Edit tour

Windows Analysis Report
Xp7zCcGiGj.exe

Overview

General Information

Sample name:	Xp7zCcGiGj.exe renamed because original name is a hash value
Original sample name:	dc17a1ec3a9bb84d21a7f6a7e77133f6.exe
Analysis ID:	1546536
MD5:	dc17a1ec3a9bb84d21a7f6a7e77133f6
SHA1:	2a6c10ea20bff9e297770bca2477a8bb82378c45
SHA256:	82687bbf89460d44b3cef2d06f5d09288c45d787323254026f39cb3421cc3954
Tags:	32exetrojan
Infos:

Detection

Quasar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected AntiVM3

Yara detected Quasar RAT

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops VBS files to the startup folder

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Performs DNS queries to domains with low reputation

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Xp7zCcGiGj.exe (PID: 7164 cmdline: "C:\Users\user\Desktop\Xp7zCcGiGj.exe" MD5: DC17A1EC3A9BB84D21A7F6A7E77133F6)

InstallUtil.exe (PID: 6536 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

cmd.exe (PID: 6532 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\NexSZleDljOR.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 2128 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)

PING.EXE (PID: 3572 cmdline: ping -n 10 localhost MD5: B3624DD758CCECF93A1226CEF252CA12)

InstallUtil.exe (PID: 6768 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

conhost.exe (PID: 6488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 7032 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Value.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

Value.exe (PID: 1272 cmdline: "C:\Users\user\AppData\Roaming\Value.exe" MD5: DC17A1EC3A9BB84D21A7F6A7E77133F6)

InstallUtil.exe (PID: 1896 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

cmd.exe (PID: 2408 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\E6ikBcGmgYAV.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 4708 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)

PING.EXE (PID: 5340 cmdline: ping -n 10 localhost MD5: B3624DD758CCECF93A1226CEF252CA12)

InstallUtil.exe (PID: 6004 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

conhost.exe (PID: 1440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Quasar RAT, QuasarRAT	Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.	APT33 Dropping Elephant Stone Panda The Gorgon Group	http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848 https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf https://asec.ahnlab.com/en/31089/	https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

Threatname: Quasar

{"Version": "1.4.1", "Host:Port": "panel.o7lab.me:4782;service.o7lab.xyz:4782;underground-cheat.xyz:4782;service.o7lab.com.tr:4782;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "84f88b7e-fbb8-40b1-829a-206ff17d9f29", "StartupKey": "Quasar Client Startup", "Tag": "panel.o7lab.me", "LogDirectoryName": "WinLog", "ServerSignature": "Vl4eiEDymkBZwSm/wQzye1Ki5bNeOIT09xHzu7cjR2rSYVDG3DlFS1uiTz/2n1U0w6wgjC85Yoxtvlkli+YPT7aQ4R9zulkV6My6o2zZKsnmJca438tRP271ijlV58LFGDlepKrrg2I9UODELzrfJLa84l+nqY9iFZN5I1yyONuVNouv5AjS3JRg93l/Hkdw6nxJ0j0g1kog5o0oDeCREH42G1bQwSLT5KUAuMOqNOSN3Bh90Ifxz5E9iKhRqc5FpZH51mtTSTSbL1TYFlYoflGuH8hRr/vNfuGcIHTYJ9W88MDJSdis4XdXAjAdTBC59SHQUbvGSju/YS0mn0eUs1ugIMrRA8ceZij5/E44MpnK74p15WC8dAAOy+oA3S1x44v/XqogmG6aLXZUQXM6/L7UeTL+keCXkClLqta6ArvoK681PW4LfWagSiZDIOBHLJeffKhcd5i9WAi6z2niEhuZQLPOU3cP8/SNAvJnmJPtsGaAOejhCP1IZ19slj0wYf65l2/s2KwRza2UOSfTtaVwEtAhqmx/EaUDNy3REzPzr8IEKqJpNRrzRugAzvRW48YO+nf8z5oEp6/gc6IDKSBlHVfsc/zPAdH+6r0HEvzuTwG85wZVvEuUsfmhW6We53/semN4u4XApkVfV9FCAfk2lGmEmBXXIo4ipNe0q/k=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAIx6alf0oehjMcdL/Yx4wzANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MTAxNTExMjQ1OVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAlDlZI9Wn4kedgki2D28zMXT1ub8+y/iicI5tzYs2BuvNsk9j+i/kBMZ6/OlVt4b52089u7bXX7C3PCm97NPH4YOyGll3ppAwZe23AbmYyjx0PuSVNpP7DUoVAOY3mdRp1PXz+LgB7mGZw9xtsPYw61IQuShKcZUNzgpjSdyFmc7r/2lZnfFAiakaXj3xRffJOX4gbh588/EAVgiJ3Vr611FJLb71RfmLuWVjVp6xzA3yplsAdiwyHjzeK7/OgoDwK8riD1AaBBC5KJI3uSwZx+QC18TGYck74akDbGbdygsnDeQ4rVdRT3Iv11uUGF+7HJff1z30eg8S8JKTiW3+zgKggaarbE9wPQ1jFBO9C26w7EmGZcrXNZkMQzgA+krphyu8rfW8xi0JBC+AVo09cvz0fXVVBfymuy//80bRuraHSqSi1Fq1nPsz8CC5geVtfEy/GweNj7Eqp5MNizUMv0NIvEz0QYRrbJv8HYkvbzB3ylIIb3umk0pDyCsZSJ7HWdV/99Nqb7rtiWBziyKMeOc0+Tes2Z1Sa7IM6dII8ELUdVXidNQ+ZZomGyyvTm/WJiWST0EquNWJF401X81DROwui0fAInQAcjqaRDGOkhNf2mZCRYpYPPXq8OQ2iUJ2Or22aZXLFXZebSMcJAvRhqvJWMWoj15A3xwELV8uSMcCAwEAAaMyMDAwHQYDVR0OBBYEFOtIWKCjkZJOSJngnUjf+rVOntu1MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBADSXKBvVH+lAX7Pmsg7Gt3fCQConage05QEPpk6f1La2SC/z3N00hIegT4bNM2F2ZfIyaGx1YuofGArj7I25+xqu0dU1Ta16tTosvOjqirJrTk6kt0Qpa9AQJzGl8zUVhY3mbYUj+zI2DbczED5cQyslguiK+sTMjOVAGmDFZUu+qgVgOW0KNDufhcIQwActpA0DnecmmQzDxrHibOdAH1GG2zO3pNxpRG9JIru4lSv+cahofgj3bNKm5y1tDCS2QcheI1zoXacGHDRic7Q06dYsgctj0RVGIsXYMTrsysFo1PdMSpe1QehFKnVuf9QE8ta+/O0cwA2H8Ecj88+WHf2xuftk457eUAByobIZjSGaBHbc9DP311Qj58ZmkNgfRosZXg71eMqvBe3fx0Hu/2p7SYZLEBejEcAlzTAYQr9YfZ0Z8Wz+HJJvHKd1I4VrcUg34G5l8Y6HDcATXEGbCn82Ar6CwCTazh+ksB24r/8Sftz8RswhzwvIq7aumoQrfr6vezuFZUjLkzPproK+tW0z7sspnhfCsHjm1rLkpsbQ+gpQXaVMQuUspwUmK7uiGkPn4bbP8fIG4Rm2/XZwXNwg0FvnsKDTN4NzR6+4RWfb34lDBWbHjcFjhS2oJXhhZhEnpJ/erl6Anuz9OFe0v64RNvOhBRww+RcorpLPsCz1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000B.00000002.2376279473.0000000003055000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000002.00000002.2162853339.0000000000C40000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.2152190596.0000000006230000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000C.00000002.2553736595.000000000290C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0000000B.00000002.2376279473.0000000002DAD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000B.00000002.2376279473.0000000002DAD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000002.00000002.2168105851.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.2133945112.000000000345D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2133945112.0000000003740000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0000000B.00000002.2392682883.000000000456C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000002.00000002.2162853339.0000000000922000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0000000B.00000002.2420758408.000000000674B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.2136695355.000000000494A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.2153752302.0000000006A41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0000000B.00000002.2392682883.0000000004073000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: Xp7zCcGiGj.exe PID: 7164	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Xp7zCcGiGj.exe PID: 7164	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: Xp7zCcGiGj.exe PID: 7164	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: InstallUtil.exe PID: 6536	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: Value.exe PID: 1272	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Value.exe PID: 1272	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: Value.exe PID: 1272	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: InstallUtil.exe PID: 1896	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Xp7zCcGiGj.exe.6230000.11.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
11.2.Value.exe.4768dd0.4.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
11.2.Value.exe.674be10.6.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
11.2.Value.exe.674be10.6.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28d0d7:$x1: Quasar.Common.Messages 0x29d400:$x1: Quasar.Common.Messages 0x2a9a1a:$x4: Uninstalling... good bye :-( 0x2ab20f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
11.2.Value.exe.674be10.6.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a8fcc:$f1: FileZilla\recentservers.xml 0x2a900c:$f2: FileZilla\sitemanager.xml 0x2a904e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a929a:$b1: Chrome\User Data\ 0x2a92f0:$b1: Chrome\User Data\ 0x2a95c8:$b2: Mozilla\Firefox\Profiles 0x2a96c4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fb720:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a981c:$b4: Opera Software\Opera Stable\Login Data 0x2a98d6:$b5: YandexBrowser\User Data\ 0x2a9944:$b5: YandexBrowser\User Data\ 0x2a9618:$s4: logins.json 0x2a934e:$a1: username_value 0x2a936c:$a2: password_value 0x2a9658:$a3: encryptedUsername 0x2fb664:$a3: encryptedUsername 0x2a967c:$a4: encryptedPassword 0x2fb682:$a4: encryptedPassword 0x2fb600:$a5: httpRealm
11.2.Value.exe.674be10.6.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a9b04:$s3: Process already elevated. 0x28cdd6:$s4: get_PotentiallyVulnerablePasswords 0x276e92:$s5: GetKeyloggerLogsDirectory 0x29cb5f:$s5: GetKeyloggerLogsDirectory 0x28cdf9:$s6: set_PotentiallyVulnerablePasswords 0x2fcd4e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
2.2.InstallUtil.exe.920000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
2.2.InstallUtil.exe.920000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.InstallUtil.exe.920000.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28eed7:$x1: Quasar.Common.Messages 0x29f200:$x1: Quasar.Common.Messages 0x2ab81a:$x4: Uninstalling... good bye :-( 0x2ad00f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
2.2.InstallUtil.exe.920000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadcc:$f1: FileZilla\recentservers.xml 0x2aae0c:$f2: FileZilla\sitemanager.xml 0x2aae4e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab09a:$b1: Chrome\User Data\ 0x2ab0f0:$b1: Chrome\User Data\ 0x2ab3c8:$b2: Mozilla\Firefox\Profiles 0x2ab4c4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd520:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab61c:$b4: Opera Software\Opera Stable\Login Data 0x2ab6d6:$b5: YandexBrowser\User Data\ 0x2ab744:$b5: YandexBrowser\User Data\ 0x2ab418:$s4: logins.json 0x2ab14e:$a1: username_value 0x2ab16c:$a2: password_value 0x2ab458:$a3: encryptedUsername 0x2fd464:$a3: encryptedUsername 0x2ab47c:$a4: encryptedPassword 0x2fd482:$a4: encryptedPassword 0x2fd400:$a5: httpRealm
2.2.InstallUtil.exe.920000.0.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab904:$s3: Process already elevated. 0x28ebd6:$s4: get_PotentiallyVulnerablePasswords 0x278c92:$s5: GetKeyloggerLogsDirectory 0x29e95f:$s5: GetKeyloggerLogsDirectory 0x28ebf9:$s6: set_PotentiallyVulnerablePasswords 0x2feb4e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
11.2.Value.exe.674be10.6.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
11.2.Value.exe.674be10.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.Value.exe.674be10.6.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28eed7:$x1: Quasar.Common.Messages 0x29f200:$x1: Quasar.Common.Messages 0x2ab81a:$x4: Uninstalling... good bye :-( 0x2ad00f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
11.2.Value.exe.674be10.6.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadcc:$f1: FileZilla\recentservers.xml 0x2aae0c:$f2: FileZilla\sitemanager.xml 0x2aae4e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab09a:$b1: Chrome\User Data\ 0x2ab0f0:$b1: Chrome\User Data\ 0x2ab3c8:$b2: Mozilla\Firefox\Profiles 0x2ab4c4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd520:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab61c:$b4: Opera Software\Opera Stable\Login Data 0x2ab6d6:$b5: YandexBrowser\User Data\ 0x2ab744:$b5: YandexBrowser\User Data\ 0x2ab418:$s4: logins.json 0x2ab14e:$a1: username_value 0x2ab16c:$a2: password_value 0x2ab458:$a3: encryptedUsername 0x2fd464:$a3: encryptedUsername 0x2ab47c:$a4: encryptedPassword 0x2fd482:$a4: encryptedPassword 0x2fd400:$a5: httpRealm
11.2.Value.exe.674be10.6.raw.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab904:$s3: Process already elevated. 0x28ebd6:$s4: get_PotentiallyVulnerablePasswords 0x278c92:$s5: GetKeyloggerLogsDirectory 0x29e95f:$s5: GetKeyloggerLogsDirectory 0x28ebf9:$s6: set_PotentiallyVulnerablePasswords 0x2feb4e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
0.2.Xp7zCcGiGj.exe.4c20de0.2.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.Xp7zCcGiGj.exe.4c20de0.2.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28d0d7:$x1: Quasar.Common.Messages 0x29d400:$x1: Quasar.Common.Messages 0x2a9a1a:$x4: Uninstalling... good bye :-( 0x2ab20f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.Xp7zCcGiGj.exe.4c20de0.2.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a8fcc:$f1: FileZilla\recentservers.xml 0x2a900c:$f2: FileZilla\sitemanager.xml 0x2a904e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a929a:$b1: Chrome\User Data\ 0x2a92f0:$b1: Chrome\User Data\ 0x2a95c8:$b2: Mozilla\Firefox\Profiles 0x2a96c4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fb720:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a981c:$b4: Opera Software\Opera Stable\Login Data 0x2a98d6:$b5: YandexBrowser\User Data\ 0x2a9944:$b5: YandexBrowser\User Data\ 0x2a9618:$s4: logins.json 0x2a934e:$a1: username_value 0x2a936c:$a2: password_value 0x2a9658:$a3: encryptedUsername 0x2fb664:$a3: encryptedUsername 0x2a967c:$a4: encryptedPassword 0x2fb682:$a4: encryptedPassword 0x2fb600:$a5: httpRealm
0.2.Xp7zCcGiGj.exe.4c20de0.2.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a9b04:$s3: Process already elevated. 0x28cdd6:$s4: get_PotentiallyVulnerablePasswords 0x276e92:$s5: GetKeyloggerLogsDirectory 0x29cb5f:$s5: GetKeyloggerLogsDirectory 0x28cdf9:$s6: set_PotentiallyVulnerablePasswords 0x2fcd4e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
0.2.Xp7zCcGiGj.exe.4c20de0.2.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.Xp7zCcGiGj.exe.4c20de0.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Xp7zCcGiGj.exe.4c20de0.2.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28eed7:$x1: Quasar.Common.Messages 0x29f200:$x1: Quasar.Common.Messages 0x2ab81a:$x4: Uninstalling... good bye :-( 0x2ad00f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.Xp7zCcGiGj.exe.4c20de0.2.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadcc:$f1: FileZilla\recentservers.xml 0x2aae0c:$f2: FileZilla\sitemanager.xml 0x2aae4e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab09a:$b1: Chrome\User Data\ 0x2ab0f0:$b1: Chrome\User Data\ 0x2ab3c8:$b2: Mozilla\Firefox\Profiles 0x2ab4c4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd520:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab61c:$b4: Opera Software\Opera Stable\Login Data 0x2ab6d6:$b5: YandexBrowser\User Data\ 0x2ab744:$b5: YandexBrowser\User Data\ 0x2ab418:$s4: logins.json 0x2ab14e:$a1: username_value 0x2ab16c:$a2: password_value 0x2ab458:$a3: encryptedUsername 0x2fd464:$a3: encryptedUsername 0x2ab47c:$a4: encryptedPassword 0x2fd482:$a4: encryptedPassword 0x2fd400:$a5: httpRealm
0.2.Xp7zCcGiGj.exe.4c20de0.2.raw.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab904:$s3: Process already elevated. 0x28ebd6:$s4: get_PotentiallyVulnerablePasswords 0x278c92:$s5: GetKeyloggerLogsDirectory 0x29e95f:$s5: GetKeyloggerLogsDirectory 0x28ebf9:$s6: set_PotentiallyVulnerablePasswords 0x2feb4e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
Click to see the 20 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Value.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Value.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Value.vbs" , ProcessId: 7032, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Value.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Value.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Value.vbs" , ProcessId: 7032, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Xp7zCcGiGj.exe, ProcessId: 7164, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Value.vbs

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T04:49:18.762810+0100	2022930	1	A Network Trojan was detected	52.149.20.212	443	192.168.2.5	49705	TCP
2024-11-01T04:49:57.901706+0100	2022930	1	A Network Trojan was detected	52.149.20.212	443	192.168.2.5	49907	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Xp7zCcGiGj.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\NexSZleDljOR.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Roaming\Value.exe	Avira: detection malicious, Label: HEUR/AGEN.1329724
Source: C:\Users\user\AppData\Local\Temp\E6ikBcGmgYAV.bat	Avira: detection malicious, Label: BAT/Delbat.C

Found malware configuration

Source: 11.2.Value.exe.674be10.6.raw.unpack

Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "panel.o7lab.me:4782;service.o7lab.xyz:4782;underground-cheat.xyz:4782;service.o7lab.com.tr:4782;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "84f88b7e-fbb8-40b1-829a-206ff17d9f29", "StartupKey": "Quasar Client Startup", "Tag": "panel.o7lab.me", "LogDirectoryName": "WinLog", "ServerSignature": "Vl4eiEDymkBZwSm/wQzye1Ki5bNeOIT09xHzu7cjR2rSYVDG3DlFS1uiTz/2n1U0w6wgjC85Yoxtvlkli+YPT7aQ4R9zulkV6My6o2zZKsnmJca438tRP271ijlV58LFGDlepKrrg2I9UODELzrfJLa84l+nqY9iFZN5I1yyONuVNouv5AjS3JRg93l/Hkdw6nxJ0j0g1kog5o0oDeCREH42G1bQwSLT5KUAuMOqNOSN3Bh90Ifxz5E9iKhRqc5FpZH51mtTSTSbL1TYFlYoflGuH8hRr/vNfuGcIHTYJ9W88MDJSdis4XdXAjAdTBC59SHQUbvGSju/YS0mn0eUs1ugIMrRA8ceZij5/E44MpnK74p15WC8dAAOy+oA3S1x44v/XqogmG6aLXZUQXM6/L7UeTL+keCXkClLqta6ArvoK681PW4LfWagSiZDIOBHLJeffKhcd5i9WAi6z2niEhuZQLPOU3cP8/SNAvJnmJPtsGaAOejhCP1IZ19slj0wYf65l2/s2KwRza2UOSfTtaVwEtAhqmx/EaUDNy3REzPzr8IEKqJpNRrzRugAzvRW48YO+nf8z5oEp6/gc6IDKSBlHVfsc/zPAdH+6r0HEvzuTwG85wZVvEuUsfmhW6We53/semN4u4XApkVfV9FCAfk2lGmEmBXXIo4ipNe0q/k=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAIx6alf0oehjMcdL/Yx4wzANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MTAxNTExMjQ1OVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAlDlZI9Wn4kedgki2D28zMXT1ub8+y/iicI5tzYs2BuvNsk9j+i/kBMZ6/OlVt4b52089u7bXX7C3PCm97NPH4YOyGll3ppAwZe23AbmYyjx0PuSVNpP7DUoVAOY3mdRp1PXz+LgB7mGZw9xtsPYw61IQuShKcZUNzgpjSdyFmc7r/2lZnfFAiakaXj3xRffJOX4gbh588/EAVgiJ3Vr611FJLb71RfmLuWVjVp6xzA3yplsAdiwyHjzeK7/OgoDwK8riD1AaBBC5KJI3uSwZx+QC18TGYck74akDbGbdygsnDeQ4rVdRT3Iv11uUGF+7HJff1z30eg8S8JKTiW3+zgKggaarbE9wPQ1jFBO9C26w7EmGZcrXNZkMQzgA+krphyu8rfW8xi0JBC+AVo09cvz0fXVVBfymuy//80bRuraHSqSi1Fq1nPsz8CC5geVtfEy/GweNj7Eqp5MNizUMv0NIvEz0QYRrbJv8HYkvbzB3ylIIb3umk0pDyCsZSJ7HWdV/99Nqb7rtiWBziyKMeOc0+Tes2Z1Sa7IM6dII8ELUdVXidNQ+ZZomGyyvTm/WJiWST0EquNWJF401X81DROwui0fAInQAcjqaRDGOkhNf2mZCRYpYPPXq8OQ2iUJ2Or22aZXLFXZebSMcJAvRhqvJWMWoj15A3xwELV8uSMcCAwEAAaMyMDAwHQYDVR0OBBYEFOtIWKCjkZJOSJngnUjf+rVOntu1MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBADSXKBvVH+lAX7Pmsg7Gt3fCQConage05QEPpk6f1La2SC/z3N00hIegT4bNM2F2ZfIyaGx1YuofGArj7I25+xqu0dU1Ta16tTosvOjqirJrTk6kt0Qpa9AQJzGl8zUVhY3mbYUj+zI2DbczED5cQyslguiK+sTMjOVAGmDFZUu+qgVgOW0KNDufhcIQwActpA0DnecmmQzDxrHibOdAH1GG2zO3pNxpRG9JIru4lSv+cahofgj3bNKm5y1tDCS2QcheI1zoXacGHDRic7Q06dYsgctj0RVGIsXYMTrsysFo1PdMSpe1QehFKnVuf9QE8ta+/O0cwA2H8Ecj88+WHf2xuftk457eUAByobIZjSGaBHbc9DP311Qj58ZmkNgfRosZXg71eMqvBe3fx0Hu/2p7SYZLEBejEcAlzTAYQr9YfZ0Z8Wz+HJJvHKd1I4VrcUg34G5l8Y6HDcATXEGbCn82Ar6CwCTazh+ksB24r/8Sftz8RswhzwvIq7aumoQrfr6vezuFZUjLkzPproK+tW0z7sspnhfCsHjm1rLkpsbQ+gpQXaVMQuUspwUmK7uiGkPn4bbP8fIG4Rm2/XZwXNwg0FvnsKDTN4NzR6+4RWfb34lDBWbHjcFjhS2oJXhhZhEnpJ/erl6Anuz9OFe0v64RNvOhBRww+RcorpLPsCz1"}

Multi AV Scanner detection for domain / URL

Source: panel.o7lab.me

Virustotal: Detection: 8%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Value.exe

ReversingLabs: Detection: 55%

Multi AV Scanner detection for submitted file

Source: Xp7zCcGiGj.exe	Virustotal: Detection: 59%			Perma Link
Source: Xp7zCcGiGj.exe	ReversingLabs: Detection: 55%

Yara detected Quasar RAT

Source: Yara match	File source: 11.2.Value.exe.674be10.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.InstallUtil.exe.920000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Value.exe.674be10.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Xp7zCcGiGj.exe.4c20de0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Xp7zCcGiGj.exe.4c20de0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2376279473.0000000003055000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2162853339.0000000000C40000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2553736595.000000000290C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2376279473.0000000002DAD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2168105851.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2133945112.0000000003740000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2162853339.0000000000922000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2420758408.000000000674B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2136695355.000000000494A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2153752302.0000000006A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2392682883.0000000004073000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Xp7zCcGiGj.exe PID: 7164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 6536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Value.exe PID: 1272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 1896, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Value.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Xp7zCcGiGj.exe

Joe Sandbox ML: detected

Source: Xp7zCcGiGj.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Jump to behavior

Source: Xp7zCcGiGj.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Xp7zCcGiGj.exe, 00000000.00000002.2144408186.0000000005440000.00000004.08000000.00040000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2136695355.0000000004401000.00000004.00000800.00020000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2133945112.0000000003937000.00000004.00000800.00020000.00000000.sdmp, Value.exe, 0000000B.00000002.2376279473.0000000003277000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: #.PDb?, source: Xp7zCcGiGj.exe, 00000000.00000002.2136695355.000000000494A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Xp7zCcGiGj.exe, 00000000.00000002.2144408186.0000000005440000.00000004.08000000.00040000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2136695355.0000000004401000.00000004.00000800.00020000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2133945112.0000000003937000.00000004.00000800.00020000.00000000.sdmp, Value.exe, 0000000B.00000002.2376279473.0000000003277000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: Xp7zCcGiGj.exe, 00000000.00000002.2150515855.0000000005FC0000.00000004.08000000.00040000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2136695355.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: Xp7zCcGiGj.exe, 00000000.00000002.2150515855.0000000005FC0000.00000004.08000000.00040000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2136695355.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior

Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_0541EC5A
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_0541EC60
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Code function: 4x nop then jmp 0541A010h	0_2_05419F50
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Code function: 4x nop then jmp 0541A010h	0_2_05419F58
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Code function: 4x nop then jmp 05412001h	0_2_05411BDA
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Code function: 4x nop then jmp 05412001h	0_2_05411BE8
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Code function: 4x nop then jmp 05421199h	0_2_05420EC0
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Code function: 4x nop then jmp 05421199h	0_2_05420EB0
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Code function: 4x nop then jmp 05421199h	0_2_0542115C
Source: C:\Users\user\AppData\Roaming\Value.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	11_2_04D6EC5F
Source: C:\Users\user\AppData\Roaming\Value.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	11_2_04D6EC60
Source: C:\Users\user\AppData\Roaming\Value.exe	Code function: 4x nop then jmp 04D6A010h	11_2_04D69F50
Source: C:\Users\user\AppData\Roaming\Value.exe	Code function: 4x nop then jmp 04D6A010h	11_2_04D69F58
Source: C:\Users\user\AppData\Roaming\Value.exe	Code function: 4x nop then jmp 04D6A010h	11_2_04D699D0
Source: C:\Users\user\AppData\Roaming\Value.exe	Code function: 4x nop then jmp 04D62001h	11_2_04D61BDA
Source: C:\Users\user\AppData\Roaming\Value.exe	Code function: 4x nop then jmp 04D62001h	11_2_04D61BE8
Source: C:\Users\user\AppData\Roaming\Value.exe	Code function: 4x nop then jmp 04D71199h	11_2_04D70EC0
Source: C:\Users\user\AppData\Roaming\Value.exe	Code function: 4x nop then jmp 04D71199h	11_2_04D70EB0
Source: C:\Users\user\AppData\Roaming\Value.exe	Code function: 4x nop then jmp 04D71199h	11_2_04D7115C

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: panel.o7lab.me

Performs DNS queries to domains with low reputation

Source:

DNS query: service.o7lab.xyz

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.InstallUtil.exe.920000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Value.exe.674be10.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Xp7zCcGiGj.exe.4c20de0.2.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 31.13.224.34:4782

Source: Joe Sandbox View

ASN Name: SARNICA-ASBG SARNICA-ASBG

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.5:49705
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.5:49907

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: panel.o7lab.me
Source: global traffic	DNS traffic detected: DNS query: service.o7lab.xyz

Source: Xp7zCcGiGj.exe, 00000000.00000002.2133945112.000000000345D000.00000004.00000800.00020000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2133945112.0000000003937000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2168105851.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, Value.exe, 0000000B.00000002.2376279473.0000000002DAD000.00000004.00000800.00020000.00000000.sdmp, Value.exe, 0000000B.00000002.2376279473.0000000003277000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.2553736595.000000000290C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Xp7zCcGiGj.exe, 00000000.00000002.2153752302.0000000006A41000.00000004.00000800.00020000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2136695355.000000000494A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2162853339.0000000000922000.00000040.00000400.00020000.00000000.sdmp, Value.exe, 0000000B.00000002.2420758408.000000000674B000.00000004.00000800.00020000.00000000.sdmp, Value.exe, 0000000B.00000002.2392682883.0000000004073000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: Xp7zCcGiGj.exe, 00000000.00000002.2150515855.0000000005FC0000.00000004.08000000.00040000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2136695355.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: Xp7zCcGiGj.exe, 00000000.00000002.2150515855.0000000005FC0000.00000004.08000000.00040000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2136695355.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp, Value.exe, 0000000B.00000002.2392682883.00000000049A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: Xp7zCcGiGj.exe, 00000000.00000002.2150515855.0000000005FC0000.00000004.08000000.00040000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2136695355.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: Xp7zCcGiGj.exe, 00000000.00000002.2153752302.0000000006A41000.00000004.00000800.00020000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2136695355.000000000494A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2162853339.0000000000922000.00000040.00000400.00020000.00000000.sdmp, Value.exe, 0000000B.00000002.2420758408.000000000674B000.00000004.00000800.00020000.00000000.sdmp, Value.exe, 0000000B.00000002.2392682883.0000000004073000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipwho.is/
Source: Xp7zCcGiGj.exe, 00000000.00000002.2153752302.0000000006A41000.00000004.00000800.00020000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2136695355.000000000494A000.00000004.00000800.00020000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2150515855.0000000005FC0000.00000004.08000000.00040000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2136695355.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2162853339.0000000000922000.00000040.00000400.00020000.00000000.sdmp, Value.exe, 0000000B.00000002.2420758408.000000000674B000.00000004.00000800.00020000.00000000.sdmp, Value.exe, 0000000B.00000002.2392682883.0000000004073000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Xp7zCcGiGj.exe, 00000000.00000002.2153752302.0000000006A41000.00000004.00000800.00020000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2136695355.000000000494A000.00000004.00000800.00020000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2133945112.000000000345D000.00000004.00000800.00020000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2150515855.0000000005FC0000.00000004.08000000.00040000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2136695355.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2168105851.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2162853339.0000000000922000.00000040.00000400.00020000.00000000.sdmp, Value.exe, 0000000B.00000002.2420758408.000000000674B000.00000004.00000800.00020000.00000000.sdmp, Value.exe, 0000000B.00000002.2376279473.0000000002DAD000.00000004.00000800.00020000.00000000.sdmp, Value.exe, 0000000B.00000002.2392682883.0000000004073000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.2553736595.0000000002932000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Xp7zCcGiGj.exe, 00000000.00000002.2150515855.0000000005FC0000.00000004.08000000.00040000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2136695355.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: Xp7zCcGiGj.exe, 00000000.00000002.2153752302.0000000006A41000.00000004.00000800.00020000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2136695355.000000000494A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2162853339.0000000000922000.00000040.00000400.00020000.00000000.sdmp, Value.exe, 0000000B.00000002.2420758408.000000000674B000.00000004.00000800.00020000.00000000.sdmp, Value.exe, 0000000B.00000002.2392682883.0000000004073000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Jump to behavior

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: 11.2.Value.exe.674be10.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.InstallUtil.exe.920000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Value.exe.674be10.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Xp7zCcGiGj.exe.4c20de0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Xp7zCcGiGj.exe.4c20de0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2376279473.0000000003055000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2162853339.0000000000C40000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2553736595.000000000290C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2376279473.0000000002DAD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2168105851.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2133945112.0000000003740000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2162853339.0000000000922000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2420758408.000000000674B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2136695355.000000000494A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2153752302.0000000006A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2392682883.0000000004073000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Xp7zCcGiGj.exe PID: 7164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 6536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Value.exe PID: 1272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 1896, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 11.2.Value.exe.674be10.6.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 11.2.Value.exe.674be10.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 11.2.Value.exe.674be10.6.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 2.2.InstallUtil.exe.920000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 2.2.InstallUtil.exe.920000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.2.InstallUtil.exe.920000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 11.2.Value.exe.674be10.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 11.2.Value.exe.674be10.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 11.2.Value.exe.674be10.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.2.Xp7zCcGiGj.exe.4c20de0.2.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.Xp7zCcGiGj.exe.4c20de0.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.Xp7zCcGiGj.exe.4c20de0.2.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.2.Xp7zCcGiGj.exe.4c20de0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.Xp7zCcGiGj.exe.4c20de0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.Xp7zCcGiGj.exe.4c20de0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Code function: 0_2_0541B9E0 NtProtectVirtualMemory,	0_2_0541B9E0
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Code function: 0_2_0541D268 NtResumeThread,	0_2_0541D268
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Code function: 0_2_0541B9D8 NtProtectVirtualMemory,	0_2_0541B9D8
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Code function: 0_2_0541D260 NtResumeThread,	0_2_0541D260
Source: C:\Users\user\AppData\Roaming\Value.exe	Code function: 11_2_04D6B9E0 NtProtectVirtualMemory,	11_2_04D6B9E0
Source: C:\Users\user\AppData\Roaming\Value.exe	Code function: 11_2_04D6D268 NtResumeThread,	11_2_04D6D268
Source: C:\Users\user\AppData\Roaming\Value.exe	Code function: 11_2_04D6B9D8 NtProtectVirtualMemory,	11_2_04D6B9D8
Source: C:\Users\user\AppData\Roaming\Value.exe	Code function: 11_2_04D6D260 NtResumeThread,	11_2_04D6D260

Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Code function: 0_2_01A86B00	0_2_01A86B00
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Code function: 0_2_01A81CA8	0_2_01A81CA8
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Code function: 0_2_01A86AF9	0_2_01A86AF9
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Code function: 0_2_01A8EFC8	0_2_01A8EFC8
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Code function: 0_2_05415498	0_2_05415498
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Code function: 0_2_0541B738	0_2_0541B738
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Code function: 0_2_0541F868	0_2_0541F868
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Code function: 0_2_05418208	0_2_05418208
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Code function: 0_2_0541750F	0_2_0541750F
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Code function: 0_2_0541B729	0_2_0541B729
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Code function: 0_2_0542F8D0	0_2_0542F8D0
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Code function: 0_2_06A3F300	0_2_06A3F300
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Code function: 0_2_06A3E6D8	0_2_06A3E6D8
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Code function: 0_2_06A20040	0_2_06A20040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0110EFE4	2_2_0110EFE4
Source: C:\Users\user\AppData\Roaming\Value.exe	Code function: 11_2_01086B00	11_2_01086B00
Source: C:\Users\user\AppData\Roaming\Value.exe	Code function: 11_2_01081CA8	11_2_01081CA8
Source: C:\Users\user\AppData\Roaming\Value.exe	Code function: 11_2_01086AEF	11_2_01086AEF
Source: C:\Users\user\AppData\Roaming\Value.exe	Code function: 11_2_0108EFC8	11_2_0108EFC8
Source: C:\Users\user\AppData\Roaming\Value.exe	Code function: 11_2_04D65498	11_2_04D65498
Source: C:\Users\user\AppData\Roaming\Value.exe	Code function: 11_2_04D6B738	11_2_04D6B738
Source: C:\Users\user\AppData\Roaming\Value.exe	Code function: 11_2_04D6F868	11_2_04D6F868
Source: C:\Users\user\AppData\Roaming\Value.exe	Code function: 11_2_04D68208	11_2_04D68208
Source: C:\Users\user\AppData\Roaming\Value.exe	Code function: 11_2_04D6750F	11_2_04D6750F
Source: C:\Users\user\AppData\Roaming\Value.exe	Code function: 11_2_04D6B729	11_2_04D6B729
Source: C:\Users\user\AppData\Roaming\Value.exe	Code function: 11_2_04D7E528	11_2_04D7E528
Source: C:\Users\user\AppData\Roaming\Value.exe	Code function: 11_2_04D7DE98	11_2_04D7DE98
Source: C:\Users\user\AppData\Roaming\Value.exe	Code function: 11_2_063CF300	11_2_063CF300
Source: C:\Users\user\AppData\Roaming\Value.exe	Code function: 11_2_063CE6D8	11_2_063CE6D8
Source: C:\Users\user\AppData\Roaming\Value.exe	Code function: 11_2_063B001E	11_2_063B001E
Source: C:\Users\user\AppData\Roaming\Value.exe	Code function: 11_2_063B0040	11_2_063B0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0275F03C	12_2_0275F03C

Source: Xp7zCcGiGj.exe, 00000000.00000002.2136695355.000000000494A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRqvyatzuuyu.dll" vs Xp7zCcGiGj.exe
Source: Xp7zCcGiGj.exe, 00000000.00000002.2136695355.000000000494A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs Xp7zCcGiGj.exe
Source: Xp7zCcGiGj.exe, 00000000.00000002.2150515855.0000000005FC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Xp7zCcGiGj.exe
Source: Xp7zCcGiGj.exe, 00000000.00000002.2133945112.0000000003401000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Xp7zCcGiGj.exe
Source: Xp7zCcGiGj.exe, 00000000.00000002.2144408186.0000000005440000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Xp7zCcGiGj.exe
Source: Xp7zCcGiGj.exe, 00000000.00000002.2136695355.0000000004401000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Xp7zCcGiGj.exe
Source: Xp7zCcGiGj.exe, 00000000.00000002.2133945112.0000000003937000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Xp7zCcGiGj.exe
Source: Xp7zCcGiGj.exe, 00000000.00000002.2136695355.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Xp7zCcGiGj.exe
Source: Xp7zCcGiGj.exe, 00000000.00000002.2133945112.0000000003740000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs Xp7zCcGiGj.exe
Source: Xp7zCcGiGj.exe, 00000000.00000002.2133494928.000000000182E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Xp7zCcGiGj.exe
Source: Xp7zCcGiGj.exe	Binary or memory string: OriginalFilenamequasar.exe. vs Xp7zCcGiGj.exe

Source: Xp7zCcGiGj.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 11.2.Value.exe.674be10.6.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 11.2.Value.exe.674be10.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 11.2.Value.exe.674be10.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 2.2.InstallUtil.exe.920000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 2.2.InstallUtil.exe.920000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.2.InstallUtil.exe.920000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 11.2.Value.exe.674be10.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 11.2.Value.exe.674be10.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 11.2.Value.exe.674be10.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.Xp7zCcGiGj.exe.4c20de0.2.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.Xp7zCcGiGj.exe.4c20de0.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.Xp7zCcGiGj.exe.4c20de0.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.Xp7zCcGiGj.exe.4c20de0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.Xp7zCcGiGj.exe.4c20de0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.Xp7zCcGiGj.exe.4c20de0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@30/10@2/1

Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Value.vbs

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2460:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5376:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\84f88b7e-fbb8-40b1-829a-206ff17d9f29
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1440:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6488:120:WilError_03

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Local\Temp\NexSZleDljOR.bat

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\NexSZleDljOR.bat" "

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Value.vbs"

Source: Xp7zCcGiGj.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Xp7zCcGiGj.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Xp7zCcGiGj.exe	Virustotal: Detection: 59%
Source: Xp7zCcGiGj.exe	ReversingLabs: Detection: 55%

Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe

File read: C:\Users\user\Desktop\Xp7zCcGiGj.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Xp7zCcGiGj.exe "C:\Users\user\Desktop\Xp7zCcGiGj.exe"
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\NexSZleDljOR.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Value.vbs"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\Value.exe "C:\Users\user\AppData\Roaming\Value.exe"
Source: C:\Users\user\AppData\Roaming\Value.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\E6ikBcGmgYAV.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\NexSZleDljOR.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\Value.exe "C:\Users\user\AppData\Roaming\Value.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\E6ikBcGmgYAV.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Xp7zCcGiGj.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Xp7zCcGiGj.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Xp7zCcGiGj.exe

Static file information: File size 2254336 > 1048576

Source: Xp7zCcGiGj.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x225c00

Source: Xp7zCcGiGj.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Xp7zCcGiGj.exe, 00000000.00000002.2144408186.0000000005440000.00000004.08000000.00040000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2136695355.0000000004401000.00000004.00000800.00020000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2133945112.0000000003937000.00000004.00000800.00020000.00000000.sdmp, Value.exe, 0000000B.00000002.2376279473.0000000003277000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: #.PDb?, source: Xp7zCcGiGj.exe, 00000000.00000002.2136695355.000000000494A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Xp7zCcGiGj.exe, 00000000.00000002.2144408186.0000000005440000.00000004.08000000.00040000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2136695355.0000000004401000.00000004.00000800.00020000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2133945112.0000000003937000.00000004.00000800.00020000.00000000.sdmp, Value.exe, 0000000B.00000002.2376279473.0000000003277000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: Xp7zCcGiGj.exe, 00000000.00000002.2150515855.0000000005FC0000.00000004.08000000.00040000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2136695355.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: Xp7zCcGiGj.exe, 00000000.00000002.2150515855.0000000005FC0000.00000004.08000000.00040000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2136695355.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: Xp7zCcGiGj.exe, ExpressionConnectionLicense.cs

.Net Code: SetAttr System.Reflection.Assembly.Load(byte[])

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.Xp7zCcGiGj.exe.6230000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Value.exe.4768dd0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2152190596.0000000006230000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2376279473.0000000002DAD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2133945112.000000000345D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2392682883.000000000456C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Xp7zCcGiGj.exe PID: 7164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Value.exe PID: 1272, type: MEMORYSTR

Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Code function: 0_2_05415240 push eax; ret	0_2_05415241
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Code function: 0_2_0542745B push ecx; ret	0_2_0542745C
Source: C:\Users\user\AppData\Roaming\Value.exe	Code function: 11_2_04D65240 push eax; ret	11_2_04D65241
Source: C:\Users\user\AppData\Roaming\Value.exe	Code function: 11_2_04D7745B push ecx; ret	11_2_04D7745C

Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe

File created: C:\Users\user\AppData\Roaming\Value.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Jump to behavior

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Value.vbs

Jump to dropped file

Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Value.vbs

Jump to behavior

Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Value.vbs

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Xp7zCcGiGj.exe PID: 7164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Value.exe PID: 1272, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Xp7zCcGiGj.exe, 00000000.00000002.2133945112.000000000345D000.00000004.00000800.00020000.00000000.sdmp, Value.exe, 0000000B.00000002.2376279473.0000000002DAD000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Uses ping.exe to sleep

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost

Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Memory allocated: 1A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Memory allocated: 3400000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Memory allocated: 5400000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Memory allocated: 6A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Memory allocated: 7A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 1100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2AF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 8F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2580000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 23A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Memory allocated: 1080000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Memory allocated: 2D50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Memory allocated: 4D50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Memory allocated: 63D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Memory allocated: 73D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2710000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2900000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 4900000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: CE0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2880000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2780000 memory reserve \| memory write watch

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 2362			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 7479			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2360	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7152	Thread sleep time: -26747778906878833s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3712	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior

Source: wscript.exe, 00000008.00000002.2262052299.000002A8D4795000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef00@
Source: Value.exe, 0000000B.00000002.2376279473.0000000002DAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: Value.exe, 0000000B.00000002.2376279473.0000000002DAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: InstallUtil.exe, 0000000C.00000002.2577242699.000000000510F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllj
Source: InstallUtil.exe, 00000002.00000002.2166776512.0000000000E52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 920000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 700000 value starts with: 4D5A			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 920000	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 922000	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: C40000	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: C42000	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 66F008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 700000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 702000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: A20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: A22000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 412008	Jump to behavior

Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\NexSZleDljOR.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\Value.exe "C:\Users\user\AppData\Roaming\Value.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\E6ikBcGmgYAV.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Queries volume information: C:\Users\user\Desktop\Xp7zCcGiGj.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Queries volume information: C:\Users\user\AppData\Roaming\Value.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Value.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation

Source: C:\Users\user\Desktop\Xp7zCcGiGj.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Quasar RAT

Source: Yara match	File source: 11.2.Value.exe.674be10.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.InstallUtil.exe.920000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Value.exe.674be10.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Xp7zCcGiGj.exe.4c20de0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Xp7zCcGiGj.exe.4c20de0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2376279473.0000000003055000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2162853339.0000000000C40000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2553736595.000000000290C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2376279473.0000000002DAD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2168105851.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2133945112.0000000003740000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2162853339.0000000000922000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2420758408.000000000674B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2136695355.000000000494A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2153752302.0000000006A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2392682883.0000000004073000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Xp7zCcGiGj.exe PID: 7164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 6536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Value.exe PID: 1272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 1896, type: MEMORYSTR

Remote Access Functionality

Yara detected Quasar RAT

Source: Yara match	File source: 11.2.Value.exe.674be10.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.InstallUtil.exe.920000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Value.exe.674be10.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Xp7zCcGiGj.exe.4c20de0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Xp7zCcGiGj.exe.4c20de0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2376279473.0000000003055000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2162853339.0000000000C40000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2553736595.000000000290C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2376279473.0000000002DAD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2168105851.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2133945112.0000000003740000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2162853339.0000000000922000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2420758408.000000000674B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2136695355.000000000494A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2153752302.0000000006A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2392682883.0000000004073000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Xp7zCcGiGj.exe PID: 7164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 6536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Value.exe PID: 1272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 1896, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	112 Scripting	Valid Accounts	Windows Management Instrumentation	112 Scripting	211 Process Injection	1 Masquerading	11 Input Capture	21 Security Software Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Registry Run Keys / Startup Folder	2 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	211 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	12 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Xp7zCcGiGj.exe	60%	Virustotal		Browse
Xp7zCcGiGj.exe	55%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
Xp7zCcGiGj.exe	100%	Avira	HEUR/AGEN.1329724
Xp7zCcGiGj.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\NexSZleDljOR.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Roaming\Value.exe	100%	Avira	HEUR/AGEN.1329724
C:\Users\user\AppData\Local\Temp\E6ikBcGmgYAV.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Roaming\Value.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Value.exe	55%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
panel.o7lab.me	8%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://api.ipify.org/	0%	URL Reputation	safe
https://stackoverflow.com/q/14436606/23354	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://stackoverflow.com/q/11564914/23354;	0%	URL Reputation	safe
https://stackoverflow.com/q/2152978/23354	0%	URL Reputation	safe
https://github.com/mgravell/protobuf-netJ	0%	Virustotal		Browse
https://stackoverflow.com/q/2152978/23354sCannot	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
panel.o7lab.me	31.13.224.34	true	true	8%, Virustotal, Browse	unknown
service.o7lab.xyz	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
panel.o7lab.me	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	Xp7zCcGiGj.exe, 00000000.00000002.2153752302.0000000006A41000.00000004.00000800.00020000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2136695355.000000000494A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2162853339.0000000000922000.00000040.00000400.00020000.00000000.sdmp, Value.exe, 0000000B.00000002.2420758408.000000000674B000.00000004.00000800.00020000.00000000.sdmp, Value.exe, 0000000B.00000002.2392682883.0000000004073000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/mgravell/protobuf-net	Xp7zCcGiGj.exe, 00000000.00000002.2150515855.0000000005FC0000.00000004.08000000.00040000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2136695355.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mgravell/protobuf-neti	Xp7zCcGiGj.exe, 00000000.00000002.2150515855.0000000005FC0000.00000004.08000000.00040000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2136695355.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://stackoverflow.com/q/14436606/23354	Xp7zCcGiGj.exe, 00000000.00000002.2153752302.0000000006A41000.00000004.00000800.00020000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2136695355.000000000494A000.00000004.00000800.00020000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2133945112.000000000345D000.00000004.00000800.00020000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2150515855.0000000005FC0000.00000004.08000000.00040000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2136695355.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2168105851.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2162853339.0000000000922000.00000040.00000400.00020000.00000000.sdmp, Value.exe, 0000000B.00000002.2420758408.000000000674B000.00000004.00000800.00020000.00000000.sdmp, Value.exe, 0000000B.00000002.2376279473.0000000002DAD000.00000004.00000800.00020000.00000000.sdmp, Value.exe, 0000000B.00000002.2392682883.0000000004073000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.2553736595.0000000002932000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/mgravell/protobuf-netJ	Xp7zCcGiGj.exe, 00000000.00000002.2150515855.0000000005FC0000.00000004.08000000.00040000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2136695355.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp, Value.exe, 0000000B.00000002.2392682883.00000000049A0000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://stackoverflow.com/q/2152978/23354sCannot	Xp7zCcGiGj.exe, 00000000.00000002.2153752302.0000000006A41000.00000004.00000800.00020000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2136695355.000000000494A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2162853339.0000000000922000.00000040.00000400.00020000.00000000.sdmp, Value.exe, 0000000B.00000002.2420758408.000000000674B000.00000004.00000800.00020000.00000000.sdmp, Value.exe, 0000000B.00000002.2392682883.0000000004073000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://ipwho.is/	Xp7zCcGiGj.exe, 00000000.00000002.2153752302.0000000006A41000.00000004.00000800.00020000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2136695355.000000000494A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2162853339.0000000000922000.00000040.00000400.00020000.00000000.sdmp, Value.exe, 0000000B.00000002.2420758408.000000000674B000.00000004.00000800.00020000.00000000.sdmp, Value.exe, 0000000B.00000002.2392682883.0000000004073000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Xp7zCcGiGj.exe, 00000000.00000002.2133945112.000000000345D000.00000004.00000800.00020000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2133945112.0000000003937000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2168105851.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, Value.exe, 0000000B.00000002.2376279473.0000000002DAD000.00000004.00000800.00020000.00000000.sdmp, Value.exe, 0000000B.00000002.2376279473.0000000003277000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.2553736595.000000000290C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://stackoverflow.com/q/11564914/23354;	Xp7zCcGiGj.exe, 00000000.00000002.2153752302.0000000006A41000.00000004.00000800.00020000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2136695355.000000000494A000.00000004.00000800.00020000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2150515855.0000000005FC0000.00000004.08000000.00040000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2136695355.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2162853339.0000000000922000.00000040.00000400.00020000.00000000.sdmp, Value.exe, 0000000B.00000002.2420758408.000000000674B000.00000004.00000800.00020000.00000000.sdmp, Value.exe, 0000000B.00000002.2392682883.0000000004073000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://stackoverflow.com/q/2152978/23354	Xp7zCcGiGj.exe, 00000000.00000002.2150515855.0000000005FC0000.00000004.08000000.00040000.00000000.sdmp, Xp7zCcGiGj.exe, 00000000.00000002.2136695355.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
31.13.224.34	panel.o7lab.me	Bulgaria		48584	SARNICA-ASBG	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546536
Start date and time:	2024-11-01 04:48:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Xp7zCcGiGj.exe renamed because original name is a hash value
Original Sample Name:	dc17a1ec3a9bb84d21a7f6a7e77133f6.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@30/10@2/1
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 98% Number of executed functions: 429 Number of non-executed functions: 23
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target InstallUtil.exe, PID 6004 because it is empty
Execution Graph export aborted for target InstallUtil.exe, PID 6768 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:49:13	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Value.vbs
23:49:36	API Interceptor	86x Sleep call for process: InstallUtil.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
31.13.224.34	e5LZscY6NU.exe	Get hash	malicious	RedLine	Browse	bluedns.o7lab.me:1337/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
panel.o7lab.me	http://purepanel.o7lab.me/raw/corano.exe	Get hash	malicious	Unknown	Browse	45.66.231.202

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SARNICA-ASBG	e5LZscY6NU.exe	Get hash	malicious	RedLine	Browse	31.13.224.34
	arm7.elf	Get hash	malicious	Unknown	Browse	93.123.109.118
	amd64.elf	Get hash	malicious	Unknown	Browse	93.123.109.118
	arm6.elf	Get hash	malicious	Unknown	Browse	93.123.109.118
	arm5.elf	Get hash	malicious	Unknown	Browse	93.123.109.118
	na.elf	Get hash	malicious	Mirai	Browse	93.123.109.160
	na.elf	Get hash	malicious	Mirai	Browse	93.123.109.160
	na.elf	Get hash	malicious	Mirai	Browse	93.123.109.160
	na.elf	Get hash	malicious	Mirai	Browse	93.123.109.160
	na.elf	Get hash	malicious	Mirai	Browse	93.123.109.160

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1638
Entropy (8bit):	5.343459251874235
Encrypted:	false
SSDEEP:	48:MxHKiHKx1qHiYHKh3oPtHo6hAHKze0HDfHKdHK8JHoHKs:iqiqxwCYqh3oPtI6eqzxTqdqCIqs
MD5:	F74640DEF7CD2A8DBCB7874F3CF0B806
SHA1:	AA526A66C13D86C6D550ACB0CFA8F2F3435D3287
SHA-256:	7EE2BA6754FED9FFA2C255A798EDDF7E7B7F891E8F6696FA52E1A70A62D759F0
SHA-512:	2B801C0FF4CA825167590CA9618A9E01082FCD1BEB91682ED6F26B886C86A91AE0673B7DA189417DC4F37B5D9CDC10DEE5FBD7F045E0687F052217B31DC600ED
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Temp\E6ikBcGmgYAV.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	221
Entropy (8bit):	5.467592520029831
Encrypted:	false
SSDEEP:	6:hC47bxrBeLuVFOOr+DEkLW6qRndLvKOZG1923ffB:d5r+uVEOCDEk8tBZ3B
MD5:	81EA878277DC89169A4CB681D7FDB635
SHA1:	75BCE8A3FDDF5EED004EC23DBB6717318E928C18
SHA-256:	8A76044368233D40DD830B0B75133BD1742F0C903BB8F9C24353A6EA03F076B1
SHA-512:	30A5DF5D22D7DA7513D6B474BA17487FDDA5B43C4BB36196F81DADF0B3FCEE9E0BFC98632C5C97A220F4E5872DEEE35EBE3EBD1F7068B93161A63EED2204F136
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..echo DONT CLOSE THIS WINDOW!..ping -n 10 localhost > nul..start "" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\E6ikBcGmgYAV.bat"

C:\Users\user\AppData\Local\Temp\NexSZleDljOR.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	221
Entropy (8bit):	5.414352711377271
Encrypted:	false
SSDEEP:	6:hC47bxrBeLuVFOOr+DEkLW6qRndLvKOZG1923f7QqW:d5r+uVEOCDEk8tBZ8j
MD5:	57C62ECD76673AAE34D85E18AA21B065
SHA1:	95368C9A0C77D75511A332C121CC3EB7C6F809EB
SHA-256:	878064D8558F3DE761D1A98F325DA2FCB8BA9FC747FFD5096701C8B4DA51DAEC
SHA-512:	E6BED4A6045CF0A41D1E55D52FF202932FA2993F6745C5C5DA68F3993B5E054983F9E5F4837307EE0F3A72E0E886EA2C207E43CA9F5C5A63D28A72C1204E5FB2
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..echo DONT CLOSE THIS WINDOW!..ping -n 10 localhost > nul..start "" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\NexSZleDljOR.bat"

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Value.vbs

Download File

Process:	C:\Users\user\Desktop\Xp7zCcGiGj.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	81
Entropy (8bit):	4.7485678672107845
Encrypted:	false
SSDEEP:	3:FER/n0eFHHoUkh4EaKC5oelkHn:FER/lFHI9aZ5ox
MD5:	401D9CB9942A4C653B118FC39C569C4E
SHA1:	F46D90937C39CE79A59A0EBA1CF35A7C9F4DED53
SHA-256:	56CFFB3648C84928DAC92B698819F899894126741CCE32318444909CBA0C3217
SHA-512:	37FE577DDF7AD46BA4C114B1E6844FD6BD45A9EDB9228DA1DB3DC6AAADE1E0202DA1FBAD05EA59D0B931D19F5EFCDB2345FFC83F3F7475565DBB91F635043199
Malicious:	true
Preview:	CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\Value.exe"""

C:\Users\user\AppData\Roaming\Value.exe

Download File

Process:	C:\Users\user\Desktop\Xp7zCcGiGj.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2254336
Entropy (8bit):	7.972766123500036
Encrypted:	false
SSDEEP:	49152:YX5YSZrAEzwpX/qR0KlOmOdXcyhgkkTScqMkRnGfRlz+:K5YC4o0MOdX4zSPnGZh+
MD5:	DC17A1EC3A9BB84D21A7F6A7E77133F6
SHA1:	2A6C10EA20BFF9E297770BCA2477A8BB82378C45
SHA-256:	82687BBF89460D44B3CEF2D06F5D09288C45D787323254026F39CB3421CC3954
SHA-512:	EB321AB29735ECF574939CD01EE51F04A623382D83D22D8EFC6538A1618AF0BFA3A8407B0F6E3C54F55E4A780E2F5176004D50F9598A0A9935207635810CC042
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 55%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... g.................\"..........z".. ...."...@.. ........................"...........`.................................Pz".K.....".`....................."...................................................... ............... ..H............text....Z".. ...\"................. ..`.rsrc...`....."......^".............@..@.reloc........"......d".............@..B.................z".....H....... ..........0........f .............................................(.......(.....0.......... ........8........E....Q...........6...8L..........s......... ....~....{....:....& ....8...........s......... ....8....~..........s......... ....~....{....9q...& ....8f....0.......... ........8........E....K.......5...\|...{...8F..........s......... ....~....{....9....& ....8....~....%:R...& ....8...........s......... ....~....{....9w...& ....8l...~..........s....%........

C:\Users\user\AppData\Roaming\Value.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Xp7zCcGiGj.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

\Device\ConDrv

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2017
Entropy (8bit):	4.659840607039457
Encrypted:	false
SSDEEP:	48:zK4QsD4ql0+1AcJRy0EJP64gFljVlWo3ggxUnQK2qmBvgw1+5:zKgDEcTytNe3Wo3uQVBIe+5
MD5:	3BF802DEB390033F9A89736CBA5BFAFF
SHA1:	25A7177A92E0283B99C85538C4754A12AC8AD197
SHA-256:	5202EB464D6118AC60F72E89FBAAACF1FB8CF6A232F98F47F88D0E7B2F3AFDB3
SHA-512:	EB4F440D28ECD5834FD347F43D4828CA9FEE900FF003764DD1D18B95E0B84E414EAECF70D75236A1463366A189BC5CBA21613F79B5707BF7BDB3CEA312CCE4F7
Malicious:	false
Preview:	Microsoft (R) .NET Framework Installation utility Version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....Usage: InstallUtil [/u \| /uninstall] [option [...]] assembly [[option [...]] assembly] [...]]....InstallUtil executes the installers in each given assembly...If the /u or /uninstall switch is specified, it uninstalls..the assemblies, otherwise it installs them. Unlike other..options, /u applies to all assemblies, regardless of where it..appears on the command line.....Installation is done in a transactioned way: If one of the..assemblies fails to install, the installations of all other..assemblies are rolled back. Uninstall is not transactioned.....Options take the form /switch=[value]. Any option that occurs..before the name of an assembly will apply to that assembly's..installation. Options are cumulative but overridable - options..specified for one assembly will apply to the next as well unless..the option is specified with a new value. The default for

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	502
Entropy (8bit):	4.630609828667227
Encrypted:	false
SSDEEP:	12:P9l5pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:VfdUOAokItULVDv
MD5:	01E42C7D0BFC330C8CB8F87BD1F25257
SHA1:	EAD7E45750E84C22F8BB01AF7D3BF6CB81401F8F
SHA-256:	A634384A405C46CD9DB3F596A3F5A032AC51B1B7634BC8FFB9D016CDBCF74CD4
SHA-512:	61F024BC83B791B9A7396F4BF85F38E77E07ADFD7ECC07EE799E8A070533064FC5FB552DDFD41A3DF07E92D41D37585EA962FEF98DAB9CBD1CC4C84812CAC64A
Malicious:	false
Preview:	..Pinging 965543 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.972766123500036
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Xp7zCcGiGj.exe
File size:	2'254'336 bytes
MD5:	dc17a1ec3a9bb84d21a7f6a7e77133f6
SHA1:	2a6c10ea20bff9e297770bca2477a8bb82378c45
SHA256:	82687bbf89460d44b3cef2d06f5d09288c45d787323254026f39cb3421cc3954
SHA512:	eb321ab29735ecf574939cd01ee51f04a623382d83d22d8efc6538a1618af0bfa3a8407b0f6e3c54f55e4a780e2f5176004d50f9598a0a9935207635810cc042
SSDEEP:	49152:YX5YSZrAEzwpX/qR0KlOmOdXcyhgkkTScqMkRnGfRlz+:K5YC4o0MOdX4zSPnGZh+
TLSH:	3CA52357AB9A85B1D6C6477AC5E7488107A3DAB2A5C3DB4B718E27C40C037B3DE421CB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... g.................\"..........z".. ...."...@.. ........................"...........`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x627a9e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6720BB09 [Tue Oct 29 10:38:01 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x227a50	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x228000	0x560	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x22a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x225aa4	0x225c00	d6e66b6fd5484394a0e52afacd14afa9	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x228000	0x560	0x600	2874489d40acc0abd87d427016cb7e3d	False	0.404296875	data	3.8624994601219402	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x22a000	0xc	0x200	75e19109f8e92ad1b27dae85cbf519c9	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x2280a0	0x30c	data			0.4282051282051282
RT_MANIFEST	0x2283ac	0x1b4	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (433), with no line terminators			0.5642201834862385

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-01T04:49:18.762810+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	52.149.20.212	443	192.168.2.5	49705	TCP
2024-11-01T04:49:57.901706+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	52.149.20.212	443	192.168.2.5	49907	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 04:49:12.804347992 CET	49704	4782	192.168.2.5	31.13.224.34
Nov 1, 2024 04:49:12.809226990 CET	4782	49704	31.13.224.34	192.168.2.5
Nov 1, 2024 04:49:12.809309006 CET	49704	4782	192.168.2.5	31.13.224.34
Nov 1, 2024 04:49:12.814588070 CET	49704	4782	192.168.2.5	31.13.224.34
Nov 1, 2024 04:49:12.819379091 CET	4782	49704	31.13.224.34	192.168.2.5
Nov 1, 2024 04:49:13.409631014 CET	49704	4782	192.168.2.5	31.13.224.34
Nov 1, 2024 04:49:36.115171909 CET	49794	4782	192.168.2.5	31.13.224.34
Nov 1, 2024 04:49:36.119942904 CET	4782	49794	31.13.224.34	192.168.2.5
Nov 1, 2024 04:49:36.120026112 CET	49794	4782	192.168.2.5	31.13.224.34
Nov 1, 2024 04:49:36.123342037 CET	49794	4782	192.168.2.5	31.13.224.34
Nov 1, 2024 04:49:36.128168106 CET	4782	49794	31.13.224.34	192.168.2.5
Nov 1, 2024 04:49:44.600786924 CET	4782	49794	31.13.224.34	192.168.2.5
Nov 1, 2024 04:49:44.600847006 CET	49794	4782	192.168.2.5	31.13.224.34
Nov 1, 2024 04:49:44.612665892 CET	49794	4782	192.168.2.5	31.13.224.34
Nov 1, 2024 04:49:44.617427111 CET	4782	49794	31.13.224.34	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 04:49:12.153062105 CET	64314	53	192.168.2.5	1.1.1.1
Nov 1, 2024 04:49:12.779086113 CET	53	64314	1.1.1.1	192.168.2.5
Nov 1, 2024 04:49:48.147965908 CET	57848	53	192.168.2.5	1.1.1.1
Nov 1, 2024 04:49:48.178812027 CET	53	57848	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 1, 2024 04:49:12.153062105 CET	192.168.2.5	1.1.1.1	0x4d43	Standard query (0)	panel.o7lab.me	A (IP address)	IN (0x0001)	false
Nov 1, 2024 04:49:48.147965908 CET	192.168.2.5	1.1.1.1	0xdc6b	Standard query (0)	service.o7lab.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 1, 2024 04:49:12.779086113 CET	1.1.1.1	192.168.2.5	0x4d43	No error (0)	panel.o7lab.me		31.13.224.34	A (IP address)	IN (0x0001)	false
Nov 1, 2024 04:49:48.178812027 CET	1.1.1.1	192.168.2.5	0xdc6b	Name error (3)	service.o7lab.xyz	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	23:48:58
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\Xp7zCcGiGj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Xp7zCcGiGj.exe"
Imagebase:	0xef0000
File size:	2'254'336 bytes
MD5 hash:	DC17A1EC3A9BB84D21A7F6A7E77133F6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2152190596.0000000006230000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2133945112.000000000345D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2133945112.0000000003740000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2136695355.000000000494A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2153752302.0000000006A41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	23:49:09
Start date:	31/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x550000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000002.00000002.2162853339.0000000000C40000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000002.00000002.2168105851.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000002.00000002.2162853339.0000000000922000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	23:49:12
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\NexSZleDljOR.bat" "
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	23:49:12
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	23:49:12
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit):	true
Commandline:	chcp 65001
Imagebase:	0x260000
File size:	12'800 bytes
MD5 hash:	20A59FB950D8A191F7D35C4CA7DA9CAF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	23:49:12
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping -n 10 localhost
Imagebase:	0xe40000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	23:49:21
Start date:	31/10/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Value.vbs"
Imagebase:	0x7ff7f6540000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	23:49:21
Start date:	31/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x1b0000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	23:49:21
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	23:49:22
Start date:	31/10/2024
Path:	C:\Users\user\AppData\Roaming\Value.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Value.exe"
Imagebase:	0x880000
File size:	2'254'336 bytes
MD5 hash:	DC17A1EC3A9BB84D21A7F6A7E77133F6
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000B.00000002.2376279473.0000000003055000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000B.00000002.2376279473.0000000002DAD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000B.00000002.2376279473.0000000002DAD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000B.00000002.2392682883.000000000456C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000B.00000002.2420758408.000000000674B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000B.00000002.2392682883.0000000004073000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 55%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	23:49:33
Start date:	31/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x2a0000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000C.00000002.2553736595.000000000290C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	23:49:47
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\E6ikBcGmgYAV.bat" "
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	23:49:47
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	23:49:47
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit):	true
Commandline:	chcp 65001
Imagebase:	0x260000
File size:	12'800 bytes
MD5 hash:	20A59FB950D8A191F7D35C4CA7DA9CAF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	23:49:47
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping -n 10 localhost
Imagebase:	0xe40000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	23:49:56
Start date:	31/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x460000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	23:49:56
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.4%
Total number of Nodes:	261
Total number of Limit Nodes:	18

Executed Functions

Function 05418208 Relevance: 3.1, Strings: 2, Instructions: 636
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fbq, xrefs: 05418320
8, xrefs: 0541830D

Memory Dump Source

Source File: 00000000.00000002.2144227384.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5410000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID: fbq$8
API String ID: 0-3186246319
Opcode ID: 824e4e21dc462be0fc408ed00b2a8910b8d89d21202ed61dc42a1b307c1040c9
Instruction ID: 2f106568ba3a82ef989bae7300e972007386b0438b4e5108fb9adf618c03838c
Opcode Fuzzy Hash: 824e4e21dc462be0fc408ed00b2a8910b8d89d21202ed61dc42a1b307c1040c9
Instruction Fuzzy Hash: 0162D775E002298FDB64DF69C994AD9BBB1FF89300F5081EAD909A7344DB34AE85CF50

Function 0541B9D8 Relevance: 1.6, APIs: 1, Instructions: 110nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 0541BA95

Memory Dump Source

Source File: 00000000.00000002.2144227384.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5410000_Xp7zCcGiGj.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 7baad5561af03eb2618954a198ce1bbe36fe0e0bb892b1f271aed24e5a8bfe16
Instruction ID: 86221226685e673e5174f4667ddea4e94c6e066e44d7b0eab948cf69769bc5f4
Opcode Fuzzy Hash: 7baad5561af03eb2618954a198ce1bbe36fe0e0bb892b1f271aed24e5a8bfe16
Instruction Fuzzy Hash: 1A418AB5D042589FCF10CFAAD980ADEFBB5FB49310F10942AE819B7210D735A945CFA8

Function 0541B9E0 Relevance: 1.6, APIs: 1, Instructions: 105nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 0541BA95

Memory Dump Source

Source File: 00000000.00000002.2144227384.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5410000_Xp7zCcGiGj.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: cf05bb52c3e3fce1c4eea2a42477f45a82a14f035a0f22b8df3c3e830213d798
Instruction ID: 895d2e5cac69bd8fd6c50cd44429d05f8b376a7b1b1d8fec20b4e34dfa1a33a4
Opcode Fuzzy Hash: cf05bb52c3e3fce1c4eea2a42477f45a82a14f035a0f22b8df3c3e830213d798
Instruction Fuzzy Hash: CE4178B8D042589FCF10CFAAD980ADEFBB5FB49310F10942AE819B7210D735A945CF68

Function 0541D260 Relevance: 1.6, APIs: 1, Instructions: 84nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 0541D2F6

Memory Dump Source

Source File: 00000000.00000002.2144227384.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5410000_Xp7zCcGiGj.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: dda91c0522dfca13a3b8d9cdf549149d6d9e15f214f465def461cba5dee7199a
Instruction ID: eceeed5e467239445950c7d7d3ccbffeec30dd96955e35c016bfcd2b3a89c959
Opcode Fuzzy Hash: dda91c0522dfca13a3b8d9cdf549149d6d9e15f214f465def461cba5dee7199a
Instruction Fuzzy Hash: 2F31BBB8D012189FCB10CFA9D984ADEFBF1BB49310F10942AE819B7310C778A946CF94

Function 0541D268 Relevance: 1.6, APIs: 1, Instructions: 82nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 0541D2F6

Memory Dump Source

Source File: 00000000.00000002.2144227384.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5410000_Xp7zCcGiGj.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 2ee25b7111a1514d579caa516b81cd2a6dc9cff260b440529af871a83efaaf96
Instruction ID: 37d3b6771bcf1a8eea4b339f094e7fa9bc6c9b115e94ea2e460eaedad3dceb32
Opcode Fuzzy Hash: 2ee25b7111a1514d579caa516b81cd2a6dc9cff260b440529af871a83efaaf96
Instruction Fuzzy Hash: 2531AAB4D012189FCB10CFA9D984ADEFBF5BB49310F10942AE819B7210C779A945CF94

Function 05415498 Relevance: 1.6, Strings: 1, Instructions: 303COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0541586B

Memory Dump Source

Source File: 00000000.00000002.2144227384.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5410000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 3644ee73b522ecae0d36d5ae38d4635ff37b6f143f9892360a7a4ddcbe181218
Instruction ID: 96f39f1e563d727f657caaa86bfaa9a8810e5de89627b788cc249821af0c000d
Opcode Fuzzy Hash: 3644ee73b522ecae0d36d5ae38d4635ff37b6f143f9892360a7a4ddcbe181218
Instruction Fuzzy Hash: 29D10470A05258CFEB14DFA9C584BEDBBF2FB89304F2080AAD819A7344DB745985CF59

Function 06A3F300 Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

Ddq, xrefs: 06A3F405

Memory Dump Source

Source File: 00000000.00000002.2153642231.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a20000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID: Ddq
API String ID: 0-562783569
Opcode ID: c171680ceae4d7dcb28555ea9cc9111ebdc154e5bfc2f7a2e1546eeb2e14db54
Instruction ID: db13d1bc50f1aa245cc0bb934bf3ed4dab7702f2b22f7a51a41ed4b0d053fe15
Opcode Fuzzy Hash: c171680ceae4d7dcb28555ea9cc9111ebdc154e5bfc2f7a2e1546eeb2e14db54
Instruction Fuzzy Hash: 29D1C174E00219CFDB54DFA9D994A9DBBB2FF88300F1081A9E409AB365DB34AD81CF51

Function 0541F868 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144227384.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5410000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f30a6ed443883fdbaa030d9a002900eaf87e76c3544c20c79080ff80eced1a65
Instruction ID: f7bc22f40b267d4866c0b9d667fe8d44a5ace044ab39d0284af0a425b8d79783
Opcode Fuzzy Hash: f30a6ed443883fdbaa030d9a002900eaf87e76c3544c20c79080ff80eced1a65
Instruction Fuzzy Hash: 28C10870A05218DFEB54DFA8D944BEDBBF2FB49304F1080AAD509AB290DB745D8ACF15

Function 0541750F Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144227384.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5410000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2011c88fde50198b1c9183bab4cf77fe7125890885a0c626eddcb063f55faa38
Instruction ID: b1ba4c9667b6fd4d5208cc7fde259a738a2aeae56db2ee67935c768dcab4f946
Opcode Fuzzy Hash: 2011c88fde50198b1c9183bab4cf77fe7125890885a0c626eddcb063f55faa38
Instruction Fuzzy Hash: 2981D3B4A05218CFDB54CFA9D984BDEBBF2FB89304F1080AAD809A7244DB745986CF55

Function 01A86AF9 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdbdcec1da12865399903eb343606b53c592a0a09e19e150bc9cd0b2b2b5e904
Instruction ID: 5de2304178495c3d70fa522ec4640a5cbe2c9e9897edab937d9d05fb8fed7de4
Opcode Fuzzy Hash: bdbdcec1da12865399903eb343606b53c592a0a09e19e150bc9cd0b2b2b5e904
Instruction Fuzzy Hash: 48812974A44204CFE714EF5AD988BA9F7F2FB88314F19C16AD819AB395C374AC85CB50

Function 0541B729 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144227384.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5410000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50f0ccfbaa56a4510af37fa77ac9511c614eab2d5ae40afec5497f0c955b257b
Instruction ID: 4c43a499193a55d600e95e94671a457f12f202cc88f4c8dc51a1cf67bd85818b
Opcode Fuzzy Hash: 50f0ccfbaa56a4510af37fa77ac9511c614eab2d5ae40afec5497f0c955b257b
Instruction Fuzzy Hash: 4C8129B4E012099FDB44DFA9D584AEEBBF6FF88300F14802AD919AB354DB349946CF54

Function 01A86B00 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4617fe8cff39c67fbfa90a40d311ae134a207889a46c5cd9c11de8e87563b4a
Instruction ID: 7c9b3c46114d69631690a84e58e4926795f3f860bb7f1028744c49ab9d4fc2f3
Opcode Fuzzy Hash: b4617fe8cff39c67fbfa90a40d311ae134a207889a46c5cd9c11de8e87563b4a
Instruction Fuzzy Hash: 19812774A44204CFE714EF5AD988BA9F7F2FB88314F19C16AD819AB395C374AC85CB50

Function 0541B738 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144227384.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5410000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e28581899526b87f7d632e6d416a9a4e866ef486a8abdea87773b4c112ae1fb
Instruction ID: 3a81f9f48b2511829555a61651332f6196699f5df586d6f032d48cf500ddcaee
Opcode Fuzzy Hash: 9e28581899526b87f7d632e6d416a9a4e866ef486a8abdea87773b4c112ae1fb
Instruction Fuzzy Hash: 5581E6B4E012099FDB44DF99D584AEEBBF6FF88300F10806AD919AB354DB34A946CF54

Function 01A81CA8 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bfbd71b62baf9d1c9595b929f10be01bb91c95fcdbaede0d50785f6f477ba7c
Instruction ID: 964095e14507dd5dc0dd3f4b3791b03ad951a4307a0fadbd75527b0e37a960f6
Opcode Fuzzy Hash: 4bfbd71b62baf9d1c9595b929f10be01bb91c95fcdbaede0d50785f6f477ba7c
Instruction Fuzzy Hash: 11617FB4A00104CFE714EF6AE544BAABBF3FF84310F158465E5059B3A5DB799C96CB40

Function 0542C7E4 Relevance: 5.1, Strings: 4, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0, xrefs: 0542D03D
", xrefs: 0542D017
:, xrefs: 0542BE30
8, xrefs: 0542BE55

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID: "$0$8$:
API String ID: 0-3399400504
Opcode ID: 31d8dd5f43209e5673e9493d3a86688de5696492193229cf13c6b0ebc73d9cfa
Instruction ID: 6d45436d2446fcf5cdde65d592a984f6140a2496f17fef6c0f72d5f4f14deb84
Opcode Fuzzy Hash: 31d8dd5f43209e5673e9493d3a86688de5696492193229cf13c6b0ebc73d9cfa
Instruction Fuzzy Hash: 3B41C070901268CFEB60CF68C944BE9BBB2FB49304F5085EAD509A7290DB755E95CF14

Function 0542BEE8 Relevance: 5.1, Strings: 4, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

