adaFirmar.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: b52a4be3422aa5a120eeeadce5cc84eb2a68810577a10916a6d115bc3046367e
Instruction ID: a15f313aec343f7d0b51193036ccf9966e6692fd985418b1f44c7684c4d7dee7
Opcode Fuzzy Hash: b52a4be3422aa5a120eeeadce5cc84eb2a68810577a10916a6d115bc3046367e
Instruction Fuzzy Hash: 6F0192365006449FDB308F15DD45B62FBE4EF04220F08C49EDE454A652D375E458DB61

Function 05A726F6 Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05A72731

Memory Dump Source

Source File: 00000000.00000002.3313101656.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_adaFirmar.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 48278d595a253b708f352525a9714ed5bd2b223e9fb772698b55594aa4b390d1
Instruction ID: 0782b9c151d4c00d2fb60160a15651e19e946be28f7ffceec7dd01c279de67c8
Opcode Fuzzy Hash: 48278d595a253b708f352525a9714ed5bd2b223e9fb772698b55594aa4b390d1
Instruction Fuzzy Hash: 4201B13A5002048FDB20CF15DD44F66FBE5EF04220F08C09EDE454A762C375E458CB62

Function 05A72B32 Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,9D8490EF,00000000,?,?,?,?,?,?,?,?,6CAB3C58), ref: 05A72B6D

Memory Dump Source

Source File: 00000000.00000002.3313101656.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_adaFirmar.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: c9a20d61837b8839ca8b6768ca4adb4be117de96fdd06c9dcf1448a9af76dd57
Instruction ID: 4eba13bf41900d7a5caa4ef5417230981408b174ca56059a419ea06fcfe0159e
Opcode Fuzzy Hash: c9a20d61837b8839ca8b6768ca4adb4be117de96fdd06c9dcf1448a9af76dd57
Instruction Fuzzy Hash: DE0171365006449FDB20CF15DC84F66FBE4EF44220F08C49EEE454A762D375E458DB61

Function 0170BE3A Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,9D8490EF,00000000,?,?,?,?,?,?,?,?,6CAB3C58), ref: 0170BE6C

Memory Dump Source

Source File: 00000000.00000002.3311051085.000000000170A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170a000_adaFirmar.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 343124d1b3f76ef69d856f732471d8670cef7abe90d4665f2f4ae119b123f1ac
Instruction ID: f71e69bf94a29fec9b74f5809a18da332362835799c40d5689be38699296559c
Opcode Fuzzy Hash: 343124d1b3f76ef69d856f732471d8670cef7abe90d4665f2f4ae119b123f1ac
Instruction Fuzzy Hash: 9601D139500344CFDB21CF19D984762FBE8EF09220F08C0AADE498B792C374F948CA62

Function 0170A8AE Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 0170A8E0

Memory Dump Source

Source File: 00000000.00000002.3311051085.000000000170A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170a000_adaFirmar.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: c9fe96ab548546ad27faa3ac4859f8248227105045ab5be35bb36a9527e23362
Instruction ID: a913a00e79d93bd43a1344be495db6dff56aec02da2645db22a003e5ec2469c8
Opcode Fuzzy Hash: c9fe96ab548546ad27faa3ac4859f8248227105045ab5be35bb36a9527e23362
Instruction Fuzzy Hash: C3018B75904344CFDB21CF19D984762FBE4EF04220F08C4AADD499F392D379A548CAA2

Function 05A71A2A Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 05A71A65

Memory Dump Source

Source File: 00000000.00000002.3313101656.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_adaFirmar.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 69a71eb44592fc1745e98614766ef9cfc3200b4258b8ff5bdf4a60102752148d
Instruction ID: 9c2d509c95c246612975994bdcd48e0242847fc19700895ec9dffd1cddbce0b5
Opcode Fuzzy Hash: 69a71eb44592fc1745e98614766ef9cfc3200b4258b8ff5bdf4a60102752148d
Instruction Fuzzy Hash: 8E018B36404B489FDB20CF05EC84F61FBE5EF08220F08C49EDE494A662D375A458CFA2

Function 0170AA12 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0170AA4A

Memory Dump Source

Source File: 00000000.00000002.3311051085.000000000170A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170a000_adaFirmar.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 2c016809d054a5ddf3275984dbd08c617a8ed9f79aff7bc47322632fcbab3e15
Instruction ID: 6dc8888dadfa429116559f7fa15d8e35cd27f39ee54788bef0d112203830f37d
Opcode Fuzzy Hash: 2c016809d054a5ddf3275984dbd08c617a8ed9f79aff7bc47322632fcbab3e15
Instruction Fuzzy Hash: F601AD76400744CFDB21CF05DA84B62FBE4EF04720F08C09ADE454B792C375A588CEA2

Function 0170AAB6 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

SHAutoComplete.SHLWAPI(?,?), ref: 0170AAEB

Memory Dump Source

Source File: 00000000.00000002.3311051085.000000000170A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170a000_adaFirmar.jbxd

Similarity

API ID: AutoComplete
String ID:
API String ID: 4247635402-0
Opcode ID: 7a613bbc950417e98e42fa91f635f090d8045924e52f9ef298311c6cca5386ec
Instruction ID: 35e64fa3a9485e2e56899a3d52207a6e792ce7f9f7cfb7af057e86f279f5771c
Opcode Fuzzy Hash: 7a613bbc950417e98e42fa91f635f090d8045924e52f9ef298311c6cca5386ec
Instruction Fuzzy Hash: C1018C75904744CFDB21DF0AD984B62FBE4EF04624F08C49ADE494B792C375A588CEA2

Function 0170A69A Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0170A6CC

Memory Dump Source

Source File: 00000000.00000002.3311051085.000000000170A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170a000_adaFirmar.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 181021485f3e801ce33a6bef7a00a5089bcb2663aa71b260443897d285067c03
Instruction ID: 5a3826d8ce2624876ebdade9146b879425374f504ea23a0c8e6d298054a054cb
Opcode Fuzzy Hash: 181021485f3e801ce33a6bef7a00a5089bcb2663aa71b260443897d285067c03
Instruction Fuzzy Hash: 7DF08C35804344CFDB21DF09DD84761FBE4EF44324F08C09ADE494B796D279A448CAA2

Function 05A72BE6 Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 05A72C18

Memory Dump Source

Source File: 00000000.00000002.3313101656.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_adaFirmar.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 423de44f90df86ca90e3fca4d6f0bc157c29ef15424baa3f3f33dcd1a200cd41
Instruction ID: b3708adf7febc638cbb3b021fbc456b24ddc003370b02bb40d1022e26a1004ac
Opcode Fuzzy Hash: 423de44f90df86ca90e3fca4d6f0bc157c29ef15424baa3f3f33dcd1a200cd41
Instruction Fuzzy Hash: C4F0AF794042488FDB20CF05DD85B72FFE8EF14220F08C4AADE494B752D379A448CAA2

Function 0152076C Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3310845255.0000000001520000.00000040.00000020.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1520000_adaFirmar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bccb6ab207d7f9db62ca9c0502b6e18f231e7b8cccc4e61b521c2507785bb6d3
Instruction ID: c367417d2cd65e4fad7d35bf1725ed61ffaedb0c699fc2e92e5606d41dcfaa4c
Opcode Fuzzy Hash: bccb6ab207d7f9db62ca9c0502b6e18f231e7b8cccc4e61b521c2507785bb6d3
Instruction Fuzzy Hash: 3611D232205280DFD715CB14C980B26BBE5EB8A708F28C99CF5491BAD2C777D803CA91

Function 0152075F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3310845255.0000000001520000.00000040.00000020.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1520000_adaFirmar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a85b9c7f64c778c39299ce3663d208794cb9b2525211c8cf0f05265b18245d19
Instruction ID: 2cad30597880f2facedec2f3d76d37a70f67d8835a201070c5aba0713757ca08
Opcode Fuzzy Hash: a85b9c7f64c778c39299ce3663d208794cb9b2525211c8cf0f05265b18245d19
Instruction Fuzzy Hash: 341130355492849FC716CB10C590B15BFB1FB46704F18C6DEE4495B6A3C33A9817CB41

Function 015205E7 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3310845255.0000000001520000.00000040.00000020.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1520000_adaFirmar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14664d08f64560456c85160eeae124181e4e9735a85c5977854710a13c91930c
Instruction ID: 56373f8b0b7327a7694bc66b097b88bf136853ef22382364d695e796aff134d9
Opcode Fuzzy Hash: 14664d08f64560456c85160eeae124181e4e9735a85c5977854710a13c91930c
Instruction Fuzzy Hash: 9EF044B65097846FD7118F06AC40862FFE8EB86620749C49FED498B652D235B908CBB2