%, xrefs: 0542C35B
8, xrefs: 0542C384
:, xrefs: 0542BE30
8, xrefs: 0542BE55

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID: %$8$8$:
API String ID: 0-1061800311
Opcode ID: ac044af51bab919cd7531854f98da2cfd2d3c8621eade59d28f1bc8f70f1e0c6
Instruction ID: f293e50b4ee936bdbd4ecdc2623709cd30bf9c0b738859277e55e74174d20648
Opcode Fuzzy Hash: ac044af51bab919cd7531854f98da2cfd2d3c8621eade59d28f1bc8f70f1e0c6
Instruction Fuzzy Hash: D7418970A022688FEB65CF18C958BEDB7B1FB09300F8085EAD659A7250DBB45ED58F14

Function 0542BEAD Relevance: 3.8, Strings: 3, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>, xrefs: 0542BEDC
:, xrefs: 0542BE30
8, xrefs: 0542BE55

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID: 8$:$>
API String ID: 0-1633067128
Opcode ID: b8c159fb974f3c6782097342be298b7b45d245777cd8d732c36852723033953e
Instruction ID: 206c121e8cb73a58d1348e5fbbfa894a43250aa2488434c621731dac3e1aaf38
Opcode Fuzzy Hash: b8c159fb974f3c6782097342be298b7b45d245777cd8d732c36852723033953e
Instruction Fuzzy Hash: E341AA709012688FEB64CF18C958BEDBBB2FB08304F9085EAD609A7290CB745ED5CF54

Function 0542C08C Relevance: 3.8, Strings: 3, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

., xrefs: 0542C11E
:, xrefs: 0542BE30
8, xrefs: 0542BE55

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID: .$8$:
API String ID: 0-2317341229
Opcode ID: 570ec7d479976589e6c0986bc1d2de1b710145adb0f1aa9c055303ca7f3ed825
Instruction ID: e2c3fdb63cfa0779f5ef8dc91fefdbaa62f358eb0f999c5efabb6a0097e80bb4
Opcode Fuzzy Hash: 570ec7d479976589e6c0986bc1d2de1b710145adb0f1aa9c055303ca7f3ed825
Instruction Fuzzy Hash: C641B970901268CFEB60DF18C988BD9BBB1FB09304F8085EAD519A7261CB755EC5CF10

Function 0542C8EC Relevance: 3.8, Strings: 3, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

E, xrefs: 0542C8F6
:, xrefs: 0542BE30
8, xrefs: 0542BE55

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID: 8$:$E
API String ID: 0-2793474252
Opcode ID: c1caeed32d5de7f1474f2b040afc2eb8b6b3162c2693ddf8b32cbefbb693fcb4
Instruction ID: 600cd3f2de3ee1bc38c6482ebe029a6a2aab7a18e2705315aba8bd8ea20b9b66
Opcode Fuzzy Hash: c1caeed32d5de7f1474f2b040afc2eb8b6b3162c2693ddf8b32cbefbb693fcb4
Instruction Fuzzy Hash: 9F31AA70901268CFEBA4CF18C944BE9BBB2FB09300F8085EAD619A3250DB745ED5CF54

Function 0542C8D2 Relevance: 3.8, Strings: 3, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/, xrefs: 0542CDE5
:, xrefs: 0542BE30
8, xrefs: 0542BE55

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID: /$8$:
API String ID: 0-3078618013
Opcode ID: b8b8b1666c621d1da0232fab52f7e35d92eb4d37c46d5bcfdd4d5aa906b7a9b4
Instruction ID: f736b766450df01c4804a0ae78ff7e36c1a945902081e5d974c3af3699bb40eb
Opcode Fuzzy Hash: b8b8b1666c621d1da0232fab52f7e35d92eb4d37c46d5bcfdd4d5aa906b7a9b4
Instruction Fuzzy Hash: C531AE70901268CFEB64CF18C948BECBBB2FB05345F9085EAD509A3260CB785AD5CF14

Function 0542C2B7 Relevance: 3.8, Strings: 3, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$, xrefs: 0542C6C9
:, xrefs: 0542BE30
8, xrefs: 0542BE55

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID: $$8$:
API String ID: 0-3232746124
Opcode ID: 943117283fb68f6ca422be41d5c0c26a1c687c9957cf7600a1ad77352f842c8a
Instruction ID: 9865ecd4bf2dce6cb668177cc3d22925d083db2efd965f9c49a428d845568921
Opcode Fuzzy Hash: 943117283fb68f6ca422be41d5c0c26a1c687c9957cf7600a1ad77352f842c8a
Instruction Fuzzy Hash: A031AD70904268CFEB64CF18C984BE9B7B2FB09304F8085E6D509A7250D7759ED5CF14

Function 0542C88D Relevance: 3.8, Strings: 3, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

1, xrefs: 0542BF93
:, xrefs: 0542BE30
8, xrefs: 0542BE55

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID: 1$8$:
API String ID: 0-1756353150
Opcode ID: 00f558e813f383145573a513192baafe8dfcf33050b8008b7ba948977f23d816
Instruction ID: 9347484827c59d7069256344e13b2e65ed13d5dc07632d0a1e243c2871303a22
Opcode Fuzzy Hash: 00f558e813f383145573a513192baafe8dfcf33050b8008b7ba948977f23d816
Instruction Fuzzy Hash: 3431AA70905268CFEB60DF18C948BE9B7B2FB09304F8185EAD509B7250CBB45AC5CF15

Function 05425ABA Relevance: 2.6, Strings: 2, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

wW[ , xrefs: 054259AF
:}>, xrefs: 054259A8

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID: :}>$wW[
API String ID: 0-2816750256
Opcode ID: ea3a76e9a12219983f71942a724f3e35ead003e86d05e4feb468f9e89a74b824
Instruction ID: 465c2a854999d1a286ed26e9346c63de025a831fc6017ec54e4584737a34c76b
Opcode Fuzzy Hash: ea3a76e9a12219983f71942a724f3e35ead003e86d05e4feb468f9e89a74b824
Instruction Fuzzy Hash: 9261F474A042298FDB64DF28D994BADBBF1FB88300F1181AAD90AA7744DB745EC5CF50

Function 054258C1 Relevance: 2.6, Strings: 2, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

wW[ , xrefs: 054259AF
:}>, xrefs: 054259A8

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID: :}>$wW[
API String ID: 0-2816750256
Opcode ID: 2c61ca85557dc886a351d0dd829ed5ffb4ee73872783c037242f3f08525b7ce6
Instruction ID: 175b1cb53dd3e830f28202081e56aadcf8f708e67685f1c80910a90b216ebe15
Opcode Fuzzy Hash: 2c61ca85557dc886a351d0dd829ed5ffb4ee73872783c037242f3f08525b7ce6
Instruction Fuzzy Hash: E5510774A001298FDB64DF28D998BADBBF2FB88300F1181AAE50AA7754DB745DC5CF50

Function 0542C270 Relevance: 2.6, Strings: 2, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:, xrefs: 0542BE30
8, xrefs: 0542BE55

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID: 8$:
API String ID: 0-3806156078
Opcode ID: ebdc2e7b7a4464ff77184a64ed6121d044211906a4e23a2553dbc0c11701c9c9
Instruction ID: 8a03f51691ea9293bdafadd30f0010fc04d70d7dd71040b95cd4af1c20f3fa5d
Opcode Fuzzy Hash: ebdc2e7b7a4464ff77184a64ed6121d044211906a4e23a2553dbc0c11701c9c9
Instruction Fuzzy Hash: 36319970A01268CFEBA4CF18C984BD8BBB2FB49300F8085E6D609A3250DB745ED58F54

Function 0541C5CE Relevance: 1.8, APIs: 1, Instructions: 290
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0541C83F

Memory Dump Source

Source File: 00000000.00000002.2144227384.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5410000_Xp7zCcGiGj.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 011995017f72a141783f3202a6c67d178c8202d05dd82102d9d4ab7acf4680b3
Instruction ID: b65c5fec620c51e5fcb3f1a868c923ce45a92fb803385a0f6ba5ae7dbe7d9c2c
Opcode Fuzzy Hash: 011995017f72a141783f3202a6c67d178c8202d05dd82102d9d4ab7acf4680b3
Instruction Fuzzy Hash: F8A102B4D04219CFDB10CFA9C885BEEBBB1FF09310F14916AE859A7240DB749985CF89

Function 0541C5D8 Relevance: 1.8, APIs: 1, Instructions: 261
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0541C83F

Memory Dump Source

Source File: 00000000.00000002.2144227384.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5410000_Xp7zCcGiGj.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 57925decdd0434cb5caa8b1a8cea9989fbeebcd1205cd2f617bda30b2c088b67
Instruction ID: 760aa76bd416035c80e1074a1716a6b8b464fea7fe701c6969cefaa147816b09
Opcode Fuzzy Hash: 57925decdd0434cb5caa8b1a8cea9989fbeebcd1205cd2f617bda30b2c088b67
Instruction Fuzzy Hash: AAA1F4B4D04219DFDB10CFA9C985BEEBBF1BF09300F14916AE859A7240DB749985CF89

Function 0541EDBC Relevance: 1.7, APIs: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32(?,?,?), ref: 0541EF43

Memory Dump Source

Source File: 00000000.00000002.2144227384.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5410000_Xp7zCcGiGj.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 2a23a4d0dc05967367eb1ab64fb83cbe883cd918b94626470097fb66d4775a81
Instruction ID: 4f1eec4cf42106029df5fcd0f379b5e0263ab81798af3dec2e80debd29cf35a2
Opcode Fuzzy Hash: 2a23a4d0dc05967367eb1ab64fb83cbe883cd918b94626470097fb66d4775a81
Instruction Fuzzy Hash: 136112B4D003189FDB14DFA9C845BEEBFB5BB08300F24812AE819A7290D7789985CF49

Function 0541EDC8 Relevance: 1.7, APIs: 1, Instructions: 169fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32(?,?,?), ref: 0541EF43

Memory Dump Source

Source File: 00000000.00000002.2144227384.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5410000_Xp7zCcGiGj.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: fd349320a6d3dc4caed093644468d442d401775839c53cef36774691721b605e
Instruction ID: addd54843eeec5f907d8baa81cc1850847b3acc7274cae5cf281d9f778e1e34b
Opcode Fuzzy Hash: fd349320a6d3dc4caed093644468d442d401775839c53cef36774691721b605e
Instruction Fuzzy Hash: CF6113B4D043189FDB10CFA9C9457EEBFB5BF09300F24812AE815A7290DB789995CF89

Function 0541D048 Relevance: 1.6, APIs: 1, Instructions: 120injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0541D123

Memory Dump Source

Source File: 00000000.00000002.2144227384.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5410000_Xp7zCcGiGj.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 1b141cbbbca72e6ffcdf47424a3e27b945d3b98f8f5e985b56100bee44dbaa1b
Instruction ID: 9c7ca4c4f48a0b1e62b38f48770da42b69d467d5efc77ab05d2d5885da39d302
Opcode Fuzzy Hash: 1b141cbbbca72e6ffcdf47424a3e27b945d3b98f8f5e985b56100bee44dbaa1b
Instruction Fuzzy Hash: C541ACB5D052589FCB00CFA9D984AEEFBF1BF49310F14902AE819B7210D735A945CB54

Function 0541D050 Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0541D123

Memory Dump Source

Source File: 00000000.00000002.2144227384.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5410000_Xp7zCcGiGj.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 89c7479c1e91ffd58dbe5f5377e0dc2f1aeed6776b0977edb09e4a6454ef9815
Instruction ID: 2c9e1c071687a2987077c2a8cba46f94ec968e449d2f7ebc2b89858a043c8505
Opcode Fuzzy Hash: 89c7479c1e91ffd58dbe5f5377e0dc2f1aeed6776b0977edb09e4a6454ef9815
Instruction Fuzzy Hash: D7419CB5D052589FCF00CFA9D984ADEFBF1BB49310F10902AE819B7210D779A945CF64

Function 0541CEE8 Relevance: 1.6, APIs: 1, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0541CF9A

Memory Dump Source

Source File: 00000000.00000002.2144227384.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5410000_Xp7zCcGiGj.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e518a080f7296016f1ed590456c777b8000beb5c9c8de243aa0b68c3da2a7bf6
Instruction ID: d348fc4e22d2906cfa891f43d5ee2f8dc449bdddb1ff26a527654456fd300e01
Opcode Fuzzy Hash: e518a080f7296016f1ed590456c777b8000beb5c9c8de243aa0b68c3da2a7bf6
Instruction Fuzzy Hash: AF3198B8D042589FCF10CFA9D981ADEFBB5BB49310F10942AE819B7250D735A945CFA8

Function 0541CEF0 Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0541CF9A

Memory Dump Source

Source File: 00000000.00000002.2144227384.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5410000_Xp7zCcGiGj.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2cbc4a5cf6609cf877c1ec414802660181cb41e4182e990c7562a2328dae318a
Instruction ID: 16ef3492247da5d52bc197aa7d79c961a3e0b191f9d25fbbe805ea8f64325f9e
Opcode Fuzzy Hash: 2cbc4a5cf6609cf877c1ec414802660181cb41e4182e990c7562a2328dae318a
Instruction Fuzzy Hash: EF3188B8D042589FCF10CFA9D980ADEFBB5FB49310F10942AE815B7250D735A945CF68

Function 0541D539 Relevance: 1.6, APIs: 1, Instructions: 100memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0541D5E4

Memory Dump Source

Source File: 00000000.00000002.2144227384.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5410000_Xp7zCcGiGj.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 9dcb56b4de4245be163b599ce8fc968de3fd456c067dfc3e9803af5d9c905d71
Instruction ID: 04d0b3d640903a33426be5d33b9b15d7b569a681f3711d439615e2205af456d0
Opcode Fuzzy Hash: 9dcb56b4de4245be163b599ce8fc968de3fd456c067dfc3e9803af5d9c905d71
Instruction Fuzzy Hash: E931CBB5D042589FCB10DFA9D584AEEFBB1BF09310F14942AE819B7210D739A945CF68

Function 0541D540 Relevance: 1.6, APIs: 1, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0541D5E4

Memory Dump Source

Source File: 00000000.00000002.2144227384.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5410000_Xp7zCcGiGj.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b66665fe6990143dab32b79b30174ccefe5abf5d42b28cb0f6addb31955b7172
Instruction ID: 32cf8a0a2c3a7d045a55359b9deca41392e67f1db623232b5da542642d50ab8d
Opcode Fuzzy Hash: b66665fe6990143dab32b79b30174ccefe5abf5d42b28cb0f6addb31955b7172
Instruction Fuzzy Hash: EF31ABB4D042589FCB10DFA9D584AEEFBB1BF49310F14942AE819B7210D739A945CF64

Function 0541C988 Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0541CA3F

Memory Dump Source

Source File: 00000000.00000002.2144227384.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5410000_Xp7zCcGiGj.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 03914fe901313fc09e9c8ff786f38eddee5ab6de6764cadb9a15e8e94677ba51
Instruction ID: f1bf15d1e62020f93d782305027476f3733d85493eb62eaf46852d54a764139a
Opcode Fuzzy Hash: 03914fe901313fc09e9c8ff786f38eddee5ab6de6764cadb9a15e8e94677ba51
Instruction Fuzzy Hash: 5441BBB4D012589FCB10DFA9D884AEEFBF1BF49314F14802AE419B7250C738A985CFA4

Function 0541C990 Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0541CA3F

Memory Dump Source

Source File: 00000000.00000002.2144227384.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5410000_Xp7zCcGiGj.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: f69de88b5b77bf0e4a9c2e43d4d05a2ad1ddb78e6dd95d12789c2c6f9280b9f5
Instruction ID: 11b702dd04a4d53e8741e01fec582281d0444fd438e6c7a2c1471a02f5e385cc
Opcode Fuzzy Hash: f69de88b5b77bf0e4a9c2e43d4d05a2ad1ddb78e6dd95d12789c2c6f9280b9f5
Instruction Fuzzy Hash: 8C31CDB4D002589FCB10CFA9D884AEEFBF1BF49310F14802AE419B7240C738A945CF94

Function 05417ED8 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

SleepEx.KERNELBASE(?,?), ref: 05417F72

Memory Dump Source

Source File: 00000000.00000002.2144227384.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5410000_Xp7zCcGiGj.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 296f7a7330153a578dd7594d352ba794f91997c4ee6ede91ba4d215c2a03c472
Instruction ID: 1d00b3a721e17f3837b4fca477e2e7f3d060e2e6f3230090f4af761dd93835c8
Opcode Fuzzy Hash: 296f7a7330153a578dd7594d352ba794f91997c4ee6ede91ba4d215c2a03c472
Instruction Fuzzy Hash: 2C31BBB4D052189FCB10CFA9D980AEEFBF5FB49310F14842AE815B7250C738A946CBA4

Function 05417EE0 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

SleepEx.KERNELBASE(?,?), ref: 05417F72

Memory Dump Source

Source File: 00000000.00000002.2144227384.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5410000_Xp7zCcGiGj.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 72f58620da5b4012483f2c1272297fcd2e43219becfd8eeef4655a033db93c09
Instruction ID: 2e640ee711c3e2faa3fac6ee2ff8348e28f8856a5f1148300cdbf7a7323a2067
Opcode Fuzzy Hash: 72f58620da5b4012483f2c1272297fcd2e43219becfd8eeef4655a033db93c09
Instruction Fuzzy Hash: 0E31ABB4D052189FCB10CFA9D980AEEFBF5FB49310F14942AE815B7250C739A945CFA4

Function 01A81AE0 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

C, xrefs: 01A81BA0

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID: C
API String ID: 0-2531096973
Opcode ID: c381400b58024e629edc2fd20cdf99738ce33e5b85dc4f3018effe767b338a4e
Instruction ID: 7084ce5a367e6eca59d1744897dc81e82dce59f275cbc4b98c5f2c13bab0b327
Opcode Fuzzy Hash: c381400b58024e629edc2fd20cdf99738ce33e5b85dc4f3018effe767b338a4e
Instruction Fuzzy Hash: 5631D634B101468FD716DB39C958AAE7BF6FF85210F1481AAD409CB3A5EB349D07CB91

Function 06A22636 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

o, xrefs: 06A22302

Memory Dump Source

Source File: 00000000.00000002.2153642231.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a20000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID: o
API String ID: 0-252678980
Opcode ID: e091360d4658b44b9ece1a3c63b339c2af19ae92a4bddac1bc9f09d3606c55aa
Instruction ID: 39e3e0e56a5b81013981c9149595c6efc304859d6dd9e5dfcb4c05d7f19c451c
Opcode Fuzzy Hash: e091360d4658b44b9ece1a3c63b339c2af19ae92a4bddac1bc9f09d3606c55aa
Instruction Fuzzy Hash: 3D31D6B4D5022ACFDBA4EF58D998B99BBB1FB48305F0000E9D509AB640DB349EC4CF10

Function 06A221EE Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

o, xrefs: 06A22302

Memory Dump Source

Source File: 00000000.00000002.2153642231.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a20000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID: o
API String ID: 0-252678980
Opcode ID: bf355ea6a57ca7765c82fcfb9da357637ce78106a6647ec7f461adf49a859f99
Instruction ID: 08d5a916c3e88af5a678ea20d36899f2b1229420accf05861038b394e57e8dd5
Opcode Fuzzy Hash: bf355ea6a57ca7765c82fcfb9da357637ce78106a6647ec7f461adf49a859f99
Instruction Fuzzy Hash: 0031E9B4D5062ACFDB64EF58D998A99BBB1FF48305F0000E9D409AB644DB349E85CF15

Function 06A265E5 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

5, xrefs: 06A26641

Memory Dump Source

Source File: 00000000.00000002.2153642231.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a20000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID: 5
API String ID: 0-2226203566
Opcode ID: 00b22a4954739cf7c18837e93c75e8d924271bfbba19ae1e75ca637e45c323c9
Instruction ID: 668eeb089389b5c7bdcfeb91f1ac1acff392a699a876aeefde6bc89aef1c419b
Opcode Fuzzy Hash: 00b22a4954739cf7c18837e93c75e8d924271bfbba19ae1e75ca637e45c323c9
Instruction Fuzzy Hash: 93F0BE7094126ACFEBA0EF58C848BAABBB1EB04308F1040E5D04C97240D7B44EC4CF21

Function 0542C678 Relevance: 1.3, Strings: 1, Instructions: 21COMMON

Download Yara Rule

Strings

$, xrefs: 0542C6C9

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 9dce6132971249c1e4af5d1f4e22985e82090febe6598d325ccfb79d8ecfdbeb
Instruction ID: 056d11d3b54b010d5d2268f042af9cec787e81a2d03f44f46b5960fa9ad878c0
Opcode Fuzzy Hash: 9dce6132971249c1e4af5d1f4e22985e82090febe6598d325ccfb79d8ecfdbeb
Instruction Fuzzy Hash: 08F07F7490012A9FCB64DF64DA91ADDBBB6EF48300F4084EA850AA7251DF31AE82CF11

Function 0542C74A Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

;, xrefs: 0542C796

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID: ;
API String ID: 0-1661535913
Opcode ID: a331791ce926391aff527fda6b5b2b2aa4471cc8cb2106f54fbb1b68715352f6
Instruction ID: 836ed4f1703f301fafacc68b9dd924ceca1a50c46ff18cd90f6649a22f22f966
Opcode Fuzzy Hash: a331791ce926391aff527fda6b5b2b2aa4471cc8cb2106f54fbb1b68715352f6
Instruction Fuzzy Hash: 0AF0393180461ADBDF11DF60C954ADAFBB1FF44348F008A85EA4933210DB30AA9ACF80

Function 0542C61B Relevance: 1.3, Strings: 1, Instructions: 15COMMON

Download Yara Rule

Strings

D, xrefs: 0542C64E

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: 4b7c871d75e8f646c4f5cb963f4991cd2e1e582b983651e3ae986c26b2dbe8a4
Instruction ID: 87854b1fd2e5b1a583abcd92480cf07ab05800f667e9adac7b154032c65ac973
Opcode Fuzzy Hash: 4b7c871d75e8f646c4f5cb963f4991cd2e1e582b983651e3ae986c26b2dbe8a4
Instruction Fuzzy Hash: A5E07E749042288FDB51CF24C944BD9BBB2EB49314F0481D9C50D93261C7359A8ADF00

Function 0542BF70 Relevance: 1.3, Strings: 1, Instructions: 9COMMON

Download Yara Rule

Strings

1, xrefs: 0542BF93

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID: 1
API String ID: 0-2212294583
Opcode ID: a049a54ecbaca2939fd246e4340e2aef4b2c6a06c10b93d0fc659ddef75cb1d4
Instruction ID: b1642fd927c45b34bc6372de3a68810da80140db19ff9f7a766f6e53dc2b92ff
Opcode Fuzzy Hash: a049a54ecbaca2939fd246e4340e2aef4b2c6a06c10b93d0fc659ddef75cb1d4
Instruction Fuzzy Hash: E4D095B490A22A8AEB20EF61C958BCDBBB1AB08204F1084CA800DA2304C6309A868F01

Function 05423AA0 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a02c9fa82bc9266c41c07be61f7154e400701412434985fc941f5a752070e358
Instruction ID: 9277c5381238ff3961480f83e40c98ef149073ccf0fd90fb673e20b756d4c776
Opcode Fuzzy Hash: a02c9fa82bc9266c41c07be61f7154e400701412434985fc941f5a752070e358
Instruction Fuzzy Hash: 01C1D074E04228CFDB24DFA8D948BDDBBB2FB49300F5084AAD509A7345DB785985CF00

Function 05423A90 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7192972d6edb2cfe03b7a939226d2eb799dac454442e9eef8bef6a3e742f76d
Instruction ID: 8f50393fe4a494e90e7cbd35d78341d8198318c96ad84ba7d986a7722321b8a5
Opcode Fuzzy Hash: c7192972d6edb2cfe03b7a939226d2eb799dac454442e9eef8bef6a3e742f76d
Instruction Fuzzy Hash: 84B1E1B4E04228CFEB14DFA8D948BDDBBB2FB49300F5084AAD509A7244DB785D85CF00

Function 01A853F8 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e7fd7a43fd73b3e6134069f266332530f77c2941a23eb4d3aa69ee40a4699ee
Instruction ID: 1978bed498fe8e5f6863773ad3739790d70dce4c0793e3558f2f0c0f902d650f
Opcode Fuzzy Hash: 4e7fd7a43fd73b3e6134069f266332530f77c2941a23eb4d3aa69ee40a4699ee
Instruction Fuzzy Hash: E8818A74F94105DFDB14EF48C844BAAB7B3FB84301F18C675CA069B646D379A892CBA1

Function 05429F00 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe595b3c64f18966c2168823438ce5248a5f467dcee3cc566d8f62149a99e26c
Instruction ID: b7c1f8e7a468631bcd4cdbad635cb0f463a851b91d08d6364dae74a38825bf0b
Opcode Fuzzy Hash: fe595b3c64f18966c2168823438ce5248a5f467dcee3cc566d8f62149a99e26c
Instruction Fuzzy Hash: F9A13674A04228CFEB54DFA5D988B9DBBB2FB89300F5081AAD609A7358DB341D85CF15

Function 01A853E8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b4ca7c5cedc020fd4a5775c9d29c65244302f34acc39cbd67606a56a8ec9f7d
Instruction ID: 373e79fd59e22c0326df7d06960d13296b24a83b8d6fe7d0e84f9074885b384f
Opcode Fuzzy Hash: 5b4ca7c5cedc020fd4a5775c9d29c65244302f34acc39cbd67606a56a8ec9f7d
Instruction Fuzzy Hash: 34818C74E90105DFDB14EF09C8407AAB7F3FB84311F18C676CA069B646D379A892CBA1

Function 05428698 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f466893e0c6917fc5fab17a377c0d1510b3f17c8a9b08f0f874e0e0ffce5a1d6
Instruction ID: ca6be22a63070384970f5a0f8f36f29e6a3386b9a1def82d659505f01b2cdfc6
Opcode Fuzzy Hash: f466893e0c6917fc5fab17a377c0d1510b3f17c8a9b08f0f874e0e0ffce5a1d6
Instruction Fuzzy Hash: 8A91F374D05228CFEB14DFA9D944BEDBBF2FB89304F90806AD409A7255DB786986CF10

Function 0542AB51 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d2e288a8fe0e13bdad58abc0d913b7792ea14cdfbeb046677cac8b974c10f3c
Instruction ID: 04525b7a8f27aeadd87c73203560081455e584d16e63d2175c0456781369d634
Opcode Fuzzy Hash: 5d2e288a8fe0e13bdad58abc0d913b7792ea14cdfbeb046677cac8b974c10f3c
Instruction Fuzzy Hash: AF913870A05228CFEB50DF69CA88BEDBBF2FB49304F5041AAD909A7250DBB45D85CF41

Function 054286A8 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 530db4cf4be42da95083ced8db49f9d1cdc98a0fc47678cc9d71ebf2f0bf612a
Instruction ID: 4881e1ef5af60e62e289e72158cdbfd605f73d98b723a942fbb6b89362c1a435
Opcode Fuzzy Hash: 530db4cf4be42da95083ced8db49f9d1cdc98a0fc47678cc9d71ebf2f0bf612a
Instruction Fuzzy Hash: C881F174D05228CFEB14DFA9D944BEDBBF2FB89304F90806AD409A7255DB786986CF10

Function 0542AD83 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94c7f61af86c81a5d39e073759fc7f468e479463f7c38e6c2441a165ec22355c
Instruction ID: 8e60eee5a6032cc786ef1124d03d561eccb7ca492ff9995081ee619242801744
Opcode Fuzzy Hash: 94c7f61af86c81a5d39e073759fc7f468e479463f7c38e6c2441a165ec22355c
Instruction Fuzzy Hash: E591F470A05228CFEB10DF6ADA88BDDBBF2FB49304F5141AAD909A7244DBB45D85CF40

Function 054289B5 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d5313a16334712c553411ffea763953845e7862fad0078d158e980f34daf7a0
Instruction ID: 3f14fff26bdff41bdf40100280aeb3ff0a3111b2a48915cab554423b0bea52e4
Opcode Fuzzy Hash: 2d5313a16334712c553411ffea763953845e7862fad0078d158e980f34daf7a0
Instruction Fuzzy Hash: 2A71F574D05228CFDB14DFA9D944BEDBBB2FB89300FA1806AD509A7254DB386D86CF10

Function 05426E18 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce25b294e10ad92a3eb823278f7f12f8c79b0a99684f76a92292aaacf7b0ce12
Instruction ID: 780e5c23dcf1bc04a435a92ee9b50d085d8843b626088eca74d1ff969f6f6076
Opcode Fuzzy Hash: ce25b294e10ad92a3eb823278f7f12f8c79b0a99684f76a92292aaacf7b0ce12
Instruction Fuzzy Hash: 3961D0B4A08229CFDB20DF68D584BEDBBF2FB49300F5180AAD519A7244DB745D8ACF51

Function 054281EC Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11beb8a8d51e8791ed5335e97717d536f1394ac4ff2ebe1c29f9f013738e4770
Instruction ID: b79e68ae004760e8e379646840ac783e67fce465fbcedc90bf2a027a5d2f19cf
Opcode Fuzzy Hash: 11beb8a8d51e8791ed5335e97717d536f1394ac4ff2ebe1c29f9f013738e4770
Instruction Fuzzy Hash: E551E274A05228CFEB14DFA9D984BEEBBB2FB89304F60416AD409A7284DB745D85CF11

Function 01A857F8 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9de65b237f34a818dafb83b8fd7da96813ed137917baeaa861e0f138330725cb
Instruction ID: 9828b6776327537c2e6f95a7fe03de5ea4f0be6cafef92daa24bd402902bb26f
Opcode Fuzzy Hash: 9de65b237f34a818dafb83b8fd7da96813ed137917baeaa861e0f138330725cb
Instruction Fuzzy Hash: 0F41BD71E10204CFE706DF69D984BAABBB2FB84311F5481BAD8098B261D7749D45CB91

Function 0542D69F Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b64885c7ae39d362206b11f01da2f9a7c55c0df1b43c4583f68dcb9fc301ae6c
Instruction ID: 58da456804ee3d628f48166699ec8e27313e17eb14a632d3e20d01af8aa5a002
Opcode Fuzzy Hash: b64885c7ae39d362206b11f01da2f9a7c55c0df1b43c4583f68dcb9fc301ae6c
Instruction Fuzzy Hash: 7341C270D05229CFEB64CF69C944BE9BBB6BB49304F5081EAD50AA7290DB745AC6CF10

Function 01A81928 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb2da5106cbf453b5951a1fedd39da562e3d04d521e463883bef0f63cfde54dd
Instruction ID: fcdfddcb50c7ce931122ab90a7e745202dc9bbe45c813ec6937945c19970969a
Opcode Fuzzy Hash: fb2da5106cbf453b5951a1fedd39da562e3d04d521e463883bef0f63cfde54dd
Instruction Fuzzy Hash: 0931A074A0010ACFEB14EF69D944BEEBBF2FB88314F148064D505AB395DB745C46CBA1

Function 01A81938 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d751563402652e8048fa6dca0d8edc1f40745afdd2c5d0d3dc8a25955bd5418
Instruction ID: f71a45b3c6371d22f96c163b31ec943c1418e70cff3b82e86448d65880c56d81
Opcode Fuzzy Hash: 3d751563402652e8048fa6dca0d8edc1f40745afdd2c5d0d3dc8a25955bd5418
Instruction Fuzzy Hash: F9319E74A00109CFEB14EF69D544BEEBBF2FB88314F148065D505AB395DB749C86CBA1

Function 01A8673F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 450bdae2e08a576088d55b91d921636845a124d432143fd4027d17c91ed3340b
Instruction ID: cac2cd3268e72a8ac4862bfd8af36d44159ad2bf62cbac913a4022671c87ea69
Opcode Fuzzy Hash: 450bdae2e08a576088d55b91d921636845a124d432143fd4027d17c91ed3340b
Instruction Fuzzy Hash: 6B215E75B802104FC758AB7C9518A2E3BE6EFCD26131545B8E40ACF375EE68DD4287A1

Function 01A87BB0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bae369b739b3143164b6f5068bee54d9721dc79e4ae6a641dfd068feb2c9a3ae
Instruction ID: 2310cc1fe34585bf3ab1a6d4f66fbab6b352c69e86660b8195c9e0e5b6f278be
Opcode Fuzzy Hash: bae369b739b3143164b6f5068bee54d9721dc79e4ae6a641dfd068feb2c9a3ae
Instruction Fuzzy Hash: 1121FC749093858FDB029BA9D8557EDBFB2EF86310F1480A7C101DB1A3D63C4855C752

Function 017DD344 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133288770.00000000017DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dd000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca0aac81f94897e7ee8ec73142edef5353952c9f89a908c5ee92af941297e707
Instruction ID: 03723a71f30f1bead05dcb9ab31225fd395d9a364a1728eca6a0673184ca9c53
Opcode Fuzzy Hash: ca0aac81f94897e7ee8ec73142edef5353952c9f89a908c5ee92af941297e707
Instruction Fuzzy Hash: 4421F871504208DFDB25CF98D9C4B26FF75FB88314F24C5A9E9094B296C73AD416CBA1

Function 0542D71E Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41b732bf94ec3a84c6b7c07d1ed792864f93fb2d654ea272d57b1e7ba35324e9
Instruction ID: 4749773b20839f2d8c28ddfc58d17a4e2893b7bdd93625223fe4dc6b82801972
Opcode Fuzzy Hash: 41b732bf94ec3a84c6b7c07d1ed792864f93fb2d654ea272d57b1e7ba35324e9
Instruction Fuzzy Hash: 5931C270D052288FEB24CF19C944BE9B7F6BB49304F5085EA950EE7250D7749AC6CF10

Function 017DD520 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133288770.00000000017DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dd000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80cfe9edad0e96704379e83e615c03a9c1ae80da25d4b8b9c0322cf012c8df35
Instruction ID: 2704943886bf8261d5ea8d19bf9965af65cf8a881304c2ad6a3b8a7b42088083
Opcode Fuzzy Hash: 80cfe9edad0e96704379e83e615c03a9c1ae80da25d4b8b9c0322cf012c8df35
Instruction Fuzzy Hash: 3E213671500208DFDB25DF58D9C0F26FF75FB88318F7485A9D90A0A296C336D455CBA1

Function 01A8EE80 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 431c9eab5f38fd4f65ca518921a9daa8fc95d9d994828be606629f1c77d0cc0b
Instruction ID: 86e3307f5b9ef48a37a383a4ba19405bff06bb30fff6124a4ccdbd8a5308c704
Opcode Fuzzy Hash: 431c9eab5f38fd4f65ca518921a9daa8fc95d9d994828be606629f1c77d0cc0b
Instruction Fuzzy Hash: 8C3126F0905209EFDB00EFA9C0487ADBFF1FF89309F1485A9D405A3284DB744A84CB51

Function 017ED01C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133372429.00000000017ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 017ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17ed000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df06baaa1562ac5404f6fee152001d821f9f3139bdea49da2122be0793bdfed1
Instruction ID: 93496a158eefee1649162bb4ef3bb9aba8a2e0ee498f643aceb0c8794066fdb1
Opcode Fuzzy Hash: df06baaa1562ac5404f6fee152001d821f9f3139bdea49da2122be0793bdfed1
Instruction Fuzzy Hash: 45210371104244DFCB25DF58D9C8B26FFE5FB88354F2885A9E9090B246C33AD406C6B2

Function 0542A168 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 391915716ff178fa6e510367fb4223cfa1447d8a3c259b2886f80e1090751f07
Instruction ID: 660f7aaef2585edd99bb3c9d6e583770f1a7977da38e1aa243f2ca9ea37c2da4
Opcode Fuzzy Hash: 391915716ff178fa6e510367fb4223cfa1447d8a3c259b2886f80e1090751f07
Instruction Fuzzy Hash: FC217770E0422A8FDB04DFAAD9047FEBBF2FF89310F908429D515A3384DBB849498B51

Function 0542E4E6 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e26568bd565f7a3019367e0bce91c399ff7ca7e9886b4c178db80efd4c7245af
Instruction ID: d27d86b3bc538b4a32979d433d1c1e70a0415a09a4d2567213bd6056c678f8e0
Opcode Fuzzy Hash: e26568bd565f7a3019367e0bce91c399ff7ca7e9886b4c178db80efd4c7245af
Instruction Fuzzy Hash: 1A31D174D04238CFEB24CF5AC848BEDBBB6BB09304F4481AAD409AB240D77459A6CF10

Function 05429D7F Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 925fabb2f63ba36905f1391b8375ec5b2070a70a8988e48e59c93605bc477c52
Instruction ID: deab70ed27e4c66cb376076d3689fb78521106e8a80001ad044fd072680bf923
Opcode Fuzzy Hash: 925fabb2f63ba36905f1391b8375ec5b2070a70a8988e48e59c93605bc477c52
Instruction Fuzzy Hash: 9531E474A04218CFEB64DF65D998B9DBBB2FB89200F0082EAD60DA7354DB341E85CF55

Function 0542A178 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af52fc2951be48333dae523cf7c6dfac5b3a9c6328c2f66b846d74833a08516b
Instruction ID: 753d6c8a1046d3d35d73d5647f8257ea05c40faafaa63cd087dccb3cb797364d
Opcode Fuzzy Hash: af52fc2951be48333dae523cf7c6dfac5b3a9c6328c2f66b846d74833a08516b
Instruction Fuzzy Hash: 47216970D0422ECBDB04DFAAD9446FEBBF6FF89310F808429D505A3344DBB859498B51

Function 01A86858 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b243503ae5b07b4dcab1bde2e001bc9d9309185fb8e6953599edfd820283855
Instruction ID: 97f846d86f41157ccb405fd2d1284f5c701b9d99642507e155e94b7ba5ff3569
Opcode Fuzzy Hash: 0b243503ae5b07b4dcab1bde2e001bc9d9309185fb8e6953599edfd820283855
Instruction Fuzzy Hash: 81115B74B843009FC789EB7CD958D5A7BEAAF8D22131145A9E00ACB375DE78EC0087A0

Function 01A85DBC Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65aba83abc939a8181b2ee5457104085e079e235960cc52d5b264826bd201d78
Instruction ID: fc8458793bc57dd70812cc1ec4788dad5a8caecb353002f0de8934009bdc9c88
Opcode Fuzzy Hash: 65aba83abc939a8181b2ee5457104085e079e235960cc52d5b264826bd201d78
Instruction Fuzzy Hash: 03210774A00105CFDB11EB58D5C8A9DFBF2EF88320F58C591D905AB616D735ED82CB94

Function 01A85BB3 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52b2db7e43f6ff48164c2198b9a60a255d02905ac1735027d19097b45d32abce
Instruction ID: e088c2d109e856fd3ac7a3a887241510bdeb9f7edc87a5d621d82e9ca0024982
Opcode Fuzzy Hash: 52b2db7e43f6ff48164c2198b9a60a255d02905ac1735027d19097b45d32abce
Instruction Fuzzy Hash: A8214C74A00105CFDB11EB58D584A9DFBF2FF88324F68C591D5099B216D735ED82CB94

Function 05429F1A Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2854740e7515d43a87daac734307dacb5d4d1c2b4d0ca9a4f89f793bf1441d17
Instruction ID: 2d133a92195f6ab7d80f0c3baad78a2ff6347dc9bc72e93f2d419f7872b9f5db
Opcode Fuzzy Hash: 2854740e7515d43a87daac734307dacb5d4d1c2b4d0ca9a4f89f793bf1441d17
Instruction Fuzzy Hash: CE212A70D092A8CFDB44DFA9D1486EDBBF2FB49304F51806AD415AB25CDB7888C5CB05

Function 0542B826 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e457ca3a4478450f4b882b9d7255d6f942cbb8e9f5adfebc4cc40f13f6559100
Instruction ID: 35863e30aae8bc2640b3b417066230f894a51f67a85671e582ba61588e7e0885
Opcode Fuzzy Hash: e457ca3a4478450f4b882b9d7255d6f942cbb8e9f5adfebc4cc40f13f6559100
Instruction Fuzzy Hash: 03211374D04228CFDB04DF98D944AEDBBF2FB49309F40806AE51AAB254D7384A89CB65

Function 0542E2E8 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23f47aa761b2cce429227af054b48eb8df51930400037ff7081e431ff3ccdfa8
Instruction ID: 7c00a1cc1a0ba0d190c6cff82fa9ac62d52dcaffaafb65cc7a618f9e5f3037dc
Opcode Fuzzy Hash: 23f47aa761b2cce429227af054b48eb8df51930400037ff7081e431ff3ccdfa8
Instruction Fuzzy Hash: 4131F374904238CFEB10CF59D848BEDBBB6BB09305F8581AAD449AB281D7745996CF11

Function 01A83033 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3858997b9f195e4b43ccc29c28216ff73982671c0518da9ed638e8a345494dc1
Instruction ID: c6fc56461402ab4b25ecb95a82ac88297461fe2fdf288fa726db050a600c586b
Opcode Fuzzy Hash: 3858997b9f195e4b43ccc29c28216ff73982671c0518da9ed638e8a345494dc1
Instruction Fuzzy Hash: 0C210C30A04244CFEF21DF29D945BAAB7B2FF84B25F58C0A5D0499B265DB799982CF01

Function 0542B521 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2ba2843725cc91df1e6289a21b011c27360a45b264897a8261300563576caef
Instruction ID: e078c3542ca90706c5d0f10eadc05b7384e183996defcf8629cc712e030a49e2
Opcode Fuzzy Hash: d2ba2843725cc91df1e6289a21b011c27360a45b264897a8261300563576caef
Instruction Fuzzy Hash: 96213674E04228CFDF04DF98D544AEDBBF2FB89305F40802AE515AB254D7384A89CF54

Function 0542DBBF Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa0785f16e9df53635477dbc61b54a97df7e14938544c529893253243834513a
Instruction ID: c97c876ac5007c646be86956644d888dbb58bd0cefc4504842c4e9fcba3652f3
Opcode Fuzzy Hash: aa0785f16e9df53635477dbc61b54a97df7e14938544c529893253243834513a
Instruction Fuzzy Hash: 40210771D052689FEB24CF64C954BE9BBB6BB49314F4085EAD20AE7291D7705AC6CF00

Function 01A86690 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f107a43bddab9c02ebdf26bded0bf1a0cda94a2384fc36273b1a4a92c2206276
Instruction ID: 9a4beb075eaedacc5a61cff09d20e73b66d277af253529030a1df9dd1f404deb
Opcode Fuzzy Hash: f107a43bddab9c02ebdf26bded0bf1a0cda94a2384fc36273b1a4a92c2206276
Instruction Fuzzy Hash: D4115E71B842404FCB58AB7CD96891A7BE6AF8D22131145B9E10ACB375ED79CC008B91

Function 06A3A828 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2153642231.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a20000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b9b5f3e765ffd72d01a12c0ea1c7eedb4460a53f169c7a27a1a1d3a7f86bc21
Instruction ID: a363413b76ec2794e04ccdb35958c24b07dd1768f1e3807b3c22e2e31577a2d9
Opcode Fuzzy Hash: 6b9b5f3e765ffd72d01a12c0ea1c7eedb4460a53f169c7a27a1a1d3a7f86bc21
Instruction Fuzzy Hash: 8821D074E0021A8FCB44DFA8C594AEEBBF1FB48311F108469E509A7340DB359D41CFA2

Function 017DD33F Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133288770.00000000017DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dd000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d06fae078f3ccc2112caf8552f6b645ede566e603d6c7b0d9faf10800b04cc1c
Instruction ID: 394b57d0d9af54da40e1cc1fc6d4a84fe1b7824154434e4ee4cc7596e1446472
Opcode Fuzzy Hash: d06fae078f3ccc2112caf8552f6b645ede566e603d6c7b0d9faf10800b04cc1c
Instruction Fuzzy Hash: 2021AC76404244CFCB16CF54D9C4B56FF72FB88214F24C2A9DD084A296C33AD41ACBA2

Function 017DD51B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133288770.00000000017DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dd000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: de34f5e0251fa8c7a3cfe3901413e5579909868c210292fe1befb988c1eab645
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 77119D76504284CFDB16CF58D9C4B16BF71FB88314F2885A9D90A0A656C336D45ACBA2

Function 06A277A5 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2153642231.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a20000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01c0133000bf0fa18efa6a24d7aa1918390ddba448bbfc4765f7dfc2aeb600dc
Instruction ID: 1dcf464fc975add9aef0dc227fe382bd1a64304ec63caeeaf73d84079333b6e6
Opcode Fuzzy Hash: 01c0133000bf0fa18efa6a24d7aa1918390ddba448bbfc4765f7dfc2aeb600dc
Instruction Fuzzy Hash: 1431A578A103298FCB64CF28C984A99BBF1FF4A214F0181E9E81DA7754D7349E80CF11

Function 06A27F73 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2153642231.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a20000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44db30f3b255f60d11c0c94244430a23d9dc914b2b089f97feab4723c5446469
Instruction ID: 82790412b8da6e057aa2f98be3ebfadcbcfc2149dd636fbd6278d1caa364afe9
Opcode Fuzzy Hash: 44db30f3b255f60d11c0c94244430a23d9dc914b2b089f97feab4723c5446469
Instruction Fuzzy Hash: C621E674A1422A8FDB64DF58C998AA9BBF1FF49304F1041EAD848A7344D730AEC0CF50

Function 017ED017 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133372429.00000000017ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 017ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17ed000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 523fabb44b02fcaa1064eae8d9a10a48e2cd5a800d24befd30ec8c8c27650fb1
Instruction ID: 9fe0767280bdd7ed7cde47029865f397be004846ee6094e822b314f640cc077e
Opcode Fuzzy Hash: 523fabb44b02fcaa1064eae8d9a10a48e2cd5a800d24befd30ec8c8c27650fb1
Instruction Fuzzy Hash: AD11B176504280CFDB12CF54D5C8B16FFB1FB88314F28C5A9D9094B656C336D41ACBA2

Function 01A85C46 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 815899b2375b9ec97b82fa9c5ae5f503571c76f2d6695028f7f01d9dd8bb9dc7
Instruction ID: 27edb9b94cf34c8a7250ab0177a56c267f85843c99ab458241a5ae7c26eb641e
Opcode Fuzzy Hash: 815899b2375b9ec97b82fa9c5ae5f503571c76f2d6695028f7f01d9dd8bb9dc7
Instruction Fuzzy Hash: D3113074E00105CFDB11EB98D98879DF7F2EF88321F28C165D90AAB619D738ED468B45

Function 01A867B8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e637ff52f547d3a6af6ae14916eb8c52d0ccc332a629fb88b5865438d84bdda
Instruction ID: a58ad35d8b7fd783f66dfb52e711eaf39f9b2547e669c21fe8e51be9f43cf1ef
Opcode Fuzzy Hash: 1e637ff52f547d3a6af6ae14916eb8c52d0ccc332a629fb88b5865438d84bdda
Instruction Fuzzy Hash: 78014C757803108FC78AEB7C9518A1D3BEAAF8D22131245A9E00ACF375DE28DC5187A1

Function 01A85A87 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 306f1d7cd4124a0d44bfe121c143d5887696366d436da127669dcaa32562d58b
Instruction ID: fda47202bcb6ee201aa7e48224762a1338a1193d91339817e5da93e8ed0256b0
Opcode Fuzzy Hash: 306f1d7cd4124a0d44bfe121c143d5887696366d436da127669dcaa32562d58b
Instruction Fuzzy Hash: 30115E34A00105CFDB15EBA8E588A5DF7F2EF88321F24C165D90A9B319D738ED46CB41

Function 0542C151 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e50460e4239bdafcec915aa608fef7c8a0d971e43f966a918d2da49c829a532
Instruction ID: 192e0a512d064de581de696df1041b938e78d6ed245c696222a2cc9fa7f64323
Opcode Fuzzy Hash: 8e50460e4239bdafcec915aa608fef7c8a0d971e43f966a918d2da49c829a532
Instruction Fuzzy Hash: FF21BF74A08268CFEB60CF64CA94BEDBBB2FB49304F1085DA950DA7250DB355E82CF40

Function 01A865B1 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ce2882dc59d56c28b2a3ab70195804a2774e0f780b48616139d71e68da4adf2
Instruction ID: 70c5fd2d86d9877102ceb6544f01f69ddfd27918be8a7fdadca660f7682cc3d1
Opcode Fuzzy Hash: 3ce2882dc59d56c28b2a3ab70195804a2774e0f780b48616139d71e68da4adf2
Instruction Fuzzy Hash: C3011E75B802108FC7489B78E9189293BF6EF8D22131545A5E506CB375DE38DD02C7A0

Function 01A85AE2 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01c91a1fb10c99471f2bf3e373515ad9b343e48a5c97a6c97893d7794f63b4d4
Instruction ID: 09c4e0920ec4703507eefaf8e6c42595ac3b401513221dcf534dce78e001bd0e
Opcode Fuzzy Hash: 01c91a1fb10c99471f2bf3e373515ad9b343e48a5c97a6c97893d7794f63b4d4
Instruction Fuzzy Hash: E7115B38F04105CFEB15EF99D9C879DF7F2EB88321F188065DA09AB305C6359D428B55

Function 05425D44 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ada013e0c9ea4d752a6045fa57340dd43535b3c4137e7439f1b91497c9ef4432
Instruction ID: cc29b20bf4ca41a6ec5fa9b766721ad88e2f5e01da6bac909d0beeef40446e1a
Opcode Fuzzy Hash: ada013e0c9ea4d752a6045fa57340dd43535b3c4137e7439f1b91497c9ef4432
Instruction Fuzzy Hash: B021E374909228CFDB26CF24DA88BA9BBB1FB49305F4151EAD509A7654CBB55EC4CF00

Function 01A85FDF Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2e590aee457f0b65ffc894918ecfdbbbf950551642c338dfc9f174e473cc3b6
Instruction ID: 44c201211884f7821a96e59a512db96c825a11cf2c9051445186500be4768467
Opcode Fuzzy Hash: a2e590aee457f0b65ffc894918ecfdbbbf950551642c338dfc9f174e473cc3b6
Instruction Fuzzy Hash: E1018C38B40201CFEB15EB68D588B5DB7F2EF88321F1480A5EA09DB225D638ED42CB51

Function 01A85AB7 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2e65c92298b6d4003d29d4f6a6dace76e3b8f829a7c2da811848412554efd46
Instruction ID: 338ab976eb7598db8f643b44a8dc50dc3ad1efc6d9d19332a87c0ffe449e71cb
Opcode Fuzzy Hash: d2e65c92298b6d4003d29d4f6a6dace76e3b8f829a7c2da811848412554efd46
Instruction Fuzzy Hash: 7E01D438A00101CFEB11AB98E588B6DF7F6EB84215F148065DA1D9B615C635EC03CB51

Function 01A81C02 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67493a3409d12e2bf0a545b7d52aaa77111920f8c8917706f07c59e53927d7dc
Instruction ID: 8fa3e7a146630b9ecbe84fe1610f9a47bb07187b0a8986392004da19b7e27985
Opcode Fuzzy Hash: 67493a3409d12e2bf0a545b7d52aaa77111920f8c8917706f07c59e53927d7dc
Instruction Fuzzy Hash: 23019274E001099FDB14EFA5C4456EEBBF2EF85318F10C0A5C9098B285EB385947CB91

Function 01A85EE3 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 575b9d123f946cb1f313d89096cff9bf66454592cd2438e608a7996a81d8f71a
Instruction ID: 6a08122fa92967e47d4b2b3cd72ec6da9817bf14b922107aaf823a26c25592d0
Opcode Fuzzy Hash: 575b9d123f946cb1f313d89096cff9bf66454592cd2438e608a7996a81d8f71a
Instruction Fuzzy Hash: 03019E38A04102CFEB15AB58D48876DB7F2EF85322F14C0A5DA0A9B656CB35D9828B41

Function 05428A32 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aab7a2c421d2f6c6ab2e6dacc20f7de4b396f7cec1e1ed6c7e59aa866df6cda
Instruction ID: 9ddc2d42ed3c29a6a85279b504cfc359771a34eb85b08e05cc15e5d9903bdb98
Opcode Fuzzy Hash: 5aab7a2c421d2f6c6ab2e6dacc20f7de4b396f7cec1e1ed6c7e59aa866df6cda
Instruction Fuzzy Hash: A901A2B2C46218AFC741EBB4C9417DEBBF9EB48210F5044A69409E7310EB799A41D752

Function 06A27E10 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2153642231.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a20000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 826c5e64a4cd0764f14d0791fbaf6ca3bbf51ba162c4cffac53a0e5842f36bd7
Instruction ID: 3efd78c9eb9069c248fd0c2110d2b86165633d66f7964a1b49c4e21ecab10ce3
Opcode Fuzzy Hash: 826c5e64a4cd0764f14d0791fbaf6ca3bbf51ba162c4cffac53a0e5842f36bd7
Instruction Fuzzy Hash: DB21A7B4A1422ACFDBA4DF18D998AA9BBB1FB4A308F1040E9D50DA7344DB745EC5CF11

Function 06A24DCF Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2153642231.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a20000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d0ca53bbddf949f294abd4db320670604dd4af0b5a1c4fec2a257b5c6d79003
Instruction ID: e196a0936af531f4a2410c335b450fe39fc6b71d754ec76099f371d50c099c31
Opcode Fuzzy Hash: 9d0ca53bbddf949f294abd4db320670604dd4af0b5a1c4fec2a257b5c6d79003
Instruction Fuzzy Hash: 2221A3B4E0822A8FDBA4DF28C988A99BBB1FB49304F1040E9D50DA7344D7786E85DF51

Function 05428DE0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ec2c13f65f68a73f83891cbaa73be1f46f0fca217d1d37c2935272428dff97e
Instruction ID: a20dfb590c8a0a584050723c129922cc89d01556039236fed605405f68120493
Opcode Fuzzy Hash: 8ec2c13f65f68a73f83891cbaa73be1f46f0fca217d1d37c2935272428dff97e
Instruction Fuzzy Hash: 4E01DFB1C9A218AFC782DBE4CA053DEBBF5AF05201F5445E68408D7250EB758A14C752

Function 05428E28 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac95c6ffd46f89c3f6c7435f8e4c2513fbb2c3b62c4c5e89486492535c4404c1
Instruction ID: 719b9e7c567207dfa75acecf9083afafaa48b57c918c120f31822f8c87fc0545
Opcode Fuzzy Hash: ac95c6ffd46f89c3f6c7435f8e4c2513fbb2c3b62c4c5e89486492535c4404c1
Instruction Fuzzy Hash: 8E01DEB5D45115DFCB80CBE4CA007EDBBF1EB44311F6489EA8418DB341D63A8A12DB51

Function 01A87BE0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fce879d3972590b317801230e26a7c92e15be7d09c2fad6eb232535ad6a3dd7
Instruction ID: f558b792c99a0403cc1cb76bd8558bcb68235680d52ee299611dc49d96903c50
Opcode Fuzzy Hash: 3fce879d3972590b317801230e26a7c92e15be7d09c2fad6eb232535ad6a3dd7
Instruction Fuzzy Hash: 680152B4A00109CFEB04EB99D588BBEB7B3EBC8300F24C035C605A7395D7799892CB51

Function 01A87B00 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62c93b0670f44f2d32011a17633d183dd3dc9c0fa825dfcf41f2c8828ede1c02
Instruction ID: 334c02be303c0e4b3794f22783bb900785e674a612339ada7cd5bf8c0fe756ef
Opcode Fuzzy Hash: 62c93b0670f44f2d32011a17633d183dd3dc9c0fa825dfcf41f2c8828ede1c02
Instruction Fuzzy Hash: EF018830A091A08FD71597AD88182257FA39BC3396F3CC0EAD2694B557C277C947CB61

Function 01A85FA4 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe6d175df8dfa41f7a4c6ac812e712d5ea35b5efab08825dbad8c94ec54feccd
Instruction ID: 4691fe4f8556a3c6192de8c239b87c0a86cc84aad8c0874d2498e863577b736f
Opcode Fuzzy Hash: fe6d175df8dfa41f7a4c6ac812e712d5ea35b5efab08825dbad8c94ec54feccd
Instruction Fuzzy Hash: C5011A38F04105CFDF11EB98D588A9DF3F2FB88321F14C066DA09AB615D634E9028B55

Function 01A865C0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9f54fca45a95100a4a5f7f7a5ea4877fcaddbdafbddd970f09f37e1b0e21545
Instruction ID: be4c68e7ef3070809073a156cd2062eb985b6f44e9ae538bc1a7a02883e9392c
Opcode Fuzzy Hash: c9f54fca45a95100a4a5f7f7a5ea4877fcaddbdafbddd970f09f37e1b0e21545
Instruction Fuzzy Hash: 2A01CD75B802108FC758AB7CE91CD1D7BEAAFCC66131145A5E50ACB379EE78DC0187A0

Function 01A85B69 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcf3b48c87a35e28ca552bb7d911a4fcafe130ebe52a54ad491dc7951d02df9a
Instruction ID: 3097a9cbe435f4a88fea88cf490002ac66bc36c85b692a32e4b80bef901b50f2
Opcode Fuzzy Hash: bcf3b48c87a35e28ca552bb7d911a4fcafe130ebe52a54ad491dc7951d02df9a
Instruction Fuzzy Hash: 6C01A238E04101CFDB11AB68E58876DF7F2EF89325F14C0A5DA0A9B215D735DD42CB41

Function 01A85E91 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe45900e6db6b7db408b02216bd0b41a52e37717bebd05d1eb827cc30c40d9c1
Instruction ID: 9dffb7db2e5a6a57a888a8a4fa2f562e94c402c3ba116a468caa5a537409997e
Opcode Fuzzy Hash: fe45900e6db6b7db408b02216bd0b41a52e37717bebd05d1eb827cc30c40d9c1
Instruction Fuzzy Hash: 25015A38E00105CFEB11EB98D588B9DF7F2FF88321F18C1A5DA09AB215D335AD428B51

Function 06A29094 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2153642231.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a20000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c19f791e2bd62635fbc2353bcbf2c8bb7bde9392dd73851c53c3223332e2a9d
Instruction ID: 444c3d949dba6a42caa9b74c25fbe751a81fb581f49cd5ca9c69d78eb50b9d6a
Opcode Fuzzy Hash: 8c19f791e2bd62635fbc2353bcbf2c8bb7bde9392dd73851c53c3223332e2a9d
Instruction Fuzzy Hash: B011E4B4A4022ACFDBA4EF18CD88BA9BBB1FB49308F0041F99519A7344DB345E84CF51

Function 01A81C10 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83310f84260b9945cf5a0bd71e6556ea7cac20d9a156efe09a7ae28fc5aea01b
Instruction ID: fb7a65117de22d4a0798f80355076dfa031b69bbd8fccf7410091e9140c7174a
Opcode Fuzzy Hash: 83310f84260b9945cf5a0bd71e6556ea7cac20d9a156efe09a7ae28fc5aea01b
Instruction Fuzzy Hash: CD018B70E001099FDB14EFA9C4456EEB7F2EB84314F10C4B5C90A8B388EB386A43CB81

Function 01A87C1A Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0080bc267c2de1ef125f2563f1cd158ce804510169cba9ad47b1c32793b73ae
Instruction ID: 9f025a658c9831e2b264cf72547d9bd2c38b40507556f6de9e0740b96329bc3e
Opcode Fuzzy Hash: e0080bc267c2de1ef125f2563f1cd158ce804510169cba9ad47b1c32793b73ae
Instruction Fuzzy Hash: 0C0171B4A00109CFEB04EF99D588BBDB7B3EBC8304F24C025C5069B265D7789C82CB11

Function 01A85FBA Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0509a1c761a5385fc98e75587debae273649984ee122926d8cdd3d0fc2caaa26
Instruction ID: ec8c0b3f0644086dc900fd96e2a0ed69e98cdb9304ec0e9c22f4553d0544a225
Opcode Fuzzy Hash: 0509a1c761a5385fc98e75587debae273649984ee122926d8cdd3d0fc2caaa26
Instruction Fuzzy Hash: 7C014F38E00101CFEB11AB58D588B5DF7F2EF48321F14C0A6DA09DB615D635D9428B51

Function 01A85B4C Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6a8f264da69dee453e218f8f4f34352f705cd171cbbd80c32b3520a1d181193
Instruction ID: 10bc6ba17b631b6edb7b767dc7dbdfcc7af7b375711a2c6244ba1d0311863c30
Opcode Fuzzy Hash: e6a8f264da69dee453e218f8f4f34352f705cd171cbbd80c32b3520a1d181193
Instruction Fuzzy Hash: 3D018134E04101CFDF15ABA8E988A5DB7B2EF89321F14C065EA0A9B615C635DD428B51

Function 01A85CDD Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87d812c2491fc25dc5d35cbdbce9bf787b914df75a81a7bc2a3f8d5cf7909dad
Instruction ID: fd73f8e4d66b66cfca6dbaf0bf2ed4ec9288319bb5d8a78f7333a291abf2539e
Opcode Fuzzy Hash: 87d812c2491fc25dc5d35cbdbce9bf787b914df75a81a7bc2a3f8d5cf7909dad
Instruction Fuzzy Hash: 8B01D138A04201CFDB11AB98D488B5DF7F2EF89325F18C5AADA199F256D335E9428741

Function 01A85B16 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f8c403c48d749c5f8ecbafceef8aa1f39723095859f61d8db0304607a2176f1
Instruction ID: baa40a26d21cb749666c7edc51bfdf4ed2732d7f468e671e3668e14f68db2aad
Opcode Fuzzy Hash: 1f8c403c48d749c5f8ecbafceef8aa1f39723095859f61d8db0304607a2176f1
Instruction Fuzzy Hash: 3A016D38E00105CFDB11EB98D58865DF3F2EB88221F14C066DA09E7615D634ED028B45

Function 0542695D Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17f70b00baedc19be7280f79bb9b5eda3a95c618a414808c51fb8b0655b94467
Instruction ID: acc65382078a5853f9768e9ee53034d3990cf0ff1993bc8f9be40e4774a377fa
Opcode Fuzzy Hash: 17f70b00baedc19be7280f79bb9b5eda3a95c618a414808c51fb8b0655b94467
Instruction Fuzzy Hash: B111D374915228CFDB26CF24D948BADBBB1FB49305F0141EAE909A7254CB755EC4CF40

Function 01A826E8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b70cd187b365f969677be84edda8ab10376105dd2e08c0de74733db72f70da1
Instruction ID: d67b68e18e99d0a7987ec468a90d1703ccf4cb47a6cd0a9a7283f1fc759ef737
Opcode Fuzzy Hash: 1b70cd187b365f969677be84edda8ab10376105dd2e08c0de74733db72f70da1
Instruction Fuzzy Hash: 11F0BE35B04204CFEB24EA6AE5047EA7BEAEB88325F18807BD50DC3654EB769881C750

Function 01A85338 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2208a30c51d0d252a5a642f033bbe25c9fa808410cb757f4ca390dc1d0f4bdce
Instruction ID: 5e14fdd29e5b2a68cdac89633fcb5c20e2d07bb8471ee9159dfce5c4ad2ab24c
Opcode Fuzzy Hash: 2208a30c51d0d252a5a642f033bbe25c9fa808410cb757f4ca390dc1d0f4bdce
Instruction Fuzzy Hash: FFF0C830A45304DFCB15DFA4F6147ACBBFAEB85311F1040A9D8058B256D7B55E52DB42

Function 01A85B3E Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80f2ca467db6a8fdea6fcac1f12a662acc8f6f0b194f5d09971ac62dc59e004c
Instruction ID: 480db8a0c430e02171e4b621411e6e2b93345fe5425747d8b775b0b19b5f1482
Opcode Fuzzy Hash: 80f2ca467db6a8fdea6fcac1f12a662acc8f6f0b194f5d09971ac62dc59e004c
Instruction Fuzzy Hash: 2FF0F638F04101CFDB11AB68D58966CB7F2EF49321F18C0A2DA0ADB215D635DD428751

Function 054241B9 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a78b3c446538fc9ce22a814ce363e9374b76b71402691392e88b7ede6741854c
Instruction ID: 5c7e57964e4ad80c7663dcaca322918c084eb9285ae162a6e196ee47f120c24e
Opcode Fuzzy Hash: a78b3c446538fc9ce22a814ce363e9374b76b71402691392e88b7ede6741854c
Instruction Fuzzy Hash: EAF0F038586014EBCB59DBE4CA047F9BBF5EF89221F5485DAC8094B355CF368E12D742

Function 01A86750 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c08a27967e1e1937b71bdeef1dbbeea1a88d49c569db94b464398119f766d953
Instruction ID: e0d9f9362d2ca626d96694c32486f906776276529df4fd66f7d46014b53b8342
Opcode Fuzzy Hash: c08a27967e1e1937b71bdeef1dbbeea1a88d49c569db94b464398119f766d953
Instruction Fuzzy Hash: 3AF0DA75B802104FCB58AB78D51891E3BEAAFCD66131545B8E50ACB364EE78DC0187A1

Function 01A85B2F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a73d80ac5f70f4d04bf51cad799eb8c6dce640ca254ce491993bf2d9443b1b9
Instruction ID: 71ed6918e3e4c14b739b3c2d422b72e7c54893ff9a1956d8997853fbf47c5f32
Opcode Fuzzy Hash: 8a73d80ac5f70f4d04bf51cad799eb8c6dce640ca254ce491993bf2d9443b1b9
Instruction Fuzzy Hash: 61F09038B04001CFEB15AB68E58876DF7F6EB89221F18C1A2DA0ADB616D635D9428745

Function 01A85AA2 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 830f215d9a2bf15a539fc5be0ab72f8185135eb100cda8bfcb23293d5491c85c
Instruction ID: 47dc3afbaaa559a451ac9a6f1ea650b1535e8434408efda2ce7ab023e8235a7e
Opcode Fuzzy Hash: 830f215d9a2bf15a539fc5be0ab72f8185135eb100cda8bfcb23293d5491c85c
Instruction Fuzzy Hash: 75F0E934B00001CFDF11BB68E58C65DB3F2EB88321F14C461DA0ADB615D634DD038745

Function 0542D481 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22088dc33951e72d538bf7471d8652db9070453f871f915e6c8bd92c8da70e3d
Instruction ID: c4ea35449eeeaf472dde3abc1b83959c944761afd31df53b10bacb4fb297dc49
Opcode Fuzzy Hash: 22088dc33951e72d538bf7471d8652db9070453f871f915e6c8bd92c8da70e3d
Instruction Fuzzy Hash: 58013C31C0061AEBCF11EF98D8108EEBB75FF89320F40C51AE95877211D731A566DB91

Function 06A22619 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2153642231.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a20000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddf0e3758ca60eb6c11405b585cd5820c0473ee1b33e795d2a024ea2fc598129
Instruction ID: 4211d284ec66ced3fe52c9fa4fb1dfb680a524c4392ae715a3af533242184942
Opcode Fuzzy Hash: ddf0e3758ca60eb6c11405b585cd5820c0473ee1b33e795d2a024ea2fc598129
Instruction Fuzzy Hash: F001F3B490022A8FCBA4DF14CD98A9DBBB1FB54309F0140EA9929A3290CB341EC49F10

Function 0542D488 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef3da38256b61c0b53b2918ff8bce34c047c8a687d47a7e478c1f77c01de906a
Instruction ID: a2b77e1a90c3b6da9e23a80d50b999f2fe5f274e92718d248f9d1b38bcf7de1d
Opcode Fuzzy Hash: ef3da38256b61c0b53b2918ff8bce34c047c8a687d47a7e478c1f77c01de906a
Instruction Fuzzy Hash: 00F03731C0021AEBCF01EF98C8008EEBB75FF89320F00C51AE95827211D732A5A2DB91

Function 01A85381 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e7dd61119b6a8c973986e23dc477fdbfa1b21d9a3d92704c9367da6977060dd
Instruction ID: a0418d34b5ae0cbdfabeb0ecb6a313637a18fdc3e3134aec614162bbecc3ce31
Opcode Fuzzy Hash: 1e7dd61119b6a8c973986e23dc477fdbfa1b21d9a3d92704c9367da6977060dd
Instruction Fuzzy Hash: 79F08C34A017118FE3569A18B5547A5BBF6EB81322F5880B6E8048A192C6FA9896DB81

Function 0542BCA9 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59a6278b0a4276fbc8849a6d5cdb7bd2269b98a6b0cd5b0b34fb87fefb82a70a
Instruction ID: 5c36cf1b7c39553053e58c794283b028b7060a563580d1a35166b19bf2b4d33b
Opcode Fuzzy Hash: 59a6278b0a4276fbc8849a6d5cdb7bd2269b98a6b0cd5b0b34fb87fefb82a70a
Instruction Fuzzy Hash: FAF0BE35409218EFCB06CF94D9409E9BFB1FF49314F04C0CAEC486B296C7329A26EB51

Function 05429B58 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9dfe8691508621e7d1f3fe7b56cfa3af3524284b676d77cf3379d655e08925f
Instruction ID: 9e1421f01c318e26ed8fe9af5a158c2b45c736d0cb7e3623b44cbcdf28f15244
Opcode Fuzzy Hash: f9dfe8691508621e7d1f3fe7b56cfa3af3524284b676d77cf3379d655e08925f
Instruction Fuzzy Hash: 7601DC70E14228CFEB54DFA9D588BDDBBB2FB49300F5080AAD509A3250CB345D82CF04

Function 0542B441 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed2db5acf77f5f486cdaf97677064ea7b17f1afd7e2c096b645dfe7bad026f84
Instruction ID: 294c207582c055e59dd246e96910d6b8fa747d7ea9d926024bf468adff338200
Opcode Fuzzy Hash: ed2db5acf77f5f486cdaf97677064ea7b17f1afd7e2c096b645dfe7bad026f84
Instruction Fuzzy Hash: A5F0A035905108EBCB00CF90D941AEDBBB1EB48310F14C05AFC1566351C73699A2EB41

Function 05423F98 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c05a31edf2feacd6e89b0a54da33033ab37a216c95f64193d1b9b93e3bb90804
Instruction ID: 6d205b3f96e83d31f8a1f53e2441e56fb713177c8e6a21fc1a950a77e7378c16
Opcode Fuzzy Hash: c05a31edf2feacd6e89b0a54da33033ab37a216c95f64193d1b9b93e3bb90804
Instruction Fuzzy Hash: 2BF05E30D482189FCB50DFA8D5016EDBBF4EB48220F20C9DAE818D7385D7799A03DB81

Function 0542A348 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e7727ddd0ed5fd3305e8c52ed88f5d5b613deab6b3079b2944cc7dfdb0d813a
Instruction ID: c34913d44e6fc38459f9490c402e8ca75886d8e23649256090b623b8a7cd3e97
Opcode Fuzzy Hash: 5e7727ddd0ed5fd3305e8c52ed88f5d5b613deab6b3079b2944cc7dfdb0d813a
Instruction Fuzzy Hash: A1F0A035945118AFC700CB94C8016ECFBF5EB48310F04C0AA9C4897341CA758A52DB81

Function 05427CF8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1967909356fe0e0fbc0e92e6c189a9b4e204964931e5383e9f46c098e5ae18bb
Instruction ID: 676f456ecba88cbf36aa0d55771f0f03b2eb2837303e55126b00677148e3e680
Opcode Fuzzy Hash: 1967909356fe0e0fbc0e92e6c189a9b4e204964931e5383e9f46c098e5ae18bb
Instruction Fuzzy Hash: 29F08274D092559FC751CBA8C5409A8BFF1EF46228B18C1EAC9589B2A3CA359907DB01

Function 0542910A Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65fa4203e437db6a30e3c28c3f25996ec764dce1448ce6ccae9cc546bfa41f92
Instruction ID: 4dcb10fe1a5f69a6da7a38c9db75ccb04b6fa4c5d3b4719effa63773c553761c
Opcode Fuzzy Hash: 65fa4203e437db6a30e3c28c3f25996ec764dce1448ce6ccae9cc546bfa41f92
Instruction Fuzzy Hash: 18F0A034808118AFCB40DF95C5057FDFFF4EB48310F14C0AAAC9896341C6398A52DB40

Function 0542E041 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7ebb1723ae9d835087df8ef0afd91b2bdba777ec8eca79c4194c126539c4a5a
Instruction ID: 99834dd98a4015223e76c29b971b32888b21cad3a345dc47de675d50ea65af62
Opcode Fuzzy Hash: b7ebb1723ae9d835087df8ef0afd91b2bdba777ec8eca79c4194c126539c4a5a
Instruction Fuzzy Hash: 87F058B5C05158EBCB41DFA4C941BECBBB5EB48320F14C09AE80466340D2329A22EB41

Function 0542A861 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 435ec76e03832260973efbf5c3401b51f7d52851e6bf57a48ef8a22ce8ef35e9
Instruction ID: 072327a814dce27fa977393a77023568dbc7a4b0305669fb02eaf1dff9d9d9cd
Opcode Fuzzy Hash: 435ec76e03832260973efbf5c3401b51f7d52851e6bf57a48ef8a22ce8ef35e9
Instruction Fuzzy Hash: EBE092709061189FC784EFA8C9413E8BBF4EB08210F5480AACC09D7741DA759A83DB42

Function 05429A70 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3435af28aaf954085500a601152791ada88972ca07f6e81baac00125dc46f470
Instruction ID: 8d8a011d5f2a67a043e783b43ac1a70e20987a5798258e367b79a1a35717818f
Opcode Fuzzy Hash: 3435af28aaf954085500a601152791ada88972ca07f6e81baac00125dc46f470
Instruction Fuzzy Hash: 79E068348081099BE704DBC0C5017ECB7F0FB45310F9480AE980553301C236AD83C781

Function 05420E70 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da32e61b3dd3cc990f9acbfd505ad17fedf3059633ac4190173d8e31c144eded
Instruction ID: 9097f3084b472dfd8bb291ad3d3f253b7da4974120d7bda01bd4771e80945e57
Opcode Fuzzy Hash: da32e61b3dd3cc990f9acbfd505ad17fedf3059633ac4190173d8e31c144eded
Instruction Fuzzy Hash: 8EE06D2852E2949FC316C7B4C505AA9BFF09B46214B19C4DAC84C8B263C6229C0BC742

Function 0542690B Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64749fe633b389f6a1213d80ecd6f8e346cfa3a21779590c5960f5abbf97c33c
Instruction ID: 6e3f2876a32710fe8d5f755665c3b18a0f09c03b627b4feeebc2c072807326e5
Opcode Fuzzy Hash: 64749fe633b389f6a1213d80ecd6f8e346cfa3a21779590c5960f5abbf97c33c
Instruction Fuzzy Hash: 53F0C4B49082388FDB25CF68C6497D9BBB1FB49305F41019AD109A2695CBB84AC5CF16

Function 05428D98 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 810fb092488a73bf59278d9d1b309c485c55a2464ece739589ab7cd6811694bc
Instruction ID: ccfe4983c1343ea02c093619a45518a787e0c45276dddad3ca9791de82aabbb6
Opcode Fuzzy Hash: 810fb092488a73bf59278d9d1b309c485c55a2464ece739589ab7cd6811694bc
Instruction Fuzzy Hash: BBE0DF70C59218AFC740EAA8C90A3DDBBF4AF04201F1440A98808D2380E7718A49C741

Function 05428318 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 478a741f8b78521cba45a955948089b4f047283c8aa2661b90fccd53e64051c2
Instruction ID: 644da299e39f69bc8ee88788fbbd4150f6378eaffb99eeeb72bbb7ccb053bbe7
Opcode Fuzzy Hash: 478a741f8b78521cba45a955948089b4f047283c8aa2661b90fccd53e64051c2
Instruction Fuzzy Hash: CCE02671885208AFC341EBF0C9017CEF7F8EB08211F6025F2C04AD7200EA798E019392

Function 01A80860 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed28085b821eaba7842ec249a513b1896da16d74b3a6891f95f18e0afe9a94cd
Instruction ID: 855d4fd105f5bbf516b9e39f4831e1e44d1494b556ef93af4679ef169eb5c0f6
Opcode Fuzzy Hash: ed28085b821eaba7842ec249a513b1896da16d74b3a6891f95f18e0afe9a94cd
Instruction Fuzzy Hash: FBE0EC7801A3815FC3231B7495152507FF0EF5761EF6541DAA080C9463E26C445B9BA1

Function 05421530 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a04a569ce45352907e60050e9212ebb3a39946e76638ac9d5546ea821674c4f
Instruction ID: 6122dae4ed9672fd0417b3c24d68eccb87a6ed5019d463eff21c5a850b4992e8
Opcode Fuzzy Hash: 2a04a569ce45352907e60050e9212ebb3a39946e76638ac9d5546ea821674c4f
Instruction Fuzzy Hash: CDE026B4509011ABC704C798C6417E87BB1EB8A325F6890CCC85E4B393CA379D43C600

Function 05422F29 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 811908e799ecba3ab46729184b02d9ee3aef65b1a9807937573f0323965e8a48
Instruction ID: 0d2dab24991eafb59ceca014c4b779b5af99d895d91b8edb34eee58fdfeda9c0
Opcode Fuzzy Hash: 811908e799ecba3ab46729184b02d9ee3aef65b1a9807937573f0323965e8a48
Instruction Fuzzy Hash: 8FE0923490E214DFC701CFA8E6449A8BFF0AF46311F1981EAD8089B356C7719D12EB42

Function 05428FF9 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7632f30ffeb9046405b6e7b4a621d0f73e0bc3fbff2897771b49d690255c4e23
Instruction ID: b2fd1750e67693ebd30c09134850101af8e11feedca445271e04546e6d941958
Opcode Fuzzy Hash: 7632f30ffeb9046405b6e7b4a621d0f73e0bc3fbff2897771b49d690255c4e23
Instruction Fuzzy Hash: 59E0D83594A1649FC709C7A8D5066ECBBB19F89330F54C28EDC19073D2CA329D93D642

Function 05420659 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e80b1f317347aeb568e0896e109fce3c8bd7c84c835202ec498ae8d96c5630f6
Instruction ID: 3ea51e581ce101af6865e687daf24c9a0daa673a6b6915ccf5ebbc6b68aa8a44
Opcode Fuzzy Hash: e80b1f317347aeb568e0896e109fce3c8bd7c84c835202ec498ae8d96c5630f6
Instruction Fuzzy Hash: 87E0DF75809108ABCB10DA94DA857E8BBF5EB85314F64C0A9C80957342C6329E03DB91

Function 0542EEC0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bc8befe627bbcc0a5b49e24a21c21fa67ac3ae539bc07733226215a656e90b2
Instruction ID: f7e5afaf1f57e2fda274b808a17223fa7c74a0d94fee1aa31cdd642dba80677b
Opcode Fuzzy Hash: 3bc8befe627bbcc0a5b49e24a21c21fa67ac3ae539bc07733226215a656e90b2
Instruction Fuzzy Hash: ACF0153490520CEFCB01CF98D9409ADBBBAFB48310F10C0AAEC08A7351C7329A21EB41

Function 0542A128 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b0941c1469a100dc798139895a69488c0b49deb021f8ad274065aadb8bb0e03
Instruction ID: 4b85378d9ee9627f5d45af6086106b58af6ccdea5f2512cfac8cf42e3a003e68
Opcode Fuzzy Hash: 6b0941c1469a100dc798139895a69488c0b49deb021f8ad274065aadb8bb0e03
Instruction Fuzzy Hash: 21E0DF708051189BC380CB99C9423F8FBF4EB05221F9480EADC9996341D6799A83CB82

Function 06A36300 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2153642231.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a20000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17fbd66579de55fceec0114b505cd63f19cefc9685e7ddb5a9ac28c51ee4333c
Instruction ID: 10578d27ca77ef796bad406e4c0ea22cd0cb08e8b07b494a7081cf9399f9d2e9
Opcode Fuzzy Hash: 17fbd66579de55fceec0114b505cd63f19cefc9685e7ddb5a9ac28c51ee4333c
Instruction Fuzzy Hash: B5E0ED74D05208EFCB84EFA8D5406ACFBF4EB48310F10C0A9A81897351D7319A51DF81

Function 06A3AB08 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2153642231.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a20000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17fbd66579de55fceec0114b505cd63f19cefc9685e7ddb5a9ac28c51ee4333c
Instruction ID: cc48ce11f3bbc9a47e7c93f38a8158e79dc29b3e862c7809825165dfb81ed5fd
Opcode Fuzzy Hash: 17fbd66579de55fceec0114b505cd63f19cefc9685e7ddb5a9ac28c51ee4333c
Instruction Fuzzy Hash: 18E0C974D05218EFCB84DFA8D540AACFBF5EB48310F10C0AAE84997351D6319A51DF81

Function 06A3D948 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2153642231.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a20000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17fbd66579de55fceec0114b505cd63f19cefc9685e7ddb5a9ac28c51ee4333c
Instruction ID: 7c743ceba291e2963377a301a20a3c531719dbd745d3214f611d03781892a572
Opcode Fuzzy Hash: 17fbd66579de55fceec0114b505cd63f19cefc9685e7ddb5a9ac28c51ee4333c
Instruction Fuzzy Hash: 5CE0C974E05208EFCB84EFA8D5406ACFBF4EF48310F10C0A9A818A7341D6319A51DF81

Function 0542B450 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a1efb453179f7da06a4f6f7e94aee1434d459428d672c1e0bd21b7d73fbdc6f
Instruction ID: 3ca1979d17a23946795e1c1d8e2c8162a14a39f412e68bf977c44dfe1bf3438b
Opcode Fuzzy Hash: 4a1efb453179f7da06a4f6f7e94aee1434d459428d672c1e0bd21b7d73fbdc6f
Instruction Fuzzy Hash: 19E0E535909118EBCB05DF94E9409EDBBB6FB49311F54C09AEC0527361C7329A62EB91

Function 054224E9 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03a1491c1b733509d6266a3bf3a6b260aa35a39af50884af5ae44e80674b9fe4
Instruction ID: 41462e1a3441d300f3d4fe4fe505d6f908118c7bdbe8952c2aa2e73f5e415b1f
Opcode Fuzzy Hash: 03a1491c1b733509d6266a3bf3a6b260aa35a39af50884af5ae44e80674b9fe4
Instruction Fuzzy Hash: 48E0263951D1109FC315C694DA023E87FB1DB8A228F28D0CD880D8B383CA72DC43CB01

Function 0542BCB8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a1efb453179f7da06a4f6f7e94aee1434d459428d672c1e0bd21b7d73fbdc6f
Instruction ID: 2b4887c30589281ba196eb4a7db9c4a3781bae124d63f6554bd4f17df13bbd56
Opcode Fuzzy Hash: 4a1efb453179f7da06a4f6f7e94aee1434d459428d672c1e0bd21b7d73fbdc6f
Instruction Fuzzy Hash: C0E06D38805108EBCB01CF94D9009EDBBB5FB48310F10C099EC0927351C7329A21EB41

Function 0542A7E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5722f9126ce349d35d450e478659c80e43aba6976b7d1c9d5dfb6641a4085b6
Instruction ID: 68856d0dea61b28b708f085f7dd320deb0054232331ffbc47231612e6adc180b
Opcode Fuzzy Hash: c5722f9126ce349d35d450e478659c80e43aba6976b7d1c9d5dfb6641a4085b6
Instruction Fuzzy Hash: E8E0C270409028DFC744CA94C9117E9BBF8EB46324F68E09DDD0997341C7BA9D43D765

Function 05429118 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fba00a08d9b241b73112d3346101d6bd1692bb44222f607997e68864fdd3878
Instruction ID: 60ecea110d2d7013e14b975a2361f80e58037748efb97a99da5fe043582bce0f
Opcode Fuzzy Hash: 6fba00a08d9b241b73112d3346101d6bd1692bb44222f607997e68864fdd3878
Instruction Fuzzy Hash: 0FE03974809118AFCB44DF99C5045BCFBF9AB48210F14C09AAC9896341C6319A51EB51

Function 0542E050 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be55bffe6cfcc343967c1b9536356443ae0d60e687a69792f00afd3c9fa94e85
Instruction ID: de210cd522bc4f62672178f9a55ec9d7792a6943de33a791afbd1cc9f07a69bd
Opcode Fuzzy Hash: be55bffe6cfcc343967c1b9536356443ae0d60e687a69792f00afd3c9fa94e85
Instruction Fuzzy Hash: 57F03934C05218EFCB01DF94C900AACBBB5EB48310F14C09AEC1466351C6329A62EB41

Function 06A3A7D8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2153642231.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a20000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8536956ecec37d76372f506dd48c91b8017134f4ec2dcc6810185264b9530c40
Instruction ID: 1e3068f7f045e69b18c6bc6c728e4149f3b0c3fe3ea20410ac245540fdf5eed9
Opcode Fuzzy Hash: 8536956ecec37d76372f506dd48c91b8017134f4ec2dcc6810185264b9530c40
Instruction Fuzzy Hash: AAE0E574E05218EFCB84EFA8D5806ACFBF4EB88310F10C0AA9808D7345D6319A42DF81

Function 06A3DF38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2153642231.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a20000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8536956ecec37d76372f506dd48c91b8017134f4ec2dcc6810185264b9530c40
Instruction ID: 26a28e8cfadb3f757e35a3603328fd0aa078b805acdb96476ce71927954fad4d
Opcode Fuzzy Hash: 8536956ecec37d76372f506dd48c91b8017134f4ec2dcc6810185264b9530c40
Instruction Fuzzy Hash: ABE0ED74D05208EFCB84EFA8D5406ACFBF5EF48310F10C5A9981C97341D6319A11DF41

Function 06A3F870 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2153642231.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a20000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8536956ecec37d76372f506dd48c91b8017134f4ec2dcc6810185264b9530c40
Instruction ID: 8d2c4c8ea5992ac525c34960de58868386b88b795f1a3e8db533f10006d93e05
Opcode Fuzzy Hash: 8536956ecec37d76372f506dd48c91b8017134f4ec2dcc6810185264b9530c40
Instruction Fuzzy Hash: 88E0E574E05208EFCB88EFA9D5406ACFBF4EB88310F10C0A9981897341D7319A01DF81

Function 05428E38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3311da660d0e8b0f3b77ba8164266ae4a63979d2ec9cb3120cd91a27411013ca
Instruction ID: 1e85f60ffdd10f76ce01baa898e595dd5ca397c78eb62b92e90b180aa3caf3b4
Opcode Fuzzy Hash: 3311da660d0e8b0f3b77ba8164266ae4a63979d2ec9cb3120cd91a27411013ca
Instruction Fuzzy Hash: 4FE0E574E05218EFCB94DFA8D5416ACFBF4EB88310F10C4AA9818D7341D7359A12DF41

Function 05423A50 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cccd7249f7d66a2761c05cedcff20fc5d1e6a67dd86f3cbc6468b50d76bd71f
Instruction ID: 207b2f92dcb9ca9773d2273f712beb17ba1f84c81cdfd6e7ddcb1684e63f295c
Opcode Fuzzy Hash: 1cccd7249f7d66a2761c05cedcff20fc5d1e6a67dd86f3cbc6468b50d76bd71f
Instruction Fuzzy Hash: CBE0D83454D1509FC305CA94C6401A87F70EB46214B5885DAC8498B393C6379C03C741

Function 01A857A8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8f5e73b5129555311d58d73bf8154800ffd95e375c7d0afdea6aa2c77bf30dd
Instruction ID: cda2f6e3897835d41a2ffc0bc092340c150ecaebd38d66429898b4160ba72860
Opcode Fuzzy Hash: a8f5e73b5129555311d58d73bf8154800ffd95e375c7d0afdea6aa2c77bf30dd
Instruction Fuzzy Hash: 42E0C230B01205CEF720BA2AA50472A72DAE7C4710F48CC71DA0C82648D67998914A42

Function 06A3FF90 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2153642231.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a20000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95857d36c133b6478b27b5fbf4a424ed309cfb5b786f3161ee87d4682d16c0db
Instruction ID: c58faa992c9bc4c30a41242d75addb8c8d2f99103501069033c2908668940dda
Opcode Fuzzy Hash: 95857d36c133b6478b27b5fbf4a424ed309cfb5b786f3161ee87d4682d16c0db
Instruction Fuzzy Hash: F1E0E574D09208EFCB44DF98D5409ACFBB4AF89310F14C1AAAC4457345C6329A52EF81

Function 0542EDD8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86da7251e5f87f571880423228ba39718d3f6c6a912a5263c9c28a4f510f59c0
Instruction ID: 7380288d1751b7c7a5b2bcf4b79e88f7bce8d4f583c4cad7a8819a91cec969fc
Opcode Fuzzy Hash: 86da7251e5f87f571880423228ba39718d3f6c6a912a5263c9c28a4f510f59c0
Instruction Fuzzy Hash: 29E0E574D09228AFCB54DF98D5416ACFBB9EB88311F14C0AAD84857341D6729A62EB81

Function 05424F3F Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69f4ca2ba24aca733c307db70cf46c58ffe2a1baf862abb1eef0ca8b30c793f7
Instruction ID: 84397b83446efc6c7882dea051a0ee61923628c681f26d2be0c8831a36edf6bd
Opcode Fuzzy Hash: 69f4ca2ba24aca733c307db70cf46c58ffe2a1baf862abb1eef0ca8b30c793f7
Instruction Fuzzy Hash: E9F0D4749081688FDB61DF28D9487E9BBB1FB49305F4141EAD489A2685CBB84DC4CF10

Function 0542506E Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1ece90cb713e254f25654512641407b9c85dd7099ed51ced4367b0518244204
Instruction ID: 9e4eb3a2736de3075da9a734ecdf1a8be4245599333a074503d1cec26b6f8c0c
Opcode Fuzzy Hash: c1ece90cb713e254f25654512641407b9c85dd7099ed51ced4367b0518244204
Instruction Fuzzy Hash: C6F0D4B49081288FDB25DF28C6457D9BBB1FB49305F4105EAD109A3655CBB84ED4CF11

Function 01A86590 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eca59cdc665d6fb95e8774e733259522eca438149a46a55576cba6dd02510c77
Instruction ID: 416f446e571842ba364430f2f4fe37a58bd9abe58ed560b23ae0b235cc339314
Opcode Fuzzy Hash: eca59cdc665d6fb95e8774e733259522eca438149a46a55576cba6dd02510c77
Instruction Fuzzy Hash: 28E0C236B483948FCB146B74B52C228BFE19B89221B0C88FAC185C765AD93984028B92

Function 06A38FD8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2153642231.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a20000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc01652c7ccf4859b1407f98ecb7d41d2992615cc9b8a4b624c187e402c9e6a7
Instruction ID: 986d9fc1f225f33d1db8e7c549114c955a3a0d124667f9da113045e6a2aac056
Opcode Fuzzy Hash: dc01652c7ccf4859b1407f98ecb7d41d2992615cc9b8a4b624c187e402c9e6a7
Instruction Fuzzy Hash: 5AE01A74D05118EFC754DFA8D5415ACFBF5AF89311F14C0AAA80857341C6359A41DB85

Function 0542A870 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c4423b65c0232cedeaa8afc56a33c462ca2943ec884f383d0f89f7340b7fab2
Instruction ID: f9c0fb8e415871b281d9bf15fe6b4e81c330723ec120c53c39b744fee06ea2f1
Opcode Fuzzy Hash: 7c4423b65c0232cedeaa8afc56a33c462ca2943ec884f383d0f89f7340b7fab2
Instruction Fuzzy Hash: 8CE04F70D05118DFC784EFA8C5406ACBBF4AB48210F5080AA8C0897341EA719E42CB42

Function 05429008 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe3f2630c43af6fd905bfd692ed47e0104ee614e91c72891996b5cd05dac81ef
Instruction ID: 3011c4578be2c7ba3c701e63ef1a8165049c2a3fe9c5f146acf6e8a83b627ff2
Opcode Fuzzy Hash: fe3f2630c43af6fd905bfd692ed47e0104ee614e91c72891996b5cd05dac81ef
Instruction Fuzzy Hash: 66E04F74D09118EBC708DF94D5449ADBBB5EB49310F50C099A80417341CA329A52DB86

Function 06A3E698 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2153642231.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a20000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50064da5dec6c97ddeeba7a3b812e5f81bf59d12f488256147b7ec707cc56cc1
Instruction ID: 5ad540a0f7dbeb006df567c81845c357ceb2f55bf2243eb254127c2d8ffeb5f4
Opcode Fuzzy Hash: 50064da5dec6c97ddeeba7a3b812e5f81bf59d12f488256147b7ec707cc56cc1
Instruction Fuzzy Hash: 2AE0EC74909118DBCB44EF94DA515ACBBB9AB85315F1481A998091B381CB329E52DB81

Function 06A3BAE0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2153642231.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a20000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deffe67795f17ffc54a4eecdeb7eb7f20dd810923a3a67c0e9df5ad56ebe90a9
Instruction ID: a78211a1829553686be7f55865647fd48ea58820c85a2c4236ce014b1d96f7b4
Opcode Fuzzy Hash: deffe67795f17ffc54a4eecdeb7eb7f20dd810923a3a67c0e9df5ad56ebe90a9
Instruction Fuzzy Hash: 8AE01271C42508EFC791EFF48E0169E7BFDDF49211F1045A595049B110EE754E14D7A2

Function 06A3BEF8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2153642231.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a20000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a046d12f88bb4b2b021454280a3eb5631a0078bec42927087de03f8e7f51880c
Instruction ID: 2c457304d3822c14519f3ac5b0c9e74ccaa7b368b6acdc498a420fafb9f30dbe
Opcode Fuzzy Hash: a046d12f88bb4b2b021454280a3eb5631a0078bec42927087de03f8e7f51880c
Instruction Fuzzy Hash: 28E0EC74D16219DFCB80EFB8D5456ADBBF4AB48211F1054A9A808D7250EB309A54DB91

Function 05421540 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1731b8c2d9c49ffab02eb9de859ade980f11155b34005ae5e1c2606e3888066e
Instruction ID: 52bed5f7a5833051e35d40c8cc1e47f8fd0cc39ee688bb00120737156e4b55fc
Opcode Fuzzy Hash: 1731b8c2d9c49ffab02eb9de859ade980f11155b34005ae5e1c2606e3888066e
Instruction Fuzzy Hash: 72E0C274909118EBCB04DF98D5405ACFBB4EB89310F50D0DDD80A17341C7329E42DB81

Function 05428DA8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a44356b1d0ef7e0c9d7c78be3aaa56a1ca6a665f55ebd89ee5bc7a44ffe26e5
Instruction ID: a9020d3a288cc9ce51627982457be31aed49de77e91b2db8e1878bfdccf8ab21
Opcode Fuzzy Hash: 3a44356b1d0ef7e0c9d7c78be3aaa56a1ca6a665f55ebd89ee5bc7a44ffe26e5
Instruction Fuzzy Hash: A7E01270D5621CDFC780EFB8D5456EDBBF5AF14211F5040A9C80993350E7715A55D742

Function 054224F8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1731b8c2d9c49ffab02eb9de859ade980f11155b34005ae5e1c2606e3888066e
Instruction ID: d65e71326d388fe52489eed1bea560488e720c6c7f15cdd5581761c27141dafd
Opcode Fuzzy Hash: 1731b8c2d9c49ffab02eb9de859ade980f11155b34005ae5e1c2606e3888066e
Instruction Fuzzy Hash: CCE0C27890D118DBCB04DF94D5405ACFBB9EB89314F50C0EDC80927341CB729E42DB81

Function 05422F38 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1731b8c2d9c49ffab02eb9de859ade980f11155b34005ae5e1c2606e3888066e
Instruction ID: 9f8d74e5b8140be1605a18b9a9a7e3f30584fbef98687f4f89ef31a50697f41d
Opcode Fuzzy Hash: 1731b8c2d9c49ffab02eb9de859ade980f11155b34005ae5e1c2606e3888066e
Instruction Fuzzy Hash: 43E08C3890D118DBCB04DF94E5405ACBBB8AB89311F5081A9980817345CA729E12EB85

Function 05420668 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1731b8c2d9c49ffab02eb9de859ade980f11155b34005ae5e1c2606e3888066e
Instruction ID: 5da3e126dd1501e8ca428960184329ae9761e75ea471782eb02b22851c2bf921
Opcode Fuzzy Hash: 1731b8c2d9c49ffab02eb9de859ade980f11155b34005ae5e1c2606e3888066e
Instruction Fuzzy Hash: 56E0C234909118EBCB14DF94D6445ACFBF9EB85314F50C0DDC80817341CB329E06DB81

Function 05420E80 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1731b8c2d9c49ffab02eb9de859ade980f11155b34005ae5e1c2606e3888066e
Instruction ID: 6174eff4a0e5704eb986081162ad20162ecdf33809644f9cfd5451ce02e84d2c
Opcode Fuzzy Hash: 1731b8c2d9c49ffab02eb9de859ade980f11155b34005ae5e1c2606e3888066e
Instruction Fuzzy Hash: 13E08C34909118DBC704DF94D5445ACBBF4AB85310F548099880817341C732AE42DB85

Function 054241C8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1731b8c2d9c49ffab02eb9de859ade980f11155b34005ae5e1c2606e3888066e
Instruction ID: 3f7474867d56731b4b925fd9eb2ed9b760c0db902599db5a9f398c93e9fd9b82
Opcode Fuzzy Hash: 1731b8c2d9c49ffab02eb9de859ade980f11155b34005ae5e1c2606e3888066e
Instruction Fuzzy Hash: 36E08C38A09118DBCB04DF94D9445BCBBB9EB85310F60809988081B341CA329F02DB81

Function 0542F890 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1731b8c2d9c49ffab02eb9de859ade980f11155b34005ae5e1c2606e3888066e
Instruction ID: b128f99ccdbbbd95e603bc32c6405206e2bd6c384e57553e96cd950236430909
Opcode Fuzzy Hash: 1731b8c2d9c49ffab02eb9de859ade980f11155b34005ae5e1c2606e3888066e
Instruction Fuzzy Hash: 4FE0C234D09118EBC704DF94D5415ACFBB4EF85310FA4C0D9C80917345CB329E46DB81

Function 05428328 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81a6ad966ebc28a97691bfaf75520e060f6b081f522b801e27a646a4a5f9c175
Instruction ID: 36345df12e7a9795c1a0af6c4a0bd3d6b7f5295d84b36576d925a10b5940f443
Opcode Fuzzy Hash: 81a6ad966ebc28a97691bfaf75520e060f6b081f522b801e27a646a4a5f9c175
Instruction Fuzzy Hash: 0EE01271882208EFC781EFF48A0069EBBFDDF49211F4045E5944597210EE764A10D792

Function 05423A60 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1731b8c2d9c49ffab02eb9de859ade980f11155b34005ae5e1c2606e3888066e
Instruction ID: ceea6f05933bf4efdd68277d52f1820904718d520211311b965fdf2257839be2
Opcode Fuzzy Hash: 1731b8c2d9c49ffab02eb9de859ade980f11155b34005ae5e1c2606e3888066e
Instruction Fuzzy Hash: B2E0C234909118EFC704DF94D9805ACFBB4EB85310F50C0EAC80917341C7329E02DB81

Function 054292F8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1731b8c2d9c49ffab02eb9de859ade980f11155b34005ae5e1c2606e3888066e
Instruction ID: 766ad553b3d956d055005a7c64347c417194b5809f64716fe9ae0eb581557768
Opcode Fuzzy Hash: 1731b8c2d9c49ffab02eb9de859ade980f11155b34005ae5e1c2606e3888066e
Instruction Fuzzy Hash: 9CE0C234909118DBCB04DF94D5405ACFBB8FB89310F50C0EDC80817391CB329E42DB81

Function 05429A80 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1731b8c2d9c49ffab02eb9de859ade980f11155b34005ae5e1c2606e3888066e
Instruction ID: 4713f4b71443b6d8874560fb9847bdf0b220d6459024172d3b7ca3f89090348a
Opcode Fuzzy Hash: 1731b8c2d9c49ffab02eb9de859ade980f11155b34005ae5e1c2606e3888066e
Instruction Fuzzy Hash: 5FE08C34909218DBC704DF94D5405ACBBB4BB85310F50809E980917341C632AE82DB85

Function 0542F2B8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1731b8c2d9c49ffab02eb9de859ade980f11155b34005ae5e1c2606e3888066e
Instruction ID: 3f9e9e34e8783eaaef82ea63b4c589c695939b7da84389edcf17e307afa6d338
Opcode Fuzzy Hash: 1731b8c2d9c49ffab02eb9de859ade980f11155b34005ae5e1c2606e3888066e
Instruction Fuzzy Hash: 83E08C38909118EBC708DF94D5425ACBBB8AB86310F908099880867381CA329E16DB91

Function 01A83E30 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cce12c33284732dcb90ca0fb62ba680b4adb1835e7beca3e2d09ed82f12fdf4c
Instruction ID: 377f682b7d943a9302dba8b98e2d8f2ce4d45adad27d7481d4641f3f5eaaea7b
Opcode Fuzzy Hash: cce12c33284732dcb90ca0fb62ba680b4adb1835e7beca3e2d09ed82f12fdf4c
Instruction Fuzzy Hash: F4E0E574500204CFEB2AAF04D0687B47BB2FB45306F5484EAC51A47AC1CB798AC6CF80

Function 05426D10 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c0ea84708a83c609695766047f41f83e3628a59288678b322382574f982d7be
Instruction ID: 1f094cdaa708d5e0bfda67910159b93b12e22b6afd0fc04cd1d5dd3eae87a891
Opcode Fuzzy Hash: 4c0ea84708a83c609695766047f41f83e3628a59288678b322382574f982d7be
Instruction Fuzzy Hash: 0EE08C7081912C9FC750DBA8D5002ACBFF4EB49215F5480DAC80857342DA329A02DB41

Function 0542DC4B Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dee5644e05e3cf09a2372477064a889dc9a66571a28d6ce4b78b2a11a4c4e04
Instruction ID: 4b25931ccc59846ef6e76f6aaf18f381138e347b5763233451bcc32fc2ca2a5a
Opcode Fuzzy Hash: 9dee5644e05e3cf09a2372477064a889dc9a66571a28d6ce4b78b2a11a4c4e04
Instruction Fuzzy Hash: ACE0E5B4D0422C8BDB12CF54CD44BDABBF9BB09304F1041AAE209A7240D6B45E84CFA0

Function 05428668 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c0ea84708a83c609695766047f41f83e3628a59288678b322382574f982d7be
Instruction ID: ab05accd38571bf2ee4a16d81c5bd6172df07ac2a04fde9b89da9ca6982c896f
Opcode Fuzzy Hash: 4c0ea84708a83c609695766047f41f83e3628a59288678b322382574f982d7be
Instruction Fuzzy Hash: A2E0C230809218DFC740DBA8C5006BCFFF4EB49215F54C0DAC84857341DB329E02DB81

Function 0542A138 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c0ea84708a83c609695766047f41f83e3628a59288678b322382574f982d7be
Instruction ID: 37139d5ab3fefebdd7fc8088ea18ee285ec67af976a6c0274de34c16eb7ba794
Opcode Fuzzy Hash: 4c0ea84708a83c609695766047f41f83e3628a59288678b322382574f982d7be
Instruction Fuzzy Hash: D7E0C230809118DFC744DFA9C5412BCFFF4AB49221F9480EACC4857341D6729E02DB41

Function 0542FF08 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75b795f270cb80daf9fc95d3edc131e41f5bbba8fe8e145d8bec0483dbc1576c
Instruction ID: 29385acce1b6ec4f7d669e0b285030e97a44c0acebea505403a2055765ba8bd6
Opcode Fuzzy Hash: 75b795f270cb80daf9fc95d3edc131e41f5bbba8fe8e145d8bec0483dbc1576c
Instruction Fuzzy Hash: 92D05E7050E118EBCB44CA94E501AAAB7B8EB46214F94909A980947349CA329D02DB81

Function 0542A7F0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75b795f270cb80daf9fc95d3edc131e41f5bbba8fe8e145d8bec0483dbc1576c
Instruction ID: b5dee90b1dd7dc9a78352be017590af42fd741d258576929a75e9fb1cfac0514
Opcode Fuzzy Hash: 75b795f270cb80daf9fc95d3edc131e41f5bbba8fe8e145d8bec0483dbc1576c
Instruction Fuzzy Hash: 51D05E7090A118DFC744CA95D500AA9B7ECEB46214F54809D9C0957341CA729D02D761

Function 01A85348 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d007ce9a0cc09a894c1e6a2e3f942e4354cf7fec3162015dce9ec39ce596f6df
Instruction ID: ebac04cbea91fd1771c276921cc04400535a46e5a27c8fe83e9c91ccf3de3de9
Opcode Fuzzy Hash: d007ce9a0cc09a894c1e6a2e3f942e4354cf7fec3162015dce9ec39ce596f6df
Instruction Fuzzy Hash: 41D01770A0110DEF8B08DFA8EA4595DBBFDEB48200B1041A89908E7224EA316F209B82

Function 01A85A73 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cffd55c398d17bb4f3e0cd5dc085eb93f383dd9c5b3d9881788f0e64d6d1e1a
Instruction ID: 69d20b522f067cf35d12d14cd1895ee3a6d25fb24b94dd0fe8a51092cc7f88c2
Opcode Fuzzy Hash: 2cffd55c398d17bb4f3e0cd5dc085eb93f383dd9c5b3d9881788f0e64d6d1e1a
Instruction Fuzzy Hash: 6BD0123AB04001C5FB517565B9493AEF3B3E7C0135F18C477CB1E92406E63194178215

Function 0542BFA2 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5298d86d0b95b80ea892290c5df9ee0a3ed33ef8d57d0d336de58c9cd7a8e851
Instruction ID: d1e9946c325e23a0353fd75bf54e0e82998cdd5bb169a27369bb7556d2a433a3
Opcode Fuzzy Hash: 5298d86d0b95b80ea892290c5df9ee0a3ed33ef8d57d0d336de58c9cd7a8e851
Instruction Fuzzy Hash: C2E0B671A045288BEB11DBA4C958F99BBB2FB4D305F108099E20D67254C7765D849F50

Function 06A3EB60 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2153642231.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a20000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e84e94f040f18f7de998c1f13a297dbd9b4746fe25d792851a81d755a04b27ac
Instruction ID: b3b28d7e20ef8d7dd81b2933834cf7f8189112dcb5e1af683346680df522148d
Opcode Fuzzy Hash: e84e94f040f18f7de998c1f13a297dbd9b4746fe25d792851a81d755a04b27ac
Instruction Fuzzy Hash: 7BC08C3019B7158EC2922A446109374BAEC6B06212F409802700F088278B614010C292

Function 01A80CFB Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca4899c0ed33194e1a2517d11ec2e38aa7d0ac6ca11aed1576ff28f730a7f35e
Instruction ID: 55b90fa608b99c8690b121ef27b650a97ac773e4d7189cf91f9a7de76f192757
Opcode Fuzzy Hash: ca4899c0ed33194e1a2517d11ec2e38aa7d0ac6ca11aed1576ff28f730a7f35e
Instruction Fuzzy Hash: 9CD0A935A00014CFE728AF558900298B6E0BB0934078A88B6EA82AB012C730A80ACB80

Function 01A820C1 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6430dd2bda5b4c29e412769ce6f8ad4606d7fedda4d9bba7b694c50bb366d8a3
Instruction ID: c4c68fe0f23fb9134ff96acd4b7c133b3924a923ea5161972a26470771b9d011
Opcode Fuzzy Hash: 6430dd2bda5b4c29e412769ce6f8ad4606d7fedda4d9bba7b694c50bb366d8a3
Instruction Fuzzy Hash: B8D0C970A0010E8FCB14EFA4E644E9DBB76FF50304F10442A90496B658CB342E06CB41

Function 01A808A0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c084abf05532014cd48a4e8e6705b5cc6bb724503566d521c7380dff61cac962
Instruction ID: ebd412c7706df03681a37b660812fc8fe262c51e275d8a9dc30d7a52bdb7a6d0
Opcode Fuzzy Hash: c084abf05532014cd48a4e8e6705b5cc6bb724503566d521c7380dff61cac962
Instruction Fuzzy Hash: 28C08074C243445FCB714B7050482F47FE49B0617DF1445DED44459433C36104578B00

Function 01A8319F Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaef2cde8076128876ef707a3ff49fb77e7a7bd20f74d06b881619d4e26b777d
Instruction ID: 8badbc0aea61cc3d7091afcba486479cb2d4f0507ff11061376a1df5ab1daf79
Opcode Fuzzy Hash: aaef2cde8076128876ef707a3ff49fb77e7a7bd20f74d06b881619d4e26b777d
Instruction Fuzzy Hash: AFC01270600204CFD729AF20C0183647BB2FB48305F0081AA880E82780CB348C80CF00

Function 01A808C0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1c88f49063eb276a6065755243d202004573bfba0ce20e965421a41103e446a
Instruction ID: 95638fed9ed5067bf5d9c756c3dca93d03bf185f07937ff886fe5f8e309b2d9c
Opcode Fuzzy Hash: b1c88f49063eb276a6065755243d202004573bfba0ce20e965421a41103e446a
Instruction Fuzzy Hash: 75B0922440658409CBB1C7200A0DBEA3ED16B0A12CF5C85DC81452A403D71100038B92

Function 01A808B0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a0c262becf211ad993329805aefb5d2d5cbc55ed99c60c79ae0f48e137bc4d0
Instruction ID: 06e859cfa0fe43eadb9ea36a753a277a09d11991ab3a822c32914d1e0102ddfe
Opcode Fuzzy Hash: 3a0c262becf211ad993329805aefb5d2d5cbc55ed99c60c79ae0f48e137bc4d0
Instruction Fuzzy Hash: 19900275045A0C8F4950279574095D5B7DC954953A7804451B50D495059A59645046A5

Function 01A83EEB Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e4a1f99f56a6e0deeac4a96928290ecfb4c8d616e0c95959af78e27b5a9be99
Instruction ID: c623a87a1a46763c0a8065f966d754119fdb6e4961648d04617e463a19795608
Opcode Fuzzy Hash: 0e4a1f99f56a6e0deeac4a96928290ecfb4c8d616e0c95959af78e27b5a9be99
Instruction Fuzzy Hash: 4CB092B084111A8BC7788F18C9047A8BAF0AB08300F00C0FB9A2DE2A50E6300980AF24

Function 01A85C24 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1a29ac601c88f44bba5bc610020faf2b435bf02fde3cbd2aacbe5af2ef4d2be
Instruction ID: 5620160501c544f3847b48d8cf418bc9eaee63cd5d135d99305481900795de0e
Opcode Fuzzy Hash: e1a29ac601c88f44bba5bc610020faf2b435bf02fde3cbd2aacbe5af2ef4d2be
Instruction Fuzzy Hash: 3FA012348002008BC3418A10D0C8318B9F1A708210F108051644189604D53040C14700

Non-executed Functions

Function 01A8EFC8 Relevance: 2.7, Strings: 2, Instructions: 165COMMON

Download Yara Rule

Strings

4']q, xrefs: 01A8F0AA
4']q, xrefs: 01A8F07F

Memory Dump Source

Source File: 00000000.00000002.2133743923.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID: 4']q$4']q
API String ID: 0-3120983240
Opcode ID: ba15c6f15b48ceb46838fcb7f9d52f31f200a2e8da4a8602d76c20f4840f6904
Instruction ID: a7f0e884c8473d953a25b87ee0afc56b5734d2afef816c6d3302b66112256a27
Opcode Fuzzy Hash: ba15c6f15b48ceb46838fcb7f9d52f31f200a2e8da4a8602d76c20f4840f6904
Instruction Fuzzy Hash: 31711F70E042098FE708DFAAE950A9ABBF7FFC8300F14C539D104AB269DB795955CB51

Function 05411BE8 Relevance: 1.5, Strings: 1, Instructions: 211COMMON

Download Yara Rule

Strings

daq, xrefs: 05411E0A

Memory Dump Source

Source File: 00000000.00000002.2144227384.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5410000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID: daq
API String ID: 0-1532007458
Opcode ID: 5a43a3c1995db22dd2492c99ba069143be05a134994926b69b55a49dad37aba7
Instruction ID: 19f615d2280100159a017d20b074f71dde1442552e1171471a02cb6c6294d62a
Opcode Fuzzy Hash: 5a43a3c1995db22dd2492c99ba069143be05a134994926b69b55a49dad37aba7
Instruction Fuzzy Hash: 8091F074A04218CFEB14DFA9DA48BEDBBF2FB49304F0091AAD509A7354EB785D85CB05

Function 05411BDA Relevance: 1.5, Strings: 1, Instructions: 210COMMON

Download Yara Rule

Strings

daq, xrefs: 05411E0A

Memory Dump Source

Source File: 00000000.00000002.2144227384.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5410000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID: daq
API String ID: 0-1532007458
Opcode ID: 5fc009dbb44e41d2904121954a7c06ed913aa94dbf32be80e1de216628cd79ee
Instruction ID: c85ad05ff2fff07a73ec282f647270cebed59bb05e388eb61d26383342f01135
Opcode Fuzzy Hash: 5fc009dbb44e41d2904121954a7c06ed913aa94dbf32be80e1de216628cd79ee
Instruction Fuzzy Hash: D491F1B4A04218CFEB14DFA9DA48BEDBBF2FB49304F0051AAD509A7354EB785D85CB05

Function 0542F8D0 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22d735ab5386d2a57150e1afc8dbef4d951b11cc92b4b0fb70aec34d77eab73a
Instruction ID: a54a6d11bfcd1f11b71d0dac37b773d61d3590e27bdfda93bb731a4bd68ed353
Opcode Fuzzy Hash: 22d735ab5386d2a57150e1afc8dbef4d951b11cc92b4b0fb70aec34d77eab73a
Instruction Fuzzy Hash: 5FC10474A04228EFDB14DFA9D559BEDBBF2FB49300F90806AD409A7254DB785D89CF10

Function 05420EB0 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69a4d489ceda162dae657f620f862d852738de0e852db72ab7319935f7e6c211
Instruction ID: db8cb28790ee450dff2bcd1926d74517025b055ef7dbde342e5969df86aa8fd9
Opcode Fuzzy Hash: 69a4d489ceda162dae657f620f862d852738de0e852db72ab7319935f7e6c211
Instruction Fuzzy Hash: 5D912470A09228CFDB14DFA9D588BEDBBF2FB49304F51906AD409A7244DB785A85CF10

Function 05420EC0 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2683fea35ea62d9779ad6a56214ee272a6168f4162b8fa6031e4b1a4dd4bb590
Instruction ID: 7b7be4104085fdbc55a7137f4f6248972c4530e8bfd98fd470c63d2be3458534
Opcode Fuzzy Hash: 2683fea35ea62d9779ad6a56214ee272a6168f4162b8fa6031e4b1a4dd4bb590
Instruction Fuzzy Hash: DB912470A09228CFDB14DFA9D548BEDBBF2FB49304F51906AD409A7244DB785E85CF11

Function 0542115C Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53bd9321f99939d0542f8fcf8588dc0a4d6fd47d0bbce2279ba2cbe48112c5b5
Instruction ID: f873c7250dacf07afe506a61b856695207df78a59b959403d73f5d256dac02c0
Opcode Fuzzy Hash: 53bd9321f99939d0542f8fcf8588dc0a4d6fd47d0bbce2279ba2cbe48112c5b5
Instruction Fuzzy Hash: 1E911574E09228CFDB14DFA9D588BEDBBF2FB49304F51906AD409A7254DB785986CF00

Function 06A3E6D8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2153642231.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a20000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9c51b07b722f053c1bfe878d5a7b84a4f75dbb5a8b6d277d0b344cf94d8c7e8
Instruction ID: 3ca6c540e273443a334249eb01209ce6df9de14ed8062fbbf70bbba08e09bef9
Opcode Fuzzy Hash: d9c51b07b722f053c1bfe878d5a7b84a4f75dbb5a8b6d277d0b344cf94d8c7e8
Instruction Fuzzy Hash: C991F970D05228CFEBA4EFA9D944BDDBBF1BF49304F1490AAE009AB251DB745986CF41

Function 0541EC5A Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144227384.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5410000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d11e28b92df280645a28d01c42adc0d73e1f3db8be99e34c0a5178aab149610e
Instruction ID: 3716ebd5c403511fbb73b5a43e3147141e24634da19ab27da65e90ed551eb47e
Opcode Fuzzy Hash: d11e28b92df280645a28d01c42adc0d73e1f3db8be99e34c0a5178aab149610e
Instruction Fuzzy Hash: 6B41F0B5C04259DFCB10CFA9D440AEEFBF4BB09310F14802AE815B7240C738AA45CFA8

Function 0541EC60 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144227384.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5410000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ca4fa87021bfa01ecab1cfa64d03a045a0bb8752f299a030fff5f2cff429840
Instruction ID: b22648dd7ce1b21b345578094010445a4b1996ab708c8581e4dc78493a3a565c
Opcode Fuzzy Hash: 4ca4fa87021bfa01ecab1cfa64d03a045a0bb8752f299a030fff5f2cff429840
Instruction Fuzzy Hash: CC41D0B5D04258DFCB10CFA9D444AEEFBF4BB09310F14906AE815B7250C738AA45CFA4

Function 06A20040 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2153642231.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a20000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cf0f1b829aa03e84cc26fafdf9eb21ed816946b7c5e7136343e2dc5935376db
Instruction ID: 83740ba40d18fa343f8ab93f504650c0a2bfd4be34a402d2d6e2ba1a5dc55d12
Opcode Fuzzy Hash: 3cf0f1b829aa03e84cc26fafdf9eb21ed816946b7c5e7136343e2dc5935376db
Instruction Fuzzy Hash: D941ED70D056298FEB68DF1ACD587DAFAF2AF88301F00C0EA950CA7254EB704AC58F51

Function 05419F50 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144227384.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5410000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ab8956aa2ada559cb318a571c3abd56d1634121d81b2fdfb0498986fce2d1a7
Instruction ID: c95d1638f81b793fd334fb430fcd8dc664b0b13124249a4b2af13649f8751efc
Opcode Fuzzy Hash: 8ab8956aa2ada559cb318a571c3abd56d1634121d81b2fdfb0498986fce2d1a7
Instruction Fuzzy Hash: D621D3B5D042089FCB14CFA9D580AEEFBF5FB49320F14945AD84577210C7356945CFA4

Function 05419F58 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2144227384.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5410000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b78e4ab3f46649f9a6cc8599669b83a13b82507ae87e82f44968d83464da0e5
Instruction ID: 75eae8568fecd39a4ed877872f12dcabcc960935bf4be20051e77fa3bb91211d
Opcode Fuzzy Hash: 7b78e4ab3f46649f9a6cc8599669b83a13b82507ae87e82f44968d83464da0e5
Instruction Fuzzy Hash: FF21C0B5D042189FCB14DFA9D984AEEFBF5FB49320F10905AE809B7210CB35A945CFA4

Function 0542C5FA Relevance: 5.1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

Strings

(, xrefs: 0542CC71
+, xrefs: 0542C60C
:, xrefs: 0542BE30
8, xrefs: 0542BE55

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID: ($+$8$:
API String ID: 0-2044610021
Opcode ID: aaaed503839371d8fa0ad9ddbc0ca8df3251d85dd08e6d894a24c805e7bce190
Instruction ID: 272fa470f0e12d4d20176c674fad222b425942f37e3345e17d8e5f7b2b3aecb7
Opcode Fuzzy Hash: aaaed503839371d8fa0ad9ddbc0ca8df3251d85dd08e6d894a24c805e7bce190
Instruction Fuzzy Hash: 8D31CB70905268CFEB64DF28C984BEDB7B2FB0A300F8089EAC109A7250CB745AC5CF14

Function 0542BE86 Relevance: 5.1, Strings: 4, Instructions: 58COMMON

Download Yara Rule

Strings

0, xrefs: 0542D03D
", xrefs: 0542D017
:, xrefs: 0542BE30
8, xrefs: 0542BE55

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID: "$0$8$:
API String ID: 0-3399400504
Opcode ID: 142f3ac0d39815469cf089da71144282baf956c29b41a327858dfc2be09556a9
Instruction ID: 0ca62a814f54eefa24e650c5c25696a3035261bb935c353bcc2ed9515d2d3aa8
Opcode Fuzzy Hash: 142f3ac0d39815469cf089da71144282baf956c29b41a327858dfc2be09556a9
Instruction Fuzzy Hash: A621BB709052A8CFEB60CF29C984BE9B7B2FB09344F8089E6D509B7250DB785AD5CF14

Function 0542CF30 Relevance: 5.1, Strings: 4, Instructions: 55COMMON

Download Yara Rule

Strings

1, xrefs: 0542CF55
:, xrefs: 0542BE30
8, xrefs: 0542BE55
6, xrefs: 0542CF7E

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID: 1$6$8$:
API String ID: 0-334024651
Opcode ID: c243f045438746394383a90470a13f327bb53d0a6a2e07f6275d688d43aa14ef
Instruction ID: ccf1c548bb5437b6a7a638d8dc15ce99fe52059e25cd3706c0cfeb90b5c1d4c4
Opcode Fuzzy Hash: c243f045438746394383a90470a13f327bb53d0a6a2e07f6275d688d43aa14ef
Instruction Fuzzy Hash: C021B970901268CBEB60CF28C988BDDB7B2FB09304F8085E6D509B3250CB785AD5CF14

Function 0542BFEB Relevance: 5.1, Strings: 4, Instructions: 51COMMON

Download Yara Rule

Strings

0, xrefs: 0542D03D
", xrefs: 0542D017
:, xrefs: 0542BE30
8, xrefs: 0542BE55

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID: "$0$8$:
API String ID: 0-3399400504
Opcode ID: 1dd858a5dcc0c3fb09d950b03d9032aaa8cb799275271447fc118e4931c8d3ab
Instruction ID: 1d77f39350f95a9e123d0297a3f0122856f4a2120d71fcc81629eda96ad14f47
Opcode Fuzzy Hash: 1dd858a5dcc0c3fb09d950b03d9032aaa8cb799275271447fc118e4931c8d3ab
Instruction Fuzzy Hash: 0F21BB70901268CEEB61CF19C944BE8B7B2FB09304F8085E6D509B2250C7B95AD5CF14

Function 0542CA6F Relevance: 5.0, Strings: 4, Instructions: 47COMMON

Download Yara Rule

Strings

3, xrefs: 0542CA6F
/, xrefs: 0542CA98
:, xrefs: 0542BE30
8, xrefs: 0542BE55

Memory Dump Source

Source File: 00000000.00000002.2144285276.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_Xp7zCcGiGj.jbxd

Similarity

API ID:
String ID: /$3$8$:
API String ID: 0-3974735656
Opcode ID: 1fcc7ce3131265779848a1af3f41647c9bcc22bdf353bf9dc114550479ae7091
Instruction ID: 86cda7f7f33497377449f60582a3bc2e555887bc3297d9af7e91dd78fefbc259
Opcode Fuzzy Hash: 1fcc7ce3131265779848a1af3f41647c9bcc22bdf353bf9dc114550479ae7091
Instruction Fuzzy Hash: F421BD709052A8CEEB65CF18C948BDCB7B1FB09340F8085E6D509B3250CBB85AD5CF14

Analysis Process: InstallUtil.exePID: 6536, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	7.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	74
Total number of Limit Nodes:	6

Executed Functions

Function 0110BFF7 Relevance: 1.7, APIs: 1, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0110C25E

Memory Dump Source

Source File: 00000002.00000002.2167611962.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f7db4f0e7f388a7234fbc88ec1f03c7f8ec7e05587ae0ab1493167a2eb71e68a
Instruction ID: 21b08d8241cdcf3acac81b015333865773a984312d17b263f975f34ff9d2ea54
Opcode Fuzzy Hash: f7db4f0e7f388a7234fbc88ec1f03c7f8ec7e05587ae0ab1493167a2eb71e68a
Instruction Fuzzy Hash: 74813570A00B058FD729DF69D44075ABBF1BF88304F108A6DD48ADBA90DBB5E945CF90

Function 011063D4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01107421

Memory Dump Source

Source File: 00000002.00000002.2167611962.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4c85f3dc0e742552e6995e8a9064ca3819505f4f37a1cf2aa89e4d5fe9e6bc3c
Instruction ID: 3da939e7694bf3945ced7994537ae4d3972caf143936ee6d8ed019cd45d70190
Opcode Fuzzy Hash: 4c85f3dc0e742552e6995e8a9064ca3819505f4f37a1cf2aa89e4d5fe9e6bc3c
Instruction Fuzzy Hash: CF41E2B0C0061DCFDB29DFA9C844B9DBBF5BF48304F60806AD418AB295DBB56946CF91

Function 01107367 Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01107421

Memory Dump Source

Source File: 00000002.00000002.2167611962.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ae69a20958df9495601cf419e08d4c3918c1cd49fbc872cdd7c780102d606607
Instruction ID: ef5412979b11f1764b2c750c43b88ac013b65b3fa355e5fc158c470e367c1f9c
Opcode Fuzzy Hash: ae69a20958df9495601cf419e08d4c3918c1cd49fbc872cdd7c780102d606607
Instruction Fuzzy Hash: 6D4102B0C00619CFDB29DFA9C844B9DBBB5BF48304F60805AD448AB290DBB56946CF91

Function 0110611C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0110674E,?,?,?,?,?), ref: 0110680F

Memory Dump Source

Source File: 00000002.00000002.2167611962.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f23c11eca3e100fe97fed2b9cb912c71cae30af8f3f84291b86397503faa6a73
Instruction ID: 90e5c0419ce30e0668c8ee65dc1af396eb205166e7fca6e67caaeb2bc419cc73
Opcode Fuzzy Hash: f23c11eca3e100fe97fed2b9cb912c71cae30af8f3f84291b86397503faa6a73
Instruction Fuzzy Hash: 9F21D4B5D002089FDB10CF9AD984ADEBFF9EB48310F14841AE914A7250D378A954CFA1

Function 01106783 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0110674E,?,?,?,?,?), ref: 0110680F

Memory Dump Source

Source File: 00000002.00000002.2167611962.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e85fb591bb5e802a3576f42d0f20dc08ff0f67547465e2debd5c4fa159b959df
Instruction ID: a00fad6b96cbff214460e27ce3aafd2b9fa185c9aff413508742b04bd0c3803d
Opcode Fuzzy Hash: e85fb591bb5e802a3576f42d0f20dc08ff0f67547465e2debd5c4fa159b959df
Instruction Fuzzy Hash: 5421E4B5D002089FDB10CF9AD984ADEBFF9FB48310F14801AE918A3350D378A954CFA1

Function 0110C1F8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0110C25E

Memory Dump Source

Source File: 00000002.00000002.2167611962.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1100000_InstallUtil.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: bde1610e1aa071c293b23fcc2184d7ef0995c200d6a4b206f917e488de47b9a3
Instruction ID: 710e69e2393790ae95ef97e1791db3aec9ddace88ef5a1a52afce5f2c37ff8c0
Opcode Fuzzy Hash: bde1610e1aa071c293b23fcc2184d7ef0995c200d6a4b206f917e488de47b9a3
Instruction Fuzzy Hash: BC1140B5C002088FCB14CF9AC444BDEFBF4EF88310F10815AC918A3600C3B9A544CFA1

Function 0106D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2167376316.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_106d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da3da76947efcc7a05d7ab383779437bc7ad353ea0fe659e78bc07b98ba54bdf
Instruction ID: 213bfc41fd36fdc1d8a391fd2463b6ae380031e8276a3c698f80e98815db1d95
Opcode Fuzzy Hash: da3da76947efcc7a05d7ab383779437bc7ad353ea0fe659e78bc07b98ba54bdf
Instruction Fuzzy Hash: 7F210371604200DFEB15DF68D580B26BFA9EB88314F20C5A9E9890B256C33AD406CBA1

Function 0106D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2167376316.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_106d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05d80340c3b6835dac0e4e4590b60cdbc84b3fa43a5c1abd3d0728ddf13d9253
Instruction ID: 6eb8e8c6954ce36bf43b1bbecdf08ea2d8189d26e201b43151ae2414e810ca3a
Opcode Fuzzy Hash: 05d80340c3b6835dac0e4e4590b60cdbc84b3fa43a5c1abd3d0728ddf13d9253
Instruction Fuzzy Hash: E82165755093808FD713CF64D594715BFB1EB46214F28C5DAD8898F667C33A980ACB62

Analysis Process: InstallUtil.exePID: 6768, Parent PID: 6532COMMON

Executed Functions

Function 008F04EC Relevance: 1.7, Strings: 1, Instructions: 449COMMON

Download Yara Rule

Strings

8aq, xrefs: 008F0851

Memory Dump Source

Source File: 00000009.00000002.2264509558.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8f0000_InstallUtil.jbxd

Similarity

API ID:
String ID: 8aq
API String ID: 0-538729646
Opcode ID: 1f90d8f65c210310ff3d967e6ec89c38ad1d44411ca57d1c00a0b52df91f2e6c
Instruction ID: 8de16d44e3000a362428b94d32daf7cf3de306f2715f898f43460ae73f517c7d
Opcode Fuzzy Hash: 1f90d8f65c210310ff3d967e6ec89c38ad1d44411ca57d1c00a0b52df91f2e6c
Instruction Fuzzy Hash: 7CF0823450A2C49FC702DFB8E9619DDBFB49E4620071445DAC088EB262C5349E06EB11

Function 008F0888 Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

tP]q, xrefs: 008F0963

Memory Dump Source

Source File: 00000009.00000002.2264509558.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8f0000_InstallUtil.jbxd

Similarity

API ID:
String ID: tP]q
API String ID: 0-2175968468
Opcode ID: b25a844cd9f72767935f125a1201b4887898c38c295865ec2f3f38fe95d0676f
Instruction ID: 164aeef84ec1d66c8d273907136444b75851d553719fe9bff9e520818f87f260
Opcode Fuzzy Hash: b25a844cd9f72767935f125a1201b4887898c38c295865ec2f3f38fe95d0676f
Instruction Fuzzy Hash: D14146347402108FCB59AF79C4A892D7BE2BF8971572508A8E906CB3B6DE35DC02CB91

Function 008F0898 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

tP]q, xrefs: 008F0963

Memory Dump Source

Source File: 00000009.00000002.2264509558.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8f0000_InstallUtil.jbxd

Similarity

API ID:
String ID: tP]q
API String ID: 0-2175968468
Opcode ID: 5dc53d2604ee4e8d7a575c9df1cf296117786dee29d2063a74799525d0d2071b
Instruction ID: 96d5b78cefe579a7b8320f16eabd132c416e4b93c23e0bd5eb44696109d9a81b
Opcode Fuzzy Hash: 5dc53d2604ee4e8d7a575c9df1cf296117786dee29d2063a74799525d0d2071b
Instruction Fuzzy Hash: D34137747402108FCB58AF79C59892D7BE6FF8971572508A8E90ACB3B6DE35DC02CB91

Function 008F0A40 Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

$]q, xrefs: 008F0A98

Memory Dump Source

Source File: 00000009.00000002.2264509558.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8f0000_InstallUtil.jbxd

Similarity

API ID:
String ID: $]q
API String ID: 0-1007455737
Opcode ID: 280a3eda3ad47bf5c14e5edb08b7830c040d11aad807a1cf0c70d09f8c8a00b7
Instruction ID: bdb96ac415376c1bff24fb4ec008022766d9903322f9042d9935dfff3b46231a
Opcode Fuzzy Hash: 280a3eda3ad47bf5c14e5edb08b7830c040d11aad807a1cf0c70d09f8c8a00b7
Instruction Fuzzy Hash: 012105327043299FE7148B7DE890B7AB7E9FFC4725B18417AD209C7292DA71DC028B90

Function 008F0848 Relevance: 1.3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

Strings

8aq, xrefs: 008F0851

Memory Dump Source

Source File: 00000009.00000002.2264509558.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8f0000_InstallUtil.jbxd

Similarity

API ID:
String ID: 8aq
API String ID: 0-538729646
Opcode ID: 660c7af85c416d7fd2bbe678c0531160e535a8ba3f6f150bb6e56b0f6cd6100d
Instruction ID: 510aeedb180e8776a78c36ae29b20a86d7c7c0b0da5fedb5cecb1fa0d02501db
Opcode Fuzzy Hash: 660c7af85c416d7fd2bbe678c0531160e535a8ba3f6f150bb6e56b0f6cd6100d
Instruction Fuzzy Hash: 4EE0CD3090020DEFCB00FFB8E941D4DB7BDEB44244B1045A8D408E3254DE30EF059B41

Function 0089D508 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2264288582.000000000089D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0089D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3ba23e5db5c281153098966c6f3d980375493d0ff0b5c5d5a0f2117aa286fd1
Instruction ID: 805a7c9fadbb660a70323988cf0f516a851324c7ba0d78311ac96e42a61b73b7
Opcode Fuzzy Hash: f3ba23e5db5c281153098966c6f3d980375493d0ff0b5c5d5a0f2117aa286fd1
Instruction Fuzzy Hash: 63212571504304DFCF05EF14D9C0F26BF65FB98318F288569E9098B256C33AD816D7A1

Function 0089D503 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2264288582.000000000089D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0089D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_89d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 8f6c3a032c28f387fc42b26a3b142c6e997874b99f3879a4f4614bbabb08a7f0
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 8D11AF76504240DFCF16DF10D9C4B16BF72FB94314F28C5A9D9094B656C33AD85ACBA2

Function 008F0A10 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2264509558.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8f0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5f5be1a89d0300506473b74868ef65aeb42aea36de055385a3d3a0dcbd69338
Instruction ID: 19ff4cbc6ebda9e82857c3ae5174437715659cc637bc658c9e2c87f158937de0
Opcode Fuzzy Hash: a5f5be1a89d0300506473b74868ef65aeb42aea36de055385a3d3a0dcbd69338
Instruction Fuzzy Hash: A6D0C775B441188FCA04AB78D55445CB760EF8437531006B5D135C71B5D661D911C611

Analysis Process: Value.exePID: 1272, Parent PID: 7032COMMON

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	325
Total number of Limit Nodes:	36

Executed Functions

Function 04D6B9D8 Relevance: 1.6, APIs: 1, Instructions: 108nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 04D6BA95

Memory Dump Source

Source File: 0000000B.00000002.2417363958.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d60000_Value.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 635b518ede48b24c4be1355bb3f9957b5ae44805b6d455a979ef140c08c1aa34
Instruction ID: b910fc156ba5b85d39c527cf51bdfaa184e49aec9de2b13908ee02e45d263a9a
Opcode Fuzzy Hash: 635b518ede48b24c4be1355bb3f9957b5ae44805b6d455a979ef140c08c1aa34
Instruction Fuzzy Hash: 414198B4D002589FCF10CFAAD980ADEFBB1FB49310F10942AE819B7200D775A942CF64

Function 04D6B9E0 Relevance: 1.6, APIs: 1, Instructions: 105nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 04D6BA95

Memory Dump Source

Source File: 0000000B.00000002.2417363958.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d60000_Value.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a9eba0df3f3920145ace5454149dcfeca3349866f44cee59394f5a7c97c9cb53
Instruction ID: efd88926fe0aa7a467fe193ea125136965091b828e31453cd28b051e5b8d46a6
Opcode Fuzzy Hash: a9eba0df3f3920145ace5454149dcfeca3349866f44cee59394f5a7c97c9cb53
Instruction Fuzzy Hash: 754177B8D002589FCF10DFAAD980AEEFBB5BB59310F10942AE819B7210D775A945CF64

Function 04D6D260 Relevance: 1.6, APIs: 1, Instructions: 84nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 04D6D2F6

Memory Dump Source

Source File: 0000000B.00000002.2417363958.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d60000_Value.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ab3344d83b0b507ce1a2bdc320ced4631affb361b2c1186825eb2e263bf3a953
Instruction ID: 5e2259f0cd41b541ca5e7f34aea4c0c867d45424aa4689d76554699f3050e3b1
Opcode Fuzzy Hash: ab3344d83b0b507ce1a2bdc320ced4631affb361b2c1186825eb2e263bf3a953
Instruction Fuzzy Hash: F3319AB4E012199FDB10DFA9D984A9EFBF1FB49310F10942AE819B7200D779A945CF94

Function 04D6D268 Relevance: 1.6, APIs: 1, Instructions: 82nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 04D6D2F6

Memory Dump Source

Source File: 0000000B.00000002.2417363958.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d60000_Value.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 64e5ebaf75bc8f7f1cdfe798e887a782d5572417427b2f9f19d05b7622c823f8
Instruction ID: b2970ac4533c25412b2581adeffc5554226af1af63a392f91ab01439534625a3
Opcode Fuzzy Hash: 64e5ebaf75bc8f7f1cdfe798e887a782d5572417427b2f9f19d05b7622c823f8
Instruction Fuzzy Hash: AD318AB4D012189FCB10DFAAD984A9EFBF5FB49310F10942AE819B7200D779A945CF94

Function 063CF300 Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

Ddq, xrefs: 063CF405

Memory Dump Source

Source File: 0000000B.00000002.2420461350.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63b0000_Value.jbxd

Similarity

API ID:
String ID: Ddq
API String ID: 0-562783569
Opcode ID: 07603788e3a123c8b5fd9d1907ebba7d7740a0197f070017bd47c1404afb860b
Instruction ID: fd152186fd349fa727f8abb1a5b828c8b48df3f8c00210c26b8f8e835b3f60a8
Opcode Fuzzy Hash: 07603788e3a123c8b5fd9d1907ebba7d7740a0197f070017bd47c1404afb860b
Instruction Fuzzy Hash: A4D1C274E00219CFDB54DFA9D990B9DBBB2BF88300F1081A9E409AB365DB35AD85CF51

Function 01086AEF Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 513c3b14cde383d05973db6788d4d9b3a1e044d7d07b64d62e2ac1b05c88e5de
Instruction ID: 79417cb29539b369b4e2360198c19c8f937a630b8d79f70a8a3aff6b89bf0769
Opcode Fuzzy Hash: 513c3b14cde383d05973db6788d4d9b3a1e044d7d07b64d62e2ac1b05c88e5de
Instruction Fuzzy Hash: 12814C74A08204CFD714EF59D884BD9F7F2EB88304F16C1A9D895AB396CB36A885CF54

Function 01086B00 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d46d2bdf0691530810afb6d8e71d4c3828fef75920e447968d69b2c65bdf8aea
Instruction ID: 1df74bf344c3e8be545f695132c82a9a2d2546bd8313e77b1b2a626d2c855bb7
Opcode Fuzzy Hash: d46d2bdf0691530810afb6d8e71d4c3828fef75920e447968d69b2c65bdf8aea
Instruction Fuzzy Hash: 18813C74A08204CFD714EF59D484BD9F7F2EB88304F16C1A9D8956B39ACB36A885CF54

Function 01081CA8 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55126223438ff0368317b7bda366104ea8ab188cbffc761031cfec430823a03e
Instruction ID: d55db9bf47e32469a45fd6042004d3414fe79b5bac228cd9a79b0e5986243c96
Opcode Fuzzy Hash: 55126223438ff0368317b7bda366104ea8ab188cbffc761031cfec430823a03e
Instruction Fuzzy Hash: 3C615A74A04204CFE754EF69E588BAAB7E3FF88310F158065E5859B3A9DB75AC42CF40

Function 04D7ADAC Relevance: 5.1, Strings: 4, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8, xrefs: 04D7A41D
0, xrefs: 04D7B605
:, xrefs: 04D7A3F8
", xrefs: 04D7B5DF

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID: "$0$8$:
API String ID: 0-3399400504
Opcode ID: b5e7ff30c4126d950bf9e1b2eb34d946be64696d61e59e008bad8b5cfa4d1f18
Instruction ID: bf96f0df3ec504b9daf9657e17f6fd1c08e82e7453c9159af87a7657d550c666
Opcode Fuzzy Hash: b5e7ff30c4126d950bf9e1b2eb34d946be64696d61e59e008bad8b5cfa4d1f18
Instruction Fuzzy Hash: CF41CF70A41268CFDB61DF68C888B9DBBB1BB49314F4081EAD409B7350EB75AA85CF11

Function 04D7A4B0 Relevance: 5.1, Strings: 4, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8, xrefs: 04D7A41D
%, xrefs: 04D7A923
:, xrefs: 04D7A3F8
8, xrefs: 04D7A94C

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID: %$8$8$:
API String ID: 0-1061800311
Opcode ID: c8ca7ca581d40f6d537865947977dfcc5c392d5daab7ffcaff5a2e596ba74750
Instruction ID: e94af71c68191bd1701d5c8f40bb60f91517cb85a166bef0b8a4d2cde4dcfada
Opcode Fuzzy Hash: c8ca7ca581d40f6d537865947977dfcc5c392d5daab7ffcaff5a2e596ba74750
Instruction Fuzzy Hash: 40418A70A412688FEB61CF18D848BADBBB1BB49304F4084EAE54DB6740E7756AC5CF16

Function 04D7A475 Relevance: 3.8, Strings: 3, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8, xrefs: 04D7A41D
>, xrefs: 04D7A4A4
:, xrefs: 04D7A3F8

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID: 8$:$>
API String ID: 0-1633067128
Opcode ID: 57569961fc3af4f2df884f550bd3184ebbc0796570697398921fadbaadb9336d
Instruction ID: 24a51955443f3126c29b6fe8237318c6d29d277c8aa0e5c44e5d15972e4c6ded
Opcode Fuzzy Hash: 57569961fc3af4f2df884f550bd3184ebbc0796570697398921fadbaadb9336d
Instruction Fuzzy Hash: DE419A70A412698FDB64CF18D888BECBBB1BB48304F4084EAD509A7750EB756AC5CF15

Function 04D7A654 Relevance: 3.8, Strings: 3, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8, xrefs: 04D7A41D
., xrefs: 04D7A6E6
:, xrefs: 04D7A3F8

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID: .$8$:
API String ID: 0-2317341229
Opcode ID: 1922653cd15cfd6e78968c7f722bc0f43fa649bcb639d29d0537392d711f28b6
Instruction ID: 307a5e17f99b98c5cdba0fb7abc2dc08115252896dd7a16dc23e168b3136c29d
Opcode Fuzzy Hash: 1922653cd15cfd6e78968c7f722bc0f43fa649bcb639d29d0537392d711f28b6
Instruction Fuzzy Hash: B741ADB0900268CFDB61DF58C888B9DBBB1BB49304F4080DAD419B7751E775AAC5CF11

Function 04D7AEB4 Relevance: 3.8, Strings: 3, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8, xrefs: 04D7A41D
E, xrefs: 04D7AEBE
:, xrefs: 04D7A3F8

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID: 8$:$E
API String ID: 0-2793474252
Opcode ID: 18780f88418b50d9dc0bb5a1a24aa0d90e2a6aceeef01add26e3409b76fbd2aa
Instruction ID: 76a9d07ea42f0d03ffa02ea6bee24fa38cc677de90136be49edbb039b78e6de9
Opcode Fuzzy Hash: 18780f88418b50d9dc0bb5a1a24aa0d90e2a6aceeef01add26e3409b76fbd2aa
Instruction Fuzzy Hash: 9D31AA70A41268CFDB60CF58D848BECBBB1BB49304F4080EAE509A2740EB756AC58F15

Function 04D7AE9A Relevance: 3.8, Strings: 3, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8, xrefs: 04D7A41D
/, xrefs: 04D7B3AD
:, xrefs: 04D7A3F8

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID: /$8$:
API String ID: 0-3078618013
Opcode ID: d8dafb40f1b6b5122fe065f5ba51d1d072fb50d8f84d000a9fe4589dda19f1a8
Instruction ID: abc2be35c528e19868b0edc22c4386f0c885d114e5ec70cd622adc59d3f8ca7b
Opcode Fuzzy Hash: d8dafb40f1b6b5122fe065f5ba51d1d072fb50d8f84d000a9fe4589dda19f1a8
Instruction Fuzzy Hash: 5331ACB0941269CFDB60CF68C848BACBBB1BB45309F5084EAD409B3750EB756AC5CF15

Function 04D7A87F Relevance: 3.8, Strings: 3, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8, xrefs: 04D7A41D
:, xrefs: 04D7A3F8
$, xrefs: 04D7AC91

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID: $$8$:
API String ID: 0-3232746124
Opcode ID: e3e5acdf808397b6352a51509f3e50bc55af13acc4ce10d2d4260e1e28087290
Instruction ID: 670537761a6732dee56009c5410069c7c0493ba5ad73fac45761085c0c030448
Opcode Fuzzy Hash: e3e5acdf808397b6352a51509f3e50bc55af13acc4ce10d2d4260e1e28087290
Instruction Fuzzy Hash: CA319A70900269CFDB60CF58C988BADBBB1BB49304F4084EAD409B7740E775AAC5CF12

Function 04D6C988 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 95
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 04D6CA3F

Strings

W, xrefs: 04D6C98D

Memory Dump Source

Source File: 0000000B.00000002.2417363958.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d60000_Value.jbxd

Similarity

API ID: ContextThreadWow64
String ID: W
API String ID: 983334009-655174618
Opcode ID: 3991a0fdc654b1dc94f362a29ae46a426bc0388314728deda4171cb9a40ee6ef
Instruction ID: 95ac8004d12fa007f45a54e08522c8e43346b61e1a2d1f936bfe4f7c4c1d0770
Opcode Fuzzy Hash: 3991a0fdc654b1dc94f362a29ae46a426bc0388314728deda4171cb9a40ee6ef
Instruction Fuzzy Hash: 0D41CBB4D002588FDB10DFA9D884AEEFBF0BF49314F14802AE459B7240D778A985CF94

Function 04D7A838 Relevance: 2.6, Strings: 2, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8, xrefs: 04D7A41D
:, xrefs: 04D7A3F8

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID: 8$:
API String ID: 0-3806156078
Opcode ID: 809f2572bc9f187e1700ca9dbcc4122c05bf050c47e25d555666be829b155f1d
Instruction ID: 7eb27461535c0ff4f2fee88fddd0bb9adb4f823cedb7373ce04a7d6c6e346d0e
Opcode Fuzzy Hash: 809f2572bc9f187e1700ca9dbcc4122c05bf050c47e25d555666be829b155f1d
Instruction Fuzzy Hash: F531A970A412688FDB60CF58D888BECBBB1BB49304F4081E6E509B3340EB756EC58F15

Function 04D6C5D8 Relevance: 1.8, APIs: 1, Instructions: 261
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04D6C83F

Memory Dump Source

Source File: 0000000B.00000002.2417363958.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d60000_Value.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d21f141b3f1869be26286d54cff50e1eca8ede7ae8b82610549140a19022cd8c
Instruction ID: 85bf40c8f361384e3ad8a7c3f02088fbb027a0f1b321450aad1189eb4ccebe5b
Opcode Fuzzy Hash: d21f141b3f1869be26286d54cff50e1eca8ede7ae8b82610549140a19022cd8c
Instruction Fuzzy Hash: 85A104B4D102188FEB20CFA9C8457EDBBF1FF4A704F14916AE899A7240DB74A985CF45

Function 04D6C5CD Relevance: 1.8, APIs: 1, Instructions: 261
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04D6C83F

Memory Dump Source

Source File: 0000000B.00000002.2417363958.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d60000_Value.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: c46ab132ad1f9a48693a1e772ce30247011d18101711227ae41333e53f320d7a
Instruction ID: 322e142b979d94bfdc637339d7ed8d1c408163dcdeb0044feaabd7416f72ebf5
Opcode Fuzzy Hash: c46ab132ad1f9a48693a1e772ce30247011d18101711227ae41333e53f320d7a
Instruction Fuzzy Hash: 23A10374D10219CFEB10CFA8C8457EDBBF1BF0A704F14956AE899A7240DB74A985CF85

Function 04D6D048 Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04D6D123

Memory Dump Source

Source File: 0000000B.00000002.2417363958.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d60000_Value.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e5f8807479265f623c316a0e112285fff7e683c2abf9059c951c7345b6aac3cd
Instruction ID: 823d588c32af0a69d357eb8e8eee1e7f4ca9aa941077fed12201d416de5fc13c
Opcode Fuzzy Hash: e5f8807479265f623c316a0e112285fff7e683c2abf9059c951c7345b6aac3cd
Instruction Fuzzy Hash: A04199B5D012599FDF00CFA9D984AEEFBF1BB49310F10902AE819B7210D779AA45CF64

Function 04D6D050 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04D6D123

Memory Dump Source

Source File: 0000000B.00000002.2417363958.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d60000_Value.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a64596b33bebddc003e0398d6d0003b0b0f69777898fa65ba799a09269ffff2f
Instruction ID: eb8ea429a0c7493923966edce63cfbcd31ab66026c73d971012715bbe5f17ee9
Opcode Fuzzy Hash: a64596b33bebddc003e0398d6d0003b0b0f69777898fa65ba799a09269ffff2f
Instruction Fuzzy Hash: 52419AB4D012589FCF00CFA9D984AEEFBF1BB49310F10902AE419B7210D779AA45CF64

Function 04D6CEF0 Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04D6CF9A

Memory Dump Source

Source File: 0000000B.00000002.2417363958.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d60000_Value.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b98904705830bcb03ee96ce13a9e760f4094655d6b6a8738b75e5b254c3d124c
Instruction ID: 6027da2a0470e58711327117edd6ee9d7cd8cbb2706a2a29b9e39fb9b527d774
Opcode Fuzzy Hash: b98904705830bcb03ee96ce13a9e760f4094655d6b6a8738b75e5b254c3d124c
Instruction Fuzzy Hash: 483188B8D012589FCF10CFA9D980AEEFBB5FB59310F10942AE819B7210D735A945CF64

Function 04D6CEE8 Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04D6CF9A

Memory Dump Source

Source File: 0000000B.00000002.2417363958.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d60000_Value.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d51bdaff8e41f5014ddd35a8c29fea7b1bfade0c2d7612b3f80944554d8bf92d
Instruction ID: 0b30cf25092dba0ea76976b28af9d5b7f0a53f5367593327f52587c4e7a42d7b
Opcode Fuzzy Hash: d51bdaff8e41f5014ddd35a8c29fea7b1bfade0c2d7612b3f80944554d8bf92d
Instruction Fuzzy Hash: 803197B8D01259DFCF10CFA9D984AAEFBB1BF59310F10942AE81AB7210D735A945CF64

Function 04D6D539 Relevance: 1.6, APIs: 1, Instructions: 99memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 04D6D5E4

Memory Dump Source

Source File: 0000000B.00000002.2417363958.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d60000_Value.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 4383b1fa169b89ce8895b5e73c766065f535c4f47e0736782622c021f77228eb
Instruction ID: 0df1e431544bf58f3ed06bbd40cbb233936a5c651ca5146589255266d4286b15
Opcode Fuzzy Hash: 4383b1fa169b89ce8895b5e73c766065f535c4f47e0736782622c021f77228eb
Instruction Fuzzy Hash: 6031B9B5D002589FDF10DFA9D984AEEFBB1BF49310F24942AE819B7210D738AA45CF54

Function 04D6D540 Relevance: 1.6, APIs: 1, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 04D6D5E4

Memory Dump Source

Source File: 0000000B.00000002.2417363958.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d60000_Value.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: d0cdb6d967c013247afe8b6d9517ebc6526100a18775999204ef934eff5037c2
Instruction ID: e2328242b5399e0d8e4c338d88d6a1ffe704711bf9a8df3fe4cf61f85cd24b56
Opcode Fuzzy Hash: d0cdb6d967c013247afe8b6d9517ebc6526100a18775999204ef934eff5037c2
Instruction Fuzzy Hash: 8E31AAB4D002589FCF10DFAAD584AEEFBB1BF49310F14942AE819B7210D739A945CFA4

Function 04D6C990 Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 04D6CA3F

Memory Dump Source

Source File: 0000000B.00000002.2417363958.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d60000_Value.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 925051eac116ac92896d12ea882ed29cbdb55b37d77201fb8062d3eb28db0ce5
Instruction ID: 4c668d827fb2fdfcd11bc68ebfd685a9d8d41aca3fd0911254011a96bb1f4a3a
Opcode Fuzzy Hash: 925051eac116ac92896d12ea882ed29cbdb55b37d77201fb8062d3eb28db0ce5
Instruction Fuzzy Hash: 6731CDB4D102589FCB10DFA9D884AEEFBF1BF49314F14802AE419B7240D738A945CF94

Function 04D67ED8 Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

SleepEx.KERNELBASE(?,?), ref: 04D67F72

Memory Dump Source

Source File: 0000000B.00000002.2417363958.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d60000_Value.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 075d640e8bca82f004f517e47c69b82d63f4a4dac63c8032921cfbe09100300f
Instruction ID: 01786c4b1758575d6a953bf79c3bba2cdfc72deee1c1fd783666ab38d797fb1e
Opcode Fuzzy Hash: 075d640e8bca82f004f517e47c69b82d63f4a4dac63c8032921cfbe09100300f
Instruction Fuzzy Hash: 3431CAB4D012189FCB10CFA9D980AEEFBF5FB49310F14942AE815B7200D778A945CFA4

Function 04D67EE0 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

SleepEx.KERNELBASE(?,?), ref: 04D67F72

Memory Dump Source

Source File: 0000000B.00000002.2417363958.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d60000_Value.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 3d6492225f9a74fc3f2945a0e3c0d2367c258e22ac997d95180ab1e0c495a7be
Instruction ID: 2f368b00d8056c0adcc02f62fd692232ca60c05d8fc1b90aa2f45a492282b657
Opcode Fuzzy Hash: 3d6492225f9a74fc3f2945a0e3c0d2367c258e22ac997d95180ab1e0c495a7be
Instruction Fuzzy Hash: 0831AAB4D012189FCB10CFA9D980AEEFBF5BF49310F14942AE815B7240D739A945CFA4

Function 01081AFA Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

C, xrefs: 01081BA0

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID: C
API String ID: 0-2531096973
Opcode ID: d93ffcbcc73f0419075a4664a08d42a99952d6db2fcc3f9442f1bc28d0bb3734
Instruction ID: fcb19fdef8ad1709c90410d0f574b7cb84ce3cfce0131251a49214f8c4fa738e
Opcode Fuzzy Hash: d93ffcbcc73f0419075a4664a08d42a99952d6db2fcc3f9442f1bc28d0bb3734
Instruction Fuzzy Hash: 0321F130B041068FC705EB6DC854AAE77F6FF85340B1080AAD045CB3A9EE34AD06CB91

Function 063B2636 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

o, xrefs: 063B2302

Memory Dump Source

Source File: 0000000B.00000002.2420461350.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63b0000_Value.jbxd

Similarity

API ID:
String ID: o
API String ID: 0-252678980
Opcode ID: ff0db9e5ac9f6c4077b3cc43d197ef9dfff9b3b239ce7ee97dad14b60e951b8e
Instruction ID: bea50fbc56b8ea1ffc06600f1a9ab534e86694343d8cb1e1c8e2e12a48b24cdb
Opcode Fuzzy Hash: ff0db9e5ac9f6c4077b3cc43d197ef9dfff9b3b239ce7ee97dad14b60e951b8e
Instruction Fuzzy Hash: 0531EA74A50229CFDBA8DF58D898BD9B7B5BB49301F0051E5D509ABA40DB34AE84CF50

Function 063B21EE Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

o, xrefs: 063B2302

Memory Dump Source

Source File: 0000000B.00000002.2420461350.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63b0000_Value.jbxd

Similarity

API ID:
String ID: o
API String ID: 0-252678980
Opcode ID: af20c65807a8a855768c03b1cbcf5bdb242de93ba611f6ed7ab36c4b774f7acb
Instruction ID: eacf44132e5eb9227d3a1a9c5d914a83957e2a1d10f569a74b5eccbd3e7c3c4f
Opcode Fuzzy Hash: af20c65807a8a855768c03b1cbcf5bdb242de93ba611f6ed7ab36c4b774f7acb
Instruction Fuzzy Hash: 23313B74E10229CFDBA8DF58D898A99B7B1FF49301F0011E9E909AB740DB34AE85CF50

Function 01087BD0 Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

D, xrefs: 01087BD8

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: 2aa736f6b5ba9e8b6540c9904de24570d58f906c751ed7171a04f7b659c7b569
Instruction ID: 3a605788334b329bfd512bca1828c7eabb3f01fb90c106e5b302214aa9f53402
Opcode Fuzzy Hash: 2aa736f6b5ba9e8b6540c9904de24570d58f906c751ed7171a04f7b659c7b569
Instruction Fuzzy Hash: A811C634D08209CFEB04EA58D4447EEB7F3EB84310F20C179C28567799DB395842CB11

Function 063B65E5 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

5, xrefs: 063B6641

Memory Dump Source

Source File: 0000000B.00000002.2420461350.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63b0000_Value.jbxd

Similarity

API ID:
String ID: 5
API String ID: 0-2226203566
Opcode ID: b8fb3d6d0bc622987f16d3c38509e9a1d2ddd4d14cfc0a088e19e3bd5c515a53
Instruction ID: bf79a41938890916feec285c045018ece6a7b516d9584ccaab6e542777100012
Opcode Fuzzy Hash: b8fb3d6d0bc622987f16d3c38509e9a1d2ddd4d14cfc0a088e19e3bd5c515a53
Instruction Fuzzy Hash: 7FF09A34A01269CFEB689F54C848BEA77B5EB05305F1450E5E14D93A40C7746AD4CF51

Function 04D7AC40 Relevance: 1.3, Strings: 1, Instructions: 21COMMON

Download Yara Rule

Strings

$, xrefs: 04D7AC91

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 40e8d52687651e49e726432613581d5126b011dd5205bab5169e3f2fee08cc4d
Instruction ID: b8fcc04c25ae0893a468150b28faf62bc050eca28add5bc6efd1d5bb72615056
Opcode Fuzzy Hash: 40e8d52687651e49e726432613581d5126b011dd5205bab5169e3f2fee08cc4d
Instruction Fuzzy Hash: 58F0747490011A9FCB64DF55DA91ADDBBB5AF48304F4094EA8509A7341DF31AE82CF11

Function 04D7AD12 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

;, xrefs: 04D7AD5E

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID: ;
API String ID: 0-1661535913
Opcode ID: 0061cfb3e12a44fa2843d50d413799a22a1ec0829aff692946597e1a6736776c
Instruction ID: 9d8fee07351e427baa86cca54579ebe663d93453ae5270e075ab75e5240ca899
Opcode Fuzzy Hash: 0061cfb3e12a44fa2843d50d413799a22a1ec0829aff692946597e1a6736776c
Instruction Fuzzy Hash: D1F0393190061ADBCF11DF50C850ACABB71FF84304F008685EA8E37210DB31BA9ADF80

Function 04D7ABE3 Relevance: 1.3, Strings: 1, Instructions: 15COMMON

Download Yara Rule

Strings

D, xrefs: 04D7AC16

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: c86bcc5060519440d78803cdf1bb9f40e5fa5a5d6954aaf96967612e32819a6b
Instruction ID: 4a7b2bb439eddfbae6e433ea92eb0713883c7b005df68d2dbfb20ef92b21e5d3
Opcode Fuzzy Hash: c86bcc5060519440d78803cdf1bb9f40e5fa5a5d6954aaf96967612e32819a6b
Instruction Fuzzy Hash: 8AE09275904228CFDB50CF10C848BD9BBB1BB48318F0481D9C40D93391D7369B8ADF00

Function 04D73AA0 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f62d42b9ef381c73b929da08628740d0ade815e2a558045ab0c6e92241949513
Instruction ID: 8ee3860698f3aa2690bb105a01031548c4b4792fd6961b3c71f349aea17941e5
Opcode Fuzzy Hash: f62d42b9ef381c73b929da08628740d0ade815e2a558045ab0c6e92241949513
Instruction Fuzzy Hash: 59C1D774E05218CFDB64DF69D884B9DBBB2FB89300F1080AAE849A7354EB746D85DF11

Function 04D73A90 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fce47ebff953fc5bcb028b42aea9a0d54eb3497412549af0ac9b94f52b0d9316
Instruction ID: ba797d299c9914cbdab3b9e808dda6ce675d45da05c8f842ac6140dd723d557f
Opcode Fuzzy Hash: fce47ebff953fc5bcb028b42aea9a0d54eb3497412549af0ac9b94f52b0d9316
Instruction Fuzzy Hash: D9B1D774E01218CFDB54DF69D885B9DBBB2FB89300F1080AAE849A7354EB746D85DF11

Function 04D72F97 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8633539b6949d96dbf9b028fb95b29b1cb99c66ade85efd67f878987014887ba
Instruction ID: 7d7f0a5adcd8f0e49556d7aea806653e68487d48386001a874ed859190f8212e
Opcode Fuzzy Hash: 8633539b6949d96dbf9b028fb95b29b1cb99c66ade85efd67f878987014887ba
Instruction Fuzzy Hash: 6BB13A74A05218CFDB64DF69D884BEDBBB1FB89300F1081AAE849A7344EB346D85DF11

Function 010853F8 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0127f800654c6af00af91c8d4f8c997233ab042893fedea4ec448ab6e7c82e63
Instruction ID: adabed54e42442c748559b7d3ef1f128a96c6c6fa48f502c37662343ae19d1c6
Opcode Fuzzy Hash: 0127f800654c6af00af91c8d4f8c997233ab042893fedea4ec448ab6e7c82e63
Instruction Fuzzy Hash: 2C818B74B18605DFDB14EB4CC844BAAB3F2FB84305F14C2B5C2968B645D739A892CBA1

Function 04D78928 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acbd0826df06343e134831ae5237dfec6f9f85f274a1b7e12c87b536bb052e37
Instruction ID: e3fd44c69310b7aeba473457a3aef895b4446184bcfc37180f2ec1a78627aaa7
Opcode Fuzzy Hash: acbd0826df06343e134831ae5237dfec6f9f85f274a1b7e12c87b536bb052e37
Instruction Fuzzy Hash: 69A10674A00218CFDB54EF69D894BADBBB2FB89300F1081A9E44EA7358DB306D85DF11

Function 010853E8 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eb6d994ad5cc3e1009e2b178e2270ec41024a16388c789e5ae188a3150beddd
Instruction ID: 87a1f207e60f017b8be0eff448a28cd0cb5af21c484e8cf17df10d4fcb409127
Opcode Fuzzy Hash: 9eb6d994ad5cc3e1009e2b178e2270ec41024a16388c789e5ae188a3150beddd
Instruction Fuzzy Hash: DB819B75B18605DFDB14EB08CC40BAAF3F2FB84305F14C276C2869B645D739A992CBA1

Function 04D7932B Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9c9e05ad738def84aa76a0597333d47d5e496b70266cf2a5ad06eee6292c0ee
Instruction ID: 41ff9eafa37cb7de630487adff7cb8a04dd7e145f6e27d7dc596127263c8e20e
Opcode Fuzzy Hash: d9c9e05ad738def84aa76a0597333d47d5e496b70266cf2a5ad06eee6292c0ee
Instruction Fuzzy Hash: 4691D475A05218CFEB54EF69D894BADBBF2FB89300F1081A9E449A7354EB306D85DF01

Function 04D78E50 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a089166c881ba3d4ca901c0914dc9dea86af37b3ad75a3cbd53cb4385ce9da00
Instruction ID: bfbef5df0f404eea44849013292fde7015374fcc9b4f62c90990b1521957f095
Opcode Fuzzy Hash: a089166c881ba3d4ca901c0914dc9dea86af37b3ad75a3cbd53cb4385ce9da00
Instruction Fuzzy Hash: 6B8107B1E05218CFEB54DF69C894BADBBF6BB89300F1081A9E449A7354EB306D85CF01

Function 04D790FC Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 597c8d1d68283313729058d8cbeddc37d8ce9f84b9efcf32b7430c9e9a0121c5
Instruction ID: 600be595a9fab6129a4da6b4bca6ca29d9e601b91f847adf741056be76c1343e
Opcode Fuzzy Hash: 597c8d1d68283313729058d8cbeddc37d8ce9f84b9efcf32b7430c9e9a0121c5
Instruction Fuzzy Hash: C491D675A15218CFEB54DF69D894BADBBB2FB89300F1081A9E449E7354EB306D85CF01

Function 04D78E60 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 832a17efc013145da5a60f2c3978971bcd4dafcf085919708b424a6b5a3b8d71
Instruction ID: ef25fce58bcd228c133aae501f0464deebe560d0ae243f2c7d7981238ba17b3a
Opcode Fuzzy Hash: 832a17efc013145da5a60f2c3978971bcd4dafcf085919708b424a6b5a3b8d71
Instruction Fuzzy Hash: BB8106B1E15218CFEB54DF69C854BADBBF6BB89300F1081A9E449A7354EB30AD85DF01

Function 04D791D0 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a66a0e2f0fe0814f805c720c4df86a8d60048db0c7f3412bb10605c11081c155
Instruction ID: 236185735166bd46ffe87a2c12b76bbb3a0f3b00e707e38825b0a39c9d0fc6ec
Opcode Fuzzy Hash: a66a0e2f0fe0814f805c720c4df86a8d60048db0c7f3412bb10605c11081c155
Instruction Fuzzy Hash: BC71D4B5E05218CFEB54DF69D894BADBBF2BB89300F1081A9E449A7354EB306D85CF01

Function 04D791A6 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 001c81aa093a1e728560c2cef5ccad06eb4a41c07f17d0e1db3859db9bd188bd
Instruction ID: c427f474aa918284b3145ff798c243505d16d0e7f9af3fb802032eae14d665f1
Opcode Fuzzy Hash: 001c81aa093a1e728560c2cef5ccad06eb4a41c07f17d0e1db3859db9bd188bd
Instruction Fuzzy Hash: C971D475E15218CFEB54DF69D894BADBBF2BB89300F1081A9E449A7354EB30AD85CF01

Function 010857F8 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3be82d036878eeb0f2118e40334032acb8971fe6c7d2aaba62731eda21836848
Instruction ID: 27a0fc2931f54a997716001f99b82d4b1a4de08f841c6d24b33fc734cc272361
Opcode Fuzzy Hash: 3be82d036878eeb0f2118e40334032acb8971fe6c7d2aaba62731eda21836848
Instruction Fuzzy Hash: FE51AC31B18200CFDB51EB28D884BAABBF2FF84310F5181AAD1899B266D7359C41CB80

Function 01086910 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dc041cb464d15c9b3673580349173f6427aaf19b1de5546722696d9daf9f13b
Instruction ID: 0fb6366db9680bbcf7aac4e43dbe1a5f8e060a86b944955ba8153140a2849d85
Opcode Fuzzy Hash: 9dc041cb464d15c9b3673580349173f6427aaf19b1de5546722696d9daf9f13b
Instruction Fuzzy Hash: 60411DB5B802008FCB44EF78D95895E3BEAAF9D21031145A9E54ACB375EE79EC408B61

Function 01081928 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a142ced4642f8a240c28f8731f9da357bfa1a136156b384c64c21250946a3c70
Instruction ID: 0e8faf07766520990cc90e66f1430f413ea6a12441aa6b7aab740dfa02d864b2
Opcode Fuzzy Hash: a142ced4642f8a240c28f8731f9da357bfa1a136156b384c64c21250946a3c70
Instruction Fuzzy Hash: 9231AB75E082058FEB14EB68D844BEEBBF2FF88310F148065D486AB399DB355946CB61

Function 04D7BC67 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b58b229eecece9d5d0cf818f4cf1649bddb3ced56657fe1ad9829fdf6353002e
Instruction ID: a45a0bb7090dbf22d6e9a2f2b669b7479b0d3d13fefb8757477ba4e7b8de0379
Opcode Fuzzy Hash: b58b229eecece9d5d0cf818f4cf1649bddb3ced56657fe1ad9829fdf6353002e
Instruction Fuzzy Hash: 9241D474A45219CFEB24CF29CD44BE9BBF5BB49304F0081E6D54DA7294EB30AA84DF10

Function 01081938 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3069971966cb61b3d20220ac7a86b92b78f40073226c8b7261a7f6cfef0c8e5
Instruction ID: 443af8be805a5e502bc463be7adc4815893335dcdf287a1285df67a4c4785d7c
Opcode Fuzzy Hash: f3069971966cb61b3d20220ac7a86b92b78f40073226c8b7261a7f6cfef0c8e5
Instruction Fuzzy Hash: 8431AC74A041158FEB14EB68D844BEEB7E2BF88310F148064D585AB398DB359846CBA1

Function 04D78B90 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dff09811ca5885af2c950dd55338c1e787ba00279f2d9ded31e17ceb43756cdb
Instruction ID: cd839afd80d66a68572ce1ee99aafd0e2671708f026808d78a79d2716bf7a522
Opcode Fuzzy Hash: dff09811ca5885af2c950dd55338c1e787ba00279f2d9ded31e17ceb43756cdb
Instruction Fuzzy Hash: 073181B0E04209CFCB00EFA9D4547AEBBF5FB8A300F1080AAE445A7344EB396905EF51

Function 04D7BCE6 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccf33a81711487dbd40894e180883ffa6b2b709bae2461909b5269960518f225
Instruction ID: bf2e9384a8085a784d28abed2dfaebd90c22143c91be673dbd4953a6764d316d
Opcode Fuzzy Hash: ccf33a81711487dbd40894e180883ffa6b2b709bae2461909b5269960518f225
Instruction Fuzzy Hash: C331E371A05218CFEB20CF59C950BE9B7F6BB49308F0085E6D54DE7254E770AA85CF10

Function 0102D520 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373209022.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_102d000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f1d4ecfc8404196929a0d9446c7faed79cab35d9eabdeaf8d1820c11fee1fa0
Instruction ID: 79c16e547c7cea8c45535a1e2d8f5cf3b716910e236a9309cad1b0369bf8754a
Opcode Fuzzy Hash: 9f1d4ecfc8404196929a0d9446c7faed79cab35d9eabdeaf8d1820c11fee1fa0
Instruction Fuzzy Hash: 7F213771504260DFDB05DF58D9C0F2ABFA5FB88318F20C5A9E9490B256C37AD856CBB2

Function 0103D01C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373368504.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_103d000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d86bb9c5cca741f047f6d1bda5f19aef1bead036d7d5faef426a03e6285f6ed5
Instruction ID: b9e1fda614c0d309ca9adab3e63a314e52f37a98b8c372b6c74264ad38401aeb
Opcode Fuzzy Hash: d86bb9c5cca741f047f6d1bda5f19aef1bead036d7d5faef426a03e6285f6ed5
Instruction Fuzzy Hash: 5A210371104244DFCB15DF98D9C4B2AFFA9FBC4B54F6085A9F9490B246C33AD40ACBA2

Function 0108EE80 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e49fc58e0858e5fdc749463ef5fdb92f3f80e4779e0c06e9e7488b06d583f117
Instruction ID: 8bc92f746d01a720f1fd034ac3c1570898f1f09d36c255963f1fab21c73fe48c
Opcode Fuzzy Hash: e49fc58e0858e5fdc749463ef5fdb92f3f80e4779e0c06e9e7488b06d583f117
Instruction Fuzzy Hash: BF3117B0909208DFDB40EFA8C0497ADBFF5FB89304F2085A9E485A7384DB745A84CF51

Function 01085E33 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 746e8cb901847b64275d3e9bd7b83dc5bf919ecfde92438d015c8a246c2bf1c0
Instruction ID: 616b24619f38449f55e50d246697e87a390c22be4d99ff0066c2bd6490d724bc
Opcode Fuzzy Hash: 746e8cb901847b64275d3e9bd7b83dc5bf919ecfde92438d015c8a246c2bf1c0
Instruction Fuzzy Hash: 2F21CF30A08115CFCFA5EF68D888AAEB7E2FB84305F1581E6D0C68F216D7369842CF41

Function 04D7CAAE Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ad7116da5c9457db1ac9b56f90faf94a2c24bfffd34c6c66bf7ce7b162c9836
Instruction ID: 261080121f5aeb45b3667a831ae265c17b626bc1b4aa6c82de523eca6357fbd6
Opcode Fuzzy Hash: 0ad7116da5c9457db1ac9b56f90faf94a2c24bfffd34c6c66bf7ce7b162c9836
Instruction Fuzzy Hash: E631B570A14628CFDB50CF99C848BEDBBF1BB4A704F0481A6D449A7241EB746EC5DF11

Function 04D787A7 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eea49cc6be56ca25295f732114d99f2b70ca7b7f8977a2146188c6efdd60764
Instruction ID: 9f141c58584f9432127b1787d0a0a949910a875067d6e349d838848bad796452
Opcode Fuzzy Hash: 0eea49cc6be56ca25295f732114d99f2b70ca7b7f8977a2146188c6efdd60764
Instruction Fuzzy Hash: 47319574A00228CFDB54EF25D894B9DBBB2FB89200F5081D9E44EA7358DB306E85DF11

Function 04D78BA0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0fbba97b0f7d6dfe4d0a62c43c833e6150d16f76f021028d7cd2f9378c29cd7
Instruction ID: 1a9cc32eb71646ce7b280de09bca3234d9e7093b5039bea81ee49f2e6fdd365f
Opcode Fuzzy Hash: b0fbba97b0f7d6dfe4d0a62c43c833e6150d16f76f021028d7cd2f9378c29cd7
Instruction Fuzzy Hash: 82213CB4E0421DDFCB04EFA9D4546EEBBB5FB89300F108469E045A7344EB386945AF61

Function 01086858 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79daccc938d4a62d9ee8e4da99528ad6d5dcdb8638c76e4eae20030378cd93b5
Instruction ID: 5e1b1f1fcccdc67fe6e510a8859b89b917eabf08c747094038638f7cbaa55bfa
Opcode Fuzzy Hash: 79daccc938d4a62d9ee8e4da99528ad6d5dcdb8638c76e4eae20030378cd93b5
Instruction Fuzzy Hash: 47115BB1B803005FCB44EBBCC958D5A3BEAAF8D36031105A9E04ACB375EE79EC008760

Function 01085DBC Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b12c4492bc3e8301c7e83bd8e99d94872612ef1693fc0dc6271f15d80b71378a
Instruction ID: bb73b544f4694d36fa43616c6de7540cbe71e35e0ce55773015a8765dad0ab9e
Opcode Fuzzy Hash: b12c4492bc3e8301c7e83bd8e99d94872612ef1693fc0dc6271f15d80b71378a
Instruction Fuzzy Hash: 25212674A082058FDB11EB48D984A9DFBF2EF88310F598191E185AB616D336A982CF94

Function 0103D006 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373368504.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_103d000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed3af1fe261aaca4d628b03d8c3da439bac277afd4ba4ea1f731e0d7f4d0f316
Instruction ID: 7c98e8762ccb5c625553676073c9d22e261d66d6ec1057e3df41c43d690a5303
Opcode Fuzzy Hash: ed3af1fe261aaca4d628b03d8c3da439bac277afd4ba4ea1f731e0d7f4d0f316
Instruction Fuzzy Hash: A021A1710083808FCB03CF54D984B15BFB5FB86714F2885DAD8854B257C33AD81ACB62

Function 01085BB3 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e78cd5b1d9f16b85d00fcc5bef7b547bf02e0a7b87d346027825e40c83d83487
Instruction ID: 7bc427d9353a5c0ab4cf8fc9c4ea2eb6af7ca7372bd802ee873a99bf988a741c
Opcode Fuzzy Hash: e78cd5b1d9f16b85d00fcc5bef7b547bf02e0a7b87d346027825e40c83d83487
Instruction Fuzzy Hash: 0F217C74A04105CFCB11EB98D884A9EFBF2FF88310F298591E1859B21AD736ED82CF54

Function 04D79DDE Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41cbe56577a158e177af3d468e3b346bef764fc97bbc1ed0df08973caca380e6
Instruction ID: c2681b424eb427ad15d09a6b93598a6dfedcbc5a53c173dbbb2895151f542694
Opcode Fuzzy Hash: 41cbe56577a158e177af3d468e3b346bef764fc97bbc1ed0df08973caca380e6
Instruction Fuzzy Hash: 41213BB6E05218CFDF00CF99D4547DDBBB2FB89301F1080A9E555A7254E7389949CF51

Function 04D79DE8 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee260b795c4c9b7d4979a758fefc7651940d396956e14261f83dc8dc7a11b7a9
Instruction ID: cbe5de80bd4e444613eb0049811c8d5ad6079f3faa76111e319b85e6d87a3848
Opcode Fuzzy Hash: ee260b795c4c9b7d4979a758fefc7651940d396956e14261f83dc8dc7a11b7a9
Instruction Fuzzy Hash: 2A214AB6E01218CFDB00DFA9D4587EDBBB2FB89311F0080AAE455B7254EB386945CF51

Function 04D7C8B0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ed5610f1b5195a7bb7fe0848052d1b8b840333e58fa3a9ee0414e63502601e8
Instruction ID: 32f1faa34ab7ec1b525ea3f63554dab6af5bdfb1a50940638e6f66e195929aba
Opcode Fuzzy Hash: 5ed5610f1b5195a7bb7fe0848052d1b8b840333e58fa3a9ee0414e63502601e8
Instruction Fuzzy Hash: 2B31FB74A14228CFDB50CF99D848BEDBBF1BB0A704F048195D449A7241E7746EC5DF11

Function 04D78942 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc70e7526a36d4e3c2d2f278834d0ed077a41057e7e1b4f1a9b6dcb358d2c47b
Instruction ID: 6d9b9d5000890d3fdbd42397f57db6787a086dec219a67c179217e098d38685a
Opcode Fuzzy Hash: cc70e7526a36d4e3c2d2f278834d0ed077a41057e7e1b4f1a9b6dcb358d2c47b
Instruction Fuzzy Hash: AB210974A04258CFCB44EF99D0486ADBBF1FB8A315F108019E045AB359EB75A884DF05

Function 01083033 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be200e33e34ae790bf35213970a543d0b4de8b795108c9d5831afaece71f06b3
Instruction ID: 2c8d5f3c263cfa136d53cc1077a0d1a1a1ea964ddc4903422697292377e822e7
Opcode Fuzzy Hash: be200e33e34ae790bf35213970a543d0b4de8b795108c9d5831afaece71f06b3
Instruction Fuzzy Hash: D1213134A08244CFEB60EA29D8597AAB3F2FB84740F4480A5E0C59E359CB759982CF00

Function 01086690 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8fb73eaa7ca1d1668c8a0b4cadfa981970f54b6479ce65752c039058f6f95ee
Instruction ID: f9972d6a4c59d5b2595e9f258ed470edd07a1b4bcb5599c844d09af2052cceba
Opcode Fuzzy Hash: f8fb73eaa7ca1d1668c8a0b4cadfa981970f54b6479ce65752c039058f6f95ee
Instruction Fuzzy Hash: 3F117071B842504FCB54AB7CD858D5A3BEAAFCD21031245E9E14ACB375ED79DC408BA0

Function 04D7C187 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd55f711f6311430d6b9a62babe06f0c1760db2c88bf1e223e53d27179715c81
Instruction ID: 6b3736ae6268bc8c28aebd5453f27832a5987a3e07900e9f8565b88da5cb464b
Opcode Fuzzy Hash: cd55f711f6311430d6b9a62babe06f0c1760db2c88bf1e223e53d27179715c81
Instruction Fuzzy Hash: CE212971A05258CFEB20CF68CD54BD9BBF5BB49314F0085E6D64DA7295E770AA84CF10

Function 04D79AC9 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 200d44bc2ddfee0b7d1b5a6ff09090494fca781e7770d70e248378696bd9bc65
Instruction ID: d24c3008663c5739c6a8a60a17edf1357cab2424ad2a26c7f8b8ae2805798ada
Opcode Fuzzy Hash: 200d44bc2ddfee0b7d1b5a6ff09090494fca781e7770d70e248378696bd9bc65
Instruction Fuzzy Hash: F32117B6E01218CFEF00DF99D554AEDBBB2FB89301F0080A9E555B7254E738AA49CF51

Function 01085C11 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 257f8112537da06bdc7985c09df9bb84af5da2088f97e8cffd37b2365ac029dc
Instruction ID: f8118343f9221049964bc91bc971b367b93949820924e91f37058a9ec7b4c933
Opcode Fuzzy Hash: 257f8112537da06bdc7985c09df9bb84af5da2088f97e8cffd37b2365ac029dc
Instruction Fuzzy Hash: D3110E75A081048FDB01EB58D8847CDBBF2FB88320F2982A6D2C59B656D33A9902CF40

Function 063B77A5 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2420461350.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63b0000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ddae0daf42137d99feb8a28f309659d085fd82077d3212cdb27b70fbcedc7a4
Instruction ID: d6ba0f6ef8db5d6672bf9ed88a78e16ffd412fb8222cddd031d6bcf1b8e5faa5
Opcode Fuzzy Hash: 8ddae0daf42137d99feb8a28f309659d085fd82077d3212cdb27b70fbcedc7a4
Instruction Fuzzy Hash: 73319278A113298FCB64CF28C984A99BBB1FF8A310F0181E5E85DA7754D734AE80CF11

Function 0102D51B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373209022.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_102d000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: a2db2251ced8f8467ae6352bbb1c7c79960e2314a7cd49290b260d80fe9af502
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 32110372404280CFDB02CF44D5C4B16BFB2FB88314F24C5A9D9490B657C33AD85ACBA2

Function 063B7F73 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2420461350.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63b0000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0eae3d3b8cdf20b021ae44d66bef047ee5b403deaac9e0b8150907fdcd9c491
Instruction ID: 3de6d858041a61b0018fcb6616142ab93781275cd31830d01e074f4f9e3544fa
Opcode Fuzzy Hash: b0eae3d3b8cdf20b021ae44d66bef047ee5b403deaac9e0b8150907fdcd9c491
Instruction Fuzzy Hash: EA21F874A00329CFCB64DF58D894A99BBB1FB49300F1051E9E849A7744DB30AE84CF50

Function 010867B8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbb75bce89396e7b675d219e4f01ad9a36d53e83789e3df3f10666d5d4916cd8
Instruction ID: b1b31196944feda65e5841ea287c567763e449e00f68d3bc8a78ef18916c748b
Opcode Fuzzy Hash: bbb75bce89396e7b675d219e4f01ad9a36d53e83789e3df3f10666d5d4916cd8
Instruction Fuzzy Hash: 63015EB57802504FC795AB7CD518A5E3BEAAFDE32031245A9E04ACF375ED29DC018761

Function 01085C46 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb4c092dac183ebae072eea009531d2859c29b8e914fcc2c6dee4b5d39bf08e2
Instruction ID: 161ef6e15cdf0e8a6ed2828ae7daca3b02cc086a4992831acca5282b8a3afbbb
Opcode Fuzzy Hash: eb4c092dac183ebae072eea009531d2859c29b8e914fcc2c6dee4b5d39bf08e2
Instruction Fuzzy Hash: 4911A034A08104CFCB50EB98D98469DB7F2EF88321F25C1A2E1C6AB619D739ED46CF40

Function 01085A87 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 675981031b43e2089179079c2947358d9ca693ac4e5277823e526191f7ccacc6
Instruction ID: ee98ee6b244fedd0231c6710250a1d501480a9a899eaa67df1899b61b9fb0c11
Opcode Fuzzy Hash: 675981031b43e2089179079c2947358d9ca693ac4e5277823e526191f7ccacc6
Instruction Fuzzy Hash: 06119134A08104CFCB51EBA8E984A9EB7F2FF84311F24C165E5869B719C739AD06CF40

Function 01085ED6 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecc8710df54e6994561bb8fc74e2d081d3c8f2f3983992ce006ac74202cc00c4
Instruction ID: f5781e6072ca6c49b57b70b9d33d0170c3bc819f92d752be2e62f43c34683793
Opcode Fuzzy Hash: ecc8710df54e6994561bb8fc74e2d081d3c8f2f3983992ce006ac74202cc00c4
Instruction Fuzzy Hash: 5201223460C244CFCB12AB68DC8466EFBB1EF46210F1942E6D1C68F116C637A806CB01

Function 04D7A719 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9c4a176fc035da43cd8ed16d4d62b46da717c766382715ba9b4b89e836e96e2
Instruction ID: 500bd7fa76eff74ac86d219247487759bea0e5748ee97a1d64809228f3232a26
Opcode Fuzzy Hash: d9c4a176fc035da43cd8ed16d4d62b46da717c766382715ba9b4b89e836e96e2
Instruction Fuzzy Hash: F721CD74A04268CFDB60DF64C884BDDBBB1AB89304F0085DA944EA7354EB31AE81DF11

Function 01085AE2 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5762ffde29f5e13232102a92a387017f75cd4eb813410e2ddef61b19829875d
Instruction ID: e7ad7f2e36ebf28ec09288dd9b34729be0a617e91ed0bc8507937dbb0001dae7
Opcode Fuzzy Hash: b5762ffde29f5e13232102a92a387017f75cd4eb813410e2ddef61b19829875d
Instruction Fuzzy Hash: F4116D38B08205CFDB15EF98D9C479EB7F2EB88310F1480A6E686AB705D6369D42CF14

Function 01081C02 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cf407acd1bc5dd713976db1d745a031c88ca3babe5e2f15c9502b7a8c5259e2
Instruction ID: 8d69d95284bc1b684efb3dcb0398dbd8f58f2ae862b7c382ecea086f64cde366
Opcode Fuzzy Hash: 4cf407acd1bc5dd713976db1d745a031c88ca3babe5e2f15c9502b7a8c5259e2
Instruction Fuzzy Hash: C5118070E042099FDB15EBB4C8557EEBBB2EF85304F14C0A5C88987395EA356A06CB91

Function 010865B1 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59a1d7f0a98ce41f547d25bb5a78c942b03f8b50a9495f8ac155e5bfbf9f8206
Instruction ID: 52a8def365b6625eed5416875f87bd4f1ea183320509f80cdd9ced42aa98e9e5
Opcode Fuzzy Hash: 59a1d7f0a98ce41f547d25bb5a78c942b03f8b50a9495f8ac155e5bfbf9f8206
Instruction Fuzzy Hash: 8D014CB9B802108FC7559B78D9189193BEAAFCE21131145A9E14ACB375EE29DC01CB60

Function 01085FDF Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d49071d1d9e24cbc88aa1e2b652715b64f58f4e604486d5f13b60c342d8a631a
Instruction ID: 5a9a59ee47ce801153f721eea86baeb72e220f158709c20bd3029942c1517df9
Opcode Fuzzy Hash: d49071d1d9e24cbc88aa1e2b652715b64f58f4e604486d5f13b60c342d8a631a
Instruction Fuzzy Hash: 0901C074B08200CFCB51EB68D988A5DB7F6EF88300F144091E2C6DB625D63AED42CF00

Function 01085AB7 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90d87e72446abbc1919607335dbcaf37557525de205a003fc7ea69a662413eb8
Instruction ID: f4d75f6005d7ee0e8d5a03681e1842687c6bb9b8ef3b323464546d5ab5d2da0c
Opcode Fuzzy Hash: 90d87e72446abbc1919607335dbcaf37557525de205a003fc7ea69a662413eb8
Instruction Fuzzy Hash: 9401F734B08105CFCB51AB98E888BAEB7E6FB84304F1040A1E1DA9B615C636A803CF11

Function 063B7E10 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2420461350.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63b0000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23eb28962b2426e71876b74787086fdbb8c263313d0b1a2fdb2d7794fdb87d07
Instruction ID: 68298ec3927f19d24a233d7d668d7175e681e0c31e01c71e37650daba2dc4aea
Opcode Fuzzy Hash: 23eb28962b2426e71876b74787086fdbb8c263313d0b1a2fdb2d7794fdb87d07
Instruction Fuzzy Hash: 09210B78A00229CFDBA4DF18D884B9ABBB6FB4A304F1040E9D54DA7744DB346E85CF40

Function 063B4DCF Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2420461350.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63b0000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaf62acfa3d2d858804e6aac52428cd066f86a7b651e672fbddab2f7f6b36e6c
Instruction ID: ef6ad06fc3c0643f2bfaf50c36c0d42ca2395cb67b858472914af71764e144ef
Opcode Fuzzy Hash: aaf62acfa3d2d858804e6aac52428cd066f86a7b651e672fbddab2f7f6b36e6c
Instruction Fuzzy Hash: 1F21C474E04229CFDBA5DF18D884B99BBB1FB49310F0040E9E90EA7744DB386E859F40

Function 01085D1F Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2a9a71f21acab8704636e80a52ed0195f2c90d420ccb8e3f6626d4e07f2ab24
Instruction ID: d35471877862f9869bf215252ef0a99025dcfd1bc1e7760587595cf47200a56a
Opcode Fuzzy Hash: e2a9a71f21acab8704636e80a52ed0195f2c90d420ccb8e3f6626d4e07f2ab24
Instruction Fuzzy Hash: B801B13460C205CFDB21AB68D8887ADF7A6FF44201F1445A2E6C68B606C736A952CF41

Function 01087BE0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9db824cf96746888b9f0e3987915ab699d9d581f2e0de3dcf9a42d9425461b57
Instruction ID: 424a1c66984d779108cd34c293f1ebd1da9047bd0cd5c01794ed25c9308a8b9a
Opcode Fuzzy Hash: 9db824cf96746888b9f0e3987915ab699d9d581f2e0de3dcf9a42d9425461b57
Instruction Fuzzy Hash: 1E015274E0810DCFEB04EA59D8847EEB3B7EB88340F60C079C68567399DB79A842CB51

Function 01085EE9 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5cfca8c24b1bc6df52a9a5b2e73f9592512d54910c70a15ccc1e6783529a1c8
Instruction ID: 05214d5425579e37de49cc660e9ea707853b3794eb5a8c3502143834a653d0ad
Opcode Fuzzy Hash: a5cfca8c24b1bc6df52a9a5b2e73f9592512d54910c70a15ccc1e6783529a1c8
Instruction Fuzzy Hash: 62015E34A08105CFCB51EA58D8847AEB7F2EB85301F1480A5E1C69B61AD73AE982CF41

Function 0108673F Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dd985e7272baceea027828f61f6618e597ec902d4c32ca63937feac3876b4d2
Instruction ID: 9eb5088979e5aa88ff0690045cb8f7cd2579f77c16f08da281c96dac3fbeacc5
Opcode Fuzzy Hash: 1dd985e7272baceea027828f61f6618e597ec902d4c32ca63937feac3876b4d2
Instruction Fuzzy Hash: 3801F475B402104FC745AB78C40891A3BEAEFCE22131245E5E08ACB365EE79DC018BA1

Function 01085BA0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d0bf14b9f9859550c753f55b8fe6196b56e3a8a1e6d0bf4b8f17f1764cbbfd4
Instruction ID: 3113606ded2920ce3af2b49944c14dd1464ac7df8ea5b1d29e02450713b6065f
Opcode Fuzzy Hash: 3d0bf14b9f9859550c753f55b8fe6196b56e3a8a1e6d0bf4b8f17f1764cbbfd4
Instruction Fuzzy Hash: E501D13870C115CFCB12AB68EC84A9EB7E6FB85211F1444A2E2C2CB616C736E806CF55

Function 01085F52 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28c8bb07ab544a6f0b76822ca0b56d0ea19df3c3e0782f618e82325a0f045963
Instruction ID: 83d5848a2975b73265b960f5e543428b74ffbd49f050621fa1ec0857b33522be
Opcode Fuzzy Hash: 28c8bb07ab544a6f0b76822ca0b56d0ea19df3c3e0782f618e82325a0f045963
Instruction Fuzzy Hash: 9101D138B0C105CFCB12AE98EC845AEB7A6EB85300B114592E2C2CB616D636D946CF55

Function 01085FA4 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a6bd272b78b73692fcf66d37a24c13e7dde0aa754aed63a26f8f3cfd3d50a5b
Instruction ID: a3e19267f168062c724fb74b6322456ecb410c371a5ab011af2ad2964fe9dc73
Opcode Fuzzy Hash: 4a6bd272b78b73692fcf66d37a24c13e7dde0aa754aed63a26f8f3cfd3d50a5b
Instruction Fuzzy Hash: E4017134B08114CFCF51EB98D984A9EB3F2FB88301F108052E6C6A7605D236A802CF11

Function 063B9094 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2420461350.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63b0000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c3a3286cf27c4b2e4e73128493d0689ea63eea2e132198038b93b30ea209e8c
Instruction ID: 72e8ad1782a9686e30ea1f02fa2fec94326475ac3f4c04d059d1ee26c348a350
Opcode Fuzzy Hash: 0c3a3286cf27c4b2e4e73128493d0689ea63eea2e132198038b93b30ea209e8c
Instruction Fuzzy Hash: AE111F74A5022ACFDB68DF18CD44BAAB7B5FB49304F0041E5D919A7744CB346E84CF40

Function 010865C0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef8e991446f7597caa37b5c193361d1b9a67539850e2f30f7a7bcb929fe6b6c3
Instruction ID: e156b098835445da73ce80aca46017750500099f05eef48ecdb7abefae7a2f59
Opcode Fuzzy Hash: ef8e991446f7597caa37b5c193361d1b9a67539850e2f30f7a7bcb929fe6b6c3
Instruction Fuzzy Hash: 0501FBB5B802148FC754AB7CD91891D3BEEAFCD21131145A5E50ACB378DE39DC018BA0

Function 01085B69 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dae3834c409051ab729343c62b9dc4797f54ee57240e7a080c51b2bd593af86
Instruction ID: 5a00fbaf9ef2f7a436c60be6277a27fecfffd91a37a5da0f51d61af592289841
Opcode Fuzzy Hash: 0dae3834c409051ab729343c62b9dc4797f54ee57240e7a080c51b2bd593af86
Instruction Fuzzy Hash: D101A734A08115CFCB51EB54E88465EB7F2EF85311F148095E5C69B615D736DD42CF41

Function 01085E91 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa0d1ff4d148b5361bfa4b5d6a6956b26471f5e533b3bfccf54ba21d9c01c2ba
Instruction ID: db6b7c3aba20605f7a754923c75e3e9d08cc6754970701caf2482ae89f21d1d0
Opcode Fuzzy Hash: aa0d1ff4d148b5361bfa4b5d6a6956b26471f5e533b3bfccf54ba21d9c01c2ba
Instruction Fuzzy Hash: 44017134A08105CFCB11EB98D884B9EB7F6FF88311F1581A1E5C5AB715D336A942CF50

Function 01081C10 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48e551c1262304538c92c20bdfe95626be1c7adbd81769d934df59b83245d663
Instruction ID: 8f565a8ef73aa0173cb3bb702e004d78d20f7c8a99ca05374958442408aacc56
Opcode Fuzzy Hash: 48e551c1262304538c92c20bdfe95626be1c7adbd81769d934df59b83245d663
Instruction Fuzzy Hash: A7018F30E001099FDB14EBA9C4457EEB7A6EF84304F10C4B5C88A87388EB356A43CB91

Function 01087C1A Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3547ac16dd60c4fccb97024af1ad23d8a3f907b210e733275cfadce19247fb74
Instruction ID: ba4f1842144f8b4db3d80114a3ec9e3cb201e64b2802ee715e87890938fc4a4f
Opcode Fuzzy Hash: 3547ac16dd60c4fccb97024af1ad23d8a3f907b210e733275cfadce19247fb74
Instruction Fuzzy Hash: B4015E74E0810DCFEB04EB59D984BADB3B2EB88344F208069C1C55B36DDB789882CB11

Function 01085FBA Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cfc13ddefdd9cf8b2a12d91eb3969c43e84bc1a2f934d062d5419e4fef1ffc0
Instruction ID: aa277e8d46819c9df6598fdaf5d2cfd45e12aea55789d00dcf3a04f6ab84333c
Opcode Fuzzy Hash: 4cfc13ddefdd9cf8b2a12d91eb3969c43e84bc1a2f934d062d5419e4fef1ffc0
Instruction Fuzzy Hash: ED014F38A08105CFDB51EB58E988B5EB7F6EB88311F1580A2E5C6DB716D6369842CF11

Function 04D741B9 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f64df439448a1274e3c67c7bda672cca411c1e3142aa79f4973bfc79a5cb9b68
Instruction ID: 7ee806863155179b3d7c3165b1f9246daef973e2dbe6349dfa1e5c33c314732e
Opcode Fuzzy Hash: f64df439448a1274e3c67c7bda672cca411c1e3142aa79f4973bfc79a5cb9b68
Instruction Fuzzy Hash: F501F434946218EFC71BEBA4D5045ACBFF8AF82315F1482EED84417251EA326E11D792

Function 01085B4C Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1c0d4078ebcc60cdb04bef56097f5539133fcdc4df210fdaf6eea1fcfc65cf6
Instruction ID: d69775c5f8f904d7f6965a372218d26809e46315a8abb82262e75ffcf7a0e97a
Opcode Fuzzy Hash: e1c0d4078ebcc60cdb04bef56097f5539133fcdc4df210fdaf6eea1fcfc65cf6
Instruction Fuzzy Hash: 36018635A08105CFCF11ABA4E884A9EB7B6FF89311F148055E6C69B655D636D802CF51

Function 01085CDD Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eb407af21e3e3b3b2e6c4a17422a5706be9926c0b7818c40a738f2d46550351
Instruction ID: d145f219a9f210b00b3ed183a2abd9d78c405d86e593e0458853f0d4077af48b
Opcode Fuzzy Hash: 1eb407af21e3e3b3b2e6c4a17422a5706be9926c0b7818c40a738f2d46550351
Instruction Fuzzy Hash: D7012134A08201CFCB11EB98D888A5EF7F2EF89310F1582D6E5D69B656D336A802CF01

Function 01085B16 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d977de23744bf80e1261cbcc6f9c3198ba7c556c7e929cc45697f206aaf5780
Instruction ID: 4e6f63a2b0f18b8d58e651d578e08c9541e8166f9257d577a99d654a78e85a9e
Opcode Fuzzy Hash: 7d977de23744bf80e1261cbcc6f9c3198ba7c556c7e929cc45697f206aaf5780
Instruction Fuzzy Hash: 22018174B08115CFCF11EB98E98469EB7F6FB88301F148062E6C6E7715D636AD028F45

Function 04D7BA40 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7092bffd8f67df7d3aabc8cbab93732cd97d112e75eb8077868bf0d9b94c51dd
Instruction ID: d0f7b7cdcda9726ed5dacc1d4da278941c2ca2a5bdad4f5f493222d0336dfe6b
Opcode Fuzzy Hash: 7092bffd8f67df7d3aabc8cbab93732cd97d112e75eb8077868bf0d9b94c51dd
Instruction Fuzzy Hash: 73018F7180460AEFCF01DF94C8005EDBB74FF4A314F04C15AE59427211E772A661DFA1

Function 04D78B50 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54f4a1e8acbacfaa41b9303ddcd4542fe01ab49e34023806ad18587565ccfc95
Instruction ID: 861e8f76c1cb963ea5de4b24f03d262c2672ceb5e4df0cda2af963d3914e9731
Opcode Fuzzy Hash: 54f4a1e8acbacfaa41b9303ddcd4542fe01ab49e34023806ad18587565ccfc95
Instruction Fuzzy Hash: 5CF0F6B9D09248EFC741DBA495105ACFFB4EF8B200F1482EBD84857252F6329F06E791

Function 010826E8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3b40ceb88422cc1acfa117eed709fac3f7fe0d30a204c273e2d8b930d7882e9
Instruction ID: 9a9a64ca111160417b87704fedead30de2fd90ae2cb5eb60b2a6f7c3c638f0fa
Opcode Fuzzy Hash: e3b40ceb88422cc1acfa117eed709fac3f7fe0d30a204c273e2d8b930d7882e9
Instruction Fuzzy Hash: F5F0B432709204CFDB54EA59F5047DA77EAE788321F1480BAD14DC3754DB369841C750

Function 01085B3E Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 434f33ae8db62bb41bfdbf108fc7c7ef4c61c9cc03207c9fe7b8e881655f69f1
Instruction ID: 6a36971ed99a2cda33dac3f50929d24d4b7f1139fb73d1c1cb6bb7013ee946a7
Opcode Fuzzy Hash: 434f33ae8db62bb41bfdbf108fc7c7ef4c61c9cc03207c9fe7b8e881655f69f1
Instruction Fuzzy Hash: 9FF0F634B0C101CFCB11ABA4E88969EB7F6EF85311F154092E6C6DB616D63A9D42CF51

Function 01086750 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 537252acad0273e858cdaaae3d5c1a7696c5210e75f7e3b0787c4e29cdce27e6
Instruction ID: 7ee3da52d218c66c67e17b3ea8e6a51ba283950123334052c8f42f78cbe353d0
Opcode Fuzzy Hash: 537252acad0273e858cdaaae3d5c1a7696c5210e75f7e3b0787c4e29cdce27e6
Instruction Fuzzy Hash: 9BF05E75B802104FCB44AB7CD51891E37EEEFCC22131249A5E54ACB364EE79DC018BA1

Function 04D789EC Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 205e378363fce9d598b31cc48715642052abaf71f2bab770cfda0c9ca2e764c3
Instruction ID: e669a1fcd813914185d1824fb8ee2c68049822361f5f5044b8816af93ba8a793
Opcode Fuzzy Hash: 205e378363fce9d598b31cc48715642052abaf71f2bab770cfda0c9ca2e764c3
Instruction Fuzzy Hash: 5B01EF70E44308CBCB14EFA9D54C6ADBBF6BF86301F109029E059AB220EB34A840EF41

Function 01085B2F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8428763de170efa8cfb85b5a1fe41b21b6810e6f69feb4e5e46acbc956ff95a2
Instruction ID: 818ad2883cc5900deb74bcb9524083cac7e04c2cdee3af9812ee27df5031369f
Opcode Fuzzy Hash: 8428763de170efa8cfb85b5a1fe41b21b6810e6f69feb4e5e46acbc956ff95a2
Instruction Fuzzy Hash: 5DF02B3470C001CFCB11AB68E88869EB7F6FB84301F1541A2E6C6DB616D636D802CF41

Function 01085AA2 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71acdd6c7d9cf1b33c8a9c15f4d5415971e5ffa2ac4c09faf39bee0d194f37c8
Instruction ID: d007a45b16a282ece06b17207d784cd16860303a69180396fc515a8c412b9dde
Opcode Fuzzy Hash: 71acdd6c7d9cf1b33c8a9c15f4d5415971e5ffa2ac4c09faf39bee0d194f37c8
Instruction Fuzzy Hash: 5EF0B434708001CFCB11AAA4E88865EB3F6EB88311F1580A2E6C6DB615D636D8028F45

Function 04D78D70 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85db487b007c7ad7b6c540af041a0318c694b3553742ec51fd6f85d0b463605c
Instruction ID: c1c470ffc1b3788a25fd45b8289c3bf846a30202c607c57705f6259d5087d4b6
Opcode Fuzzy Hash: 85db487b007c7ad7b6c540af041a0318c694b3553742ec51fd6f85d0b463605c
Instruction Fuzzy Hash: 53F0E974C05208EFC701DFA4C4185ACFFB4EB56310F14C1DBE88452342D1325A02EB41

Function 04D7A270 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4397743ea8d39c5aada42c88378da3558ce0306f836b904560d397e4656b538c
Instruction ID: 51a3f252a67c0ab1b294e86a9a5e34af756270bbd1899af6ee576344585c0af7
Opcode Fuzzy Hash: 4397743ea8d39c5aada42c88378da3558ce0306f836b904560d397e4656b538c
Instruction Fuzzy Hash: 86F0B475509248FFCB06CF50D8409ACBF71AF46300F14D19AEE4427352D673AA26EB51

Function 063B2619 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2420461350.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63b0000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91cfd47c2f5b739c3ceaac1013093b069fcf4449a86f0d36bcbdc9a7b87ffdc9
Instruction ID: cbefc03f111381d83b12c85e056be9e8729475f616177f90992fad63034b40bb
Opcode Fuzzy Hash: 91cfd47c2f5b739c3ceaac1013093b069fcf4449a86f0d36bcbdc9a7b87ffdc9
Instruction Fuzzy Hash: 74010974900229CFCBA8DF14DC98AD9BBB0BB55305F0140EADA19A7790DB342EC4DF50

Function 04D799E8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43f87c6c286b182acbed1e438ddec5fcd022e20a425904a7eef27a43c29eb61a
Instruction ID: c410ef83006bfb3970e2183243786c007faf7914459dc4711854bdd0921605ff
Opcode Fuzzy Hash: 43f87c6c286b182acbed1e438ddec5fcd022e20a425904a7eef27a43c29eb61a
Instruction Fuzzy Hash: 65F05E7580920CEFCF06DF94D8119ADBF75FB45310F0482EAED4467252E2729A21EB91

Function 04D7BA50 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cf142b0379413d28b2e60c7136b412612137faec6b3a0acb47ae540a1958f09
Instruction ID: 29a1f33957e11f4a64844d76f5ac999f86c2b42bb3ec9e8f128e9830abb4943d
Opcode Fuzzy Hash: 8cf142b0379413d28b2e60c7136b412612137faec6b3a0acb47ae540a1958f09
Instruction Fuzzy Hash: 0FF0EC71D0060ADBCF01EF99D8009EDBB75FF89324F04C51AE95827211E772A665DB90

Function 01085381 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e625fbf0aba7c9fb7e5bb3d0a0b2679bfbbbb1f72506253ffa1618e8b298f92a
Instruction ID: 28850cf1ec023e760f07ea80b7e05e1be06346b905a98b2ee488731e2b69ee90
Opcode Fuzzy Hash: e625fbf0aba7c9fb7e5bb3d0a0b2679bfbbbb1f72506253ffa1618e8b298f92a
Instruction Fuzzy Hash: C2F0273120C3548FD312AB04AC44796B7A7AF82354F58C0E5D4C44F286CBF31885C741

Function 04D73F98 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56e05e1151fc03b2112d77c42cbd3c588c5fe3c185f3ac881db0a5a9fba4c9af
Instruction ID: 96ca9526b4c99855b45eb9aa9f77fd9561d3417bc438600c12702d6fe2338c0c
Opcode Fuzzy Hash: 56e05e1151fc03b2112d77c42cbd3c588c5fe3c185f3ac881db0a5a9fba4c9af
Instruction Fuzzy Hash: 64F0B470D09248AFC741DFA8C40059DFBF0AB46310F14C5DBD854D7392E232AA03EB41

Function 04D7C608 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58bcc0bbc2637376f6fd90b64797d22548453202a2f94e569fe53aa3fde7e937
Instruction ID: feee0b8b6c5bcccd63db852b2aa17746ec14479cc3bac4c62bf47c0a688ea393
Opcode Fuzzy Hash: 58bcc0bbc2637376f6fd90b64797d22548453202a2f94e569fe53aa3fde7e937
Instruction Fuzzy Hash: 23F09A75909208EFCB01CFA4C9849ACBFB5EF49310F18C19AEC4457352E236AA52EB41

Function 04D724E9 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c3b8ceab3fc0fb905d74fe36db65cfe1d7fe5b1deed874b33c66c62e39734b7
Instruction ID: 36158385568973e56f35e149131056e77d6683875d23f45941f9a4b3dd3d36e8
Opcode Fuzzy Hash: 3c3b8ceab3fc0fb905d74fe36db65cfe1d7fe5b1deed874b33c66c62e39734b7
Instruction Fuzzy Hash: C9E09271A09248DBCB19DFA8E856668BF749B56324F18C1DAD84457382EA32AD02E781

Function 04D78498 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2445846929377494199df120042db49d9789584a085949555c3eac62cfe8b22d
Instruction ID: 8619aa5f9e1c9dd6f02bb5446607f5883245822cc153ffdbe1d343a6a2e3aea0
Opcode Fuzzy Hash: 2445846929377494199df120042db49d9789584a085949555c3eac62cfe8b22d
Instruction Fuzzy Hash: 57E06D7490E208EFC701EF94D8405A8BB79AB46304F2581EAD84857242DA72AE07DB81

Function 04D70659 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 292af0c8c3b90285d8d5ec697308792d5838123555d7188943dc7f2f9a0ca2a2
Instruction ID: e3109ea3a61b0f603f87ed3294a20563308d5bca1bed49f5bb4f1324cb671f75
Opcode Fuzzy Hash: 292af0c8c3b90285d8d5ec697308792d5838123555d7188943dc7f2f9a0ca2a2
Instruction Fuzzy Hash: 3CE09274D0D108DFCB06DB94D5901ACBFB1EB86324F2881DAD844633D2D6325E02DB41

Function 04D78E08 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 411b988fcc6118e46b92e3596f31d92c63692b089a68fc5df192fc6039a6fa68
Instruction ID: 284be47a915ff6d1223f0f8898bfd4f13efcc2fb8a0aa7befa232af3a99464d7
Opcode Fuzzy Hash: 411b988fcc6118e46b92e3596f31d92c63692b089a68fc5df192fc6039a6fa68
Instruction Fuzzy Hash: 4AF0E5B050D2859FC7A2C768C804298BFB0AF07214F1842EBD984CB293D7379E53D382

Function 04D73A50 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 815d57be1d9ad1867c27d219201bb0dc1f225b5a5cecde6f1761db323fbe787c
Instruction ID: e75cfcd9540701b1814937f1c59c94a74337d0fb968f4487a6e5612d69bd9a45
Opcode Fuzzy Hash: 815d57be1d9ad1867c27d219201bb0dc1f225b5a5cecde6f1761db323fbe787c
Instruction Fuzzy Hash: A5F09274A09244EFC716DBA8D585568BFB49B46318F14C0DEDC4857392EA33EE02EB81

Function 04D78240 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b11c279baad7eefae2fdce3f2a740b131996c382d63218c7697d9dd2c5e9a398
Instruction ID: bc22c2929182d0276f1f79f7452298db15821ed34854289eb4d1092a844f0c7f
Opcode Fuzzy Hash: b11c279baad7eefae2fdce3f2a740b131996c382d63218c7697d9dd2c5e9a398
Instruction Fuzzy Hash: E3E09271906148DFC342FBB4891869A7BB4AF56210F0056D7E100C7061E9361B08DB61

Function 01085338 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02da87f448d2e2066b6a3ca6072e83f918f06ac07be7df986503a5f5b788ca59
Instruction ID: 7ab8e258d1f8202a0229ac45f56595396f6f7d5dbd1eae35f8be1e08da95f602
Opcode Fuzzy Hash: 02da87f448d2e2066b6a3ca6072e83f918f06ac07be7df986503a5f5b788ca59
Instruction Fuzzy Hash: 40E092B0945349AFCF46DFA4E9005DC7BB9FF5620070041EAD444DB215E6315F11EB10

Function 04D7D488 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 767809f0cb40d9019be0e29fe9ec8bed2b02b9020e307d387480f8fcc9eb6f01
Instruction ID: b362b3d2852927838754751e03e05d304acadbca1a51676f6292dfebb6b386ca
Opcode Fuzzy Hash: 767809f0cb40d9019be0e29fe9ec8bed2b02b9020e307d387480f8fcc9eb6f01
Instruction Fuzzy Hash: 8FF01534905208EFCB01DF98D9409ACBBB6FF88310F14C09AEC4863351D732AA21EB41

Function 04D71530 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5091c62e7db64b66d39dad5a87ca97da314095905324b707af9489a1d60c73f4
Instruction ID: 904bdf2c58a08f9c769607d532d96c1f5fe9e27709fbfcab49acf6d74d3b0298
Opcode Fuzzy Hash: 5091c62e7db64b66d39dad5a87ca97da314095905324b707af9489a1d60c73f4
Instruction Fuzzy Hash: 0EE068B080E248EFCB05CBA8D80426CBF75AB47300F1581DAC88413352E232EE15D741

Function 04D70E70 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94041b1b7ab2984496da21c8b1fa22bd39a9908f0040627bad41f33305558c93
Instruction ID: a77a279bf69bb7a2c8918113bf6a9b9cd7334fc3a45741ec85726b386741c0a6
Opcode Fuzzy Hash: 94041b1b7ab2984496da21c8b1fa22bd39a9908f0040627bad41f33305558c93
Instruction Fuzzy Hash: B8E06834C0D104CFCB01CB60D4801ACBF74EF42304F2880DAD84413382C2328E06DB81

Function 063CAB08 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2420461350.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63b0000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa7b3e7dad932ad8ca2785daff137d4505ceada1472479fc3167367673b9c12e
Instruction ID: 49e7eecb7ef62f44d236ca67e3b9f86ef2d9d18a6672d9e25d4d70092f57f92b
Opcode Fuzzy Hash: fa7b3e7dad932ad8ca2785daff137d4505ceada1472479fc3167367673b9c12e
Instruction Fuzzy Hash: BAE0C974D0520CEFCB84DFA8D540AACFBF5EB48310F14C1AAA80893351D636AA51DF81

Function 063C6300 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2420461350.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63b0000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa7b3e7dad932ad8ca2785daff137d4505ceada1472479fc3167367673b9c12e
Instruction ID: aa66de69100489a3704eae9f3a8fdcc1a22cadfee9830b7240a0f69923c48331
Opcode Fuzzy Hash: fa7b3e7dad932ad8ca2785daff137d4505ceada1472479fc3167367673b9c12e
Instruction Fuzzy Hash: 35E0C974D05208EFCB84DFA8D9416ACFBF8EB49310F14C1AAA81893351D6369E51DF81

Function 063CD948 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2420461350.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63b0000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa7b3e7dad932ad8ca2785daff137d4505ceada1472479fc3167367673b9c12e
Instruction ID: d88eb74cbde846133fee2d0aa0514ac1e38ffc0b0c5ffda43878322b1f460455
Opcode Fuzzy Hash: fa7b3e7dad932ad8ca2785daff137d4505ceada1472479fc3167367673b9c12e
Instruction Fuzzy Hash: C1E0C974D05208EFCB84DFA8D5406ACFBF4EF48310F14C1AAA808A3341D6369A52DF81

Function 04D7C618 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99b3043471038309cfec7fc2c1e8551db0628560c10057ac7526e776f6b9f94b
Instruction ID: afefae9fd93942d7d48ceb934d3aa0f6c20b1859b3020c73b6687070b6f30e33
Opcode Fuzzy Hash: 99b3043471038309cfec7fc2c1e8551db0628560c10057ac7526e776f6b9f94b
Instruction Fuzzy Hash: 56F03934905208EFCB01CF94C8849ACBFB5EB48310F14C09AEC5453351D6329A21EF40

Function 04D72F29 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84955827b886ccc29fcf392272409ce0bbf920a0523480b608d718ea2969b778
Instruction ID: a06a6749d4c518c090360d4a72e563628c7dea69b1d991e15ae5e125e47c9bdb
Opcode Fuzzy Hash: 84955827b886ccc29fcf392272409ce0bbf920a0523480b608d718ea2969b778
Instruction Fuzzy Hash: D8E09234A0E244DFC705DF94D9424A8FF74EB46314F18C1EED84857246DA32AE07D741

Function 04D799F8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f129cf19e1ffab93e30c1bbd8cc8b2d740cc235a4f9550112e7831e8b7c3063
Instruction ID: ded0581838d8f516c651697b4f80537834f2a5e5f53d2eed27f75e1790402c07
Opcode Fuzzy Hash: 3f129cf19e1ffab93e30c1bbd8cc8b2d740cc235a4f9550112e7831e8b7c3063
Instruction Fuzzy Hash: 7BE0E575906108EBCF05DF94D9409ADBB79FB49310F14C19AEC4827251E732AA61EB91

Function 04D7A280 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f129cf19e1ffab93e30c1bbd8cc8b2d740cc235a4f9550112e7831e8b7c3063
Instruction ID: 8a4f6d3f62c41dc87bc025f8b12fb652c4ea74d70612feee354eec95b1ee861d
Opcode Fuzzy Hash: 3f129cf19e1ffab93e30c1bbd8cc8b2d740cc235a4f9550112e7831e8b7c3063
Instruction Fuzzy Hash: D8E06538A05208EBCB02CF94D9009ADBB75FB49300F14D09AED4823351D733AA22EB81

Function 063CDF38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2420461350.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63b0000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 419bbdb0c14b7ca06543c703a1e731a948cdb20db8e39153b511b2304704037c
Instruction ID: 8639f6df0eba60902d5dabd1d70a40d48bc061b201a3d75dda5719e339b69665
Opcode Fuzzy Hash: 419bbdb0c14b7ca06543c703a1e731a948cdb20db8e39153b511b2304704037c
Instruction Fuzzy Hash: 3DE0C974D05208EFCB84EFA8D5406ACBBF4EB48310F14C1AAE81893341D6359A11DB81

Function 063CF870 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2420461350.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63b0000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 419bbdb0c14b7ca06543c703a1e731a948cdb20db8e39153b511b2304704037c
Instruction ID: a3979db5a2949111a5c7febbf720a587b50932da115a63e03137f1a3cf51b2b2
Opcode Fuzzy Hash: 419bbdb0c14b7ca06543c703a1e731a948cdb20db8e39153b511b2304704037c
Instruction Fuzzy Hash: DDE0C274E05208EFCB84DFA9D540AACBBF9AB88310F14C1AEA81893341D6369A01DB81

Function 04D77D1A Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85c2ca2d8f570bc45254d633012ab5cbf92c8a21e3caa80fe1012e0fefac8491
Instruction ID: 366b159269c4a287dcb5877c6aa75d7a9f4aa81aec5617c190a07222d4ad0413
Opcode Fuzzy Hash: 85c2ca2d8f570bc45254d633012ab5cbf92c8a21e3caa80fe1012e0fefac8491
Instruction Fuzzy Hash: 78E04F74905108DBC704DB94D9415A9FB74EB85304F64C5EA984827341E633BE16DB81

Function 063CFF90 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2420461350.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63b0000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12092f40d758b314516037095604001e6b613cc3e42b166bcca7af158f316871
Instruction ID: 5921e1d6d6a8150f9c40248c7374ee0be761cb7660d6fa8b30d82a8a4bb6da64
Opcode Fuzzy Hash: 12092f40d758b314516037095604001e6b613cc3e42b166bcca7af158f316871
Instruction Fuzzy Hash: 0EE0E574D09208EFCB44DF98D540AACFBB9EF89310F14C1AEE84453345C6369A56EB91

Function 04D74F3F Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64689ecdca16e19a70d9402875f60b61cebbf1a7ea7efa3bf2060b323e1b7590
Instruction ID: 528a8aa1158948efe51c6d2006d2e7a1e4957545702b7996d71afaab97ffbd77
Opcode Fuzzy Hash: 64689ecdca16e19a70d9402875f60b61cebbf1a7ea7efa3bf2060b323e1b7590
Instruction Fuzzy Hash: E4F0D474904228CFCB61CF28D8447E8BBB1FB4A305F0040EAE489A6681EBB46DC4CF11

Function 04D7D3A0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 252aa7b85a92030b2631384e9daf2150260926f6475fe7f757e329a6f4138abb
Instruction ID: b08d51097c6f0412e5e77bab918f7fb8b4668c3377f06c8688b683001088aaa8
Opcode Fuzzy Hash: 252aa7b85a92030b2631384e9daf2150260926f6475fe7f757e329a6f4138abb
Instruction Fuzzy Hash: DAE09A34D05208EFCB00CF98D5009ACFBB5EF88300F14C0AAEC4453341D636AA11EB90

Function 063C8FD8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2420461350.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63b0000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bd01e1594abf3fb2088a07e1851e04ef5b56f8d9be424d18b1b5f692ac9b740
Instruction ID: 2fe355b7a659acfffa9dac344f9a5f6195889fdcdcfb715cd3cb5124b7b6fd55
Opcode Fuzzy Hash: 6bd01e1594abf3fb2088a07e1851e04ef5b56f8d9be424d18b1b5f692ac9b740
Instruction Fuzzy Hash: 09E0E534D05108EFC754DB98D5415ACBBF9AB89211F1481AEE84853341C6369A42DB85

Function 04D78E18 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56e8a1b0f7b1db779c4cd45291e06246f929a797e342483e018900e37fb6e4f1
Instruction ID: e31f78e9285f8ca3300bd54e7223053f2dbfe1899b5a2c0bd6e1aa84b29177f0
Opcode Fuzzy Hash: 56e8a1b0f7b1db779c4cd45291e06246f929a797e342483e018900e37fb6e4f1
Instruction Fuzzy Hash: 31E08630905108DFC780EFA8C9446ACFBF4EB49304F1480E99848D3341E732AE41DB41

Function 063CE698 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2420461350.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63b0000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fab571399990354f68ccecf98dfcd087bf74c0e69ae2e07fc80da187abfaefd5
Instruction ID: e5085be9ab941c289d11d5cd071ae6085e0c1a65a227bcc8f25216869611c13e
Opcode Fuzzy Hash: fab571399990354f68ccecf98dfcd087bf74c0e69ae2e07fc80da187abfaefd5
Instruction Fuzzy Hash: 85E01234919108DFC744DF94D5415ACFBB9EB85315F14C1EDE80817381CA329E56EBC1

Function 063CBEF8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2420461350.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63b0000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d81d1d6c77e0a2371c684aabd01490f0e1cb815ae805709ef975362a82189397
Instruction ID: b2196d42cd560ea3b76ed4afebfccb5d584989fba175fd171d13eb2ae485c340
Opcode Fuzzy Hash: d81d1d6c77e0a2371c684aabd01490f0e1cb815ae805709ef975362a82189397
Instruction Fuzzy Hash: B9E08C74C16208DFCB80DFB8D4462ACBBF8AB04211F1040A9E809D3340EA314E40DB91

Function 063CBAE0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2420461350.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63b0000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bf7830aaa1bc6bead80b12d3944a815fa9e91cd0c20fe3ef726327a7d3fa2bc
Instruction ID: 4c902076eadf4a1647a7f1914634edac1162005c3f4ea0fad21d778324308283
Opcode Fuzzy Hash: 8bf7830aaa1bc6bead80b12d3944a815fa9e91cd0c20fe3ef726327a7d3fa2bc
Instruction Fuzzy Hash: 4EE0C23194210CDFC740EFF4890469EBBFC9F85210F0046E6A40493150E9765E04E7A2

Function 063C9F48 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2420461350.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63b0000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee8103455b10e22092bc0d7a94dd957c5c9048d1301bcdd12d59c5314336635e
Instruction ID: e3238fef9f13faf09403685c0d3241a111ffd1032cff33c79c5949d693b178e0
Opcode Fuzzy Hash: ee8103455b10e22092bc0d7a94dd957c5c9048d1301bcdd12d59c5314336635e
Instruction Fuzzy Hash: CEE0127294210CDFC741FFF4990479EBBFD9F45211F0049E6E50493151EA765E14E7A2

Function 04D724F8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32051e4d716fb2fd586661d695544304c19beb28cb8b43eed0eceafba0763e11
Instruction ID: a8a64ccd3cf117028661cc0258b6c028acdf01953d46124e8574845ab7633a17
Opcode Fuzzy Hash: 32051e4d716fb2fd586661d695544304c19beb28cb8b43eed0eceafba0763e11
Instruction Fuzzy Hash: 7EE0C234909108DBCB04DF98D5455ACFBB8EB85300F14C1EDD80813341DB32AE02EB81

Function 04D784A8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32051e4d716fb2fd586661d695544304c19beb28cb8b43eed0eceafba0763e11
Instruction ID: 6de0f5cb8ff9af31f14de2498616eee684fbcbd7399c555738ad714b4ae5d91c
Opcode Fuzzy Hash: 32051e4d716fb2fd586661d695544304c19beb28cb8b43eed0eceafba0763e11
Instruction Fuzzy Hash: 92E08C34A0A108DBC704EF94D5445ACBBB9AB85304F1481AAA80813341DA72AE02EB81

Function 04D71540 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32051e4d716fb2fd586661d695544304c19beb28cb8b43eed0eceafba0763e11
Instruction ID: 83eeef6750325912237b1eb51dc16663f6fc696d7dc0d115225aabdab4930572
Opcode Fuzzy Hash: 32051e4d716fb2fd586661d695544304c19beb28cb8b43eed0eceafba0763e11
Instruction Fuzzy Hash: 2DE0C234909108DBCB08DF98D5455ACFBB9EB86300F14C2D9D80913341D632EE02EB81

Function 04D77D20 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32051e4d716fb2fd586661d695544304c19beb28cb8b43eed0eceafba0763e11
Instruction ID: 92a42d2908db0685d16e0abb44c433de414a09a290708ab75639dc36e6966eda
Opcode Fuzzy Hash: 32051e4d716fb2fd586661d695544304c19beb28cb8b43eed0eceafba0763e11
Instruction Fuzzy Hash: 75E01274A09108DBC704DF94D5415BCFBB8EB86315F54C5DAD84817341E632BE52DB91

Function 04D70E80 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32051e4d716fb2fd586661d695544304c19beb28cb8b43eed0eceafba0763e11
Instruction ID: ffd65ecd3d91e05bc499019d6e6ffdeb912ca7cf25a989cf9646ac8c9d4636ef
Opcode Fuzzy Hash: 32051e4d716fb2fd586661d695544304c19beb28cb8b43eed0eceafba0763e11
Instruction Fuzzy Hash: 89E0C234909108DBC704DF94D5445ACFBB8EF85300F14C1D9D84813381D732AE02DB82

Function 04D7DE58 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32051e4d716fb2fd586661d695544304c19beb28cb8b43eed0eceafba0763e11
Instruction ID: 46fec92884eaaacc2fb160a4c825b2a176576467ae9afc392e952b43091a5f58
Opcode Fuzzy Hash: 32051e4d716fb2fd586661d695544304c19beb28cb8b43eed0eceafba0763e11
Instruction Fuzzy Hash: C4E0C274909108EBC744DF94D5405ACFBB9EF85310F14C1DDD88813341DB32AE02DB81

Function 04D70668 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32051e4d716fb2fd586661d695544304c19beb28cb8b43eed0eceafba0763e11
Instruction ID: dac4dc8e845fabf101bfe6c3f88a8460519a0259618e8912dc789f8fb4739c56
Opcode Fuzzy Hash: 32051e4d716fb2fd586661d695544304c19beb28cb8b43eed0eceafba0763e11
Instruction Fuzzy Hash: C3E01234909108EBCB05DF94D6915ACFBB9EB85315F14C1DDD84827385DA32AE52DB81

Function 04D72F38 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32051e4d716fb2fd586661d695544304c19beb28cb8b43eed0eceafba0763e11
Instruction ID: e163414c8871860c9fa604dee48052ffcfc63ee7c697f33c703ffebd280beb52
Opcode Fuzzy Hash: 32051e4d716fb2fd586661d695544304c19beb28cb8b43eed0eceafba0763e11
Instruction Fuzzy Hash: A6E01234A09108DBCB04DF95E9415ACFBB8EB85315F14C1EEE84C57341DA32AE52EB81

Function 04D7D880 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32051e4d716fb2fd586661d695544304c19beb28cb8b43eed0eceafba0763e11
Instruction ID: 0581d13c8e6894ba40704bb0549670b262ee8016224b16b87e3326ec533bd840
Opcode Fuzzy Hash: 32051e4d716fb2fd586661d695544304c19beb28cb8b43eed0eceafba0763e11
Instruction Fuzzy Hash: EAE0C234909108EBC704DF94D5445ACFFB9EF85300F14C1D9D88817341D632AE02DB81

Function 04D741C8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32051e4d716fb2fd586661d695544304c19beb28cb8b43eed0eceafba0763e11
Instruction ID: bff4dace759f88a190c3abbd922f0c92c4f8379bf4edf20175740ac58caeb738
Opcode Fuzzy Hash: 32051e4d716fb2fd586661d695544304c19beb28cb8b43eed0eceafba0763e11
Instruction Fuzzy Hash: 9AE0C238909118DBC704EF94D9405ADFBB8EB85301F24C1DDDC0813341DA32AF02DB81

Function 04D7E988 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32051e4d716fb2fd586661d695544304c19beb28cb8b43eed0eceafba0763e11
Instruction ID: cac42987b5f3c44a54d6691dddc3874122b570a40b2b24a0a840ebf75a4471de
Opcode Fuzzy Hash: 32051e4d716fb2fd586661d695544304c19beb28cb8b43eed0eceafba0763e11
Instruction Fuzzy Hash: 75E01274A09108EBC744DF95D5415ACFBB8EF86315F24C1DDD84827342DB32AE52DB82

Function 04D78250 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c92e4714db2db5dffdf47df46ca7bf77e45ecbc433eb24e3a5efedf0384e1ee4
Instruction ID: 99c0b1af06069ac541cd1bca8e6f445f4478418d2408ce0283eabfce532edb74
Opcode Fuzzy Hash: c92e4714db