Function 01520828 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3310845255.0000000001520000.00000040.00000020.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1520000_adaFirmar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a11042dbb76d8c4b470108bb827fa426ec514a798d586de0fb5dc0e7223f307
Instruction ID: 00c882aa9db264e68678db60d2e1632d1ca8e287ce5ca12ee277436e4926ff25
Opcode Fuzzy Hash: 8a11042dbb76d8c4b470108bb827fa426ec514a798d586de0fb5dc0e7223f307
Instruction Fuzzy Hash: 82F01D35144644DFC306CB44D980B16FBA2FB89718F24CAADE9490B792C737E813DE81

Function 01520606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3310845255.0000000001520000.00000040.00000020.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1520000_adaFirmar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c71ae4db147db07f07f6c92666816a75bc9718c42950f272f0d4a336f9a9531f
Instruction ID: bfb1fc02864d8466cc1f7abbc37b5be31a3c77602a871c519d3cfe638e14a799
Opcode Fuzzy Hash: c71ae4db147db07f07f6c92666816a75bc9718c42950f272f0d4a336f9a9531f
Instruction Fuzzy Hash: 7AE092B66006044B9650DF0BEC41462F7D8EB84630708C47FDC0D8B702D639B508CAA6

Function 017023F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3311028013.0000000001702000.00000040.00000800.00020000.00000000.sdmp, Offset: 01702000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1702000_adaFirmar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2298747550c3a46d8bbff0371af62921bc6c53c599ad1b4a2600534d8b9b148
Instruction ID: 49da3b59825d0992fbab4dfc260f918fd28d34ad30eed8e86fcb939add19a757
Opcode Fuzzy Hash: b2298747550c3a46d8bbff0371af62921bc6c53c599ad1b4a2600534d8b9b148
Instruction Fuzzy Hash: 74D02E3A3017C08FE3138A0CC2ACB853BE4AB40704F0B00F9AC008B7A3CB68D8C0E600

Function 017023BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3311028013.0000000001702000.00000040.00000800.00020000.00000000.sdmp, Offset: 01702000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1702000_adaFirmar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3850322a9bf7c0977d44663cf6115ca40fb7fd971ae894870c9b71f5e4f5dc80
Instruction ID: b9e725c7952f69e79450b74abfc7331983490142bf0b07ea2ad460c20294ab15
Opcode Fuzzy Hash: 3850322a9bf7c0977d44663cf6115ca40fb7fd971ae894870c9b71f5e4f5dc80
Instruction Fuzzy Hash: FFD05E352006818BDB16DA0CD2D8F59BBD8AB44714F0644E8AC108B7A2C7B4D8C4DA40

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report adaFirmar.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: adaFirmar.exePID: 1996, Parent PID: 1028

General

Chronological Activities

Disassembly

Analysis Process: adaFirmar.exePID: 1996, Parent PID: 1028COMMON

Execution Graph

Graph

Windows Analysis Report
adaFirmar.exe

Function 055C06E0 Relevance: 10.4, Strings: 5, Instructions: 4146
COMMON

Function 055C06D8 Relevance: 10.4, Strings: 5, Instructions: 4145
COMMON

Function 055C57E0 Relevance: 1.7, APIs: 1, Instructions: 233
COMMON

Function 0170AB26 Relevance: 1.6, APIs: 1, Instructions: 92
registryCOMMON

Function 0170AC1D Relevance: 1.6, APIs: 1, Instructions: 89
registryCOMMON

Function 055C5769 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Function 05A72046 Relevance: 1.6, APIs: 1, Instructions: 86
fileCOMMON

Function 05A71E30 Relevance: 1.6, APIs: 1, Instructions: 85
fileCOMMON

Function 0170B074 Relevance: 1.6, APIs: 1, Instructions: 76
COMMON

Function 05A739EC Relevance: 1.6, APIs: 1, Instructions: 76
registryCOMMON

Function 0170BB68 Relevance: 1.6, APIs: 1, Instructions: 75
COMMON

Function 0170AB56 Relevance: 1.6, APIs: 1, Instructions: 74
registryCOMMON

Function 055C57D1 Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Function 0170AC5E Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Function 0170BD39 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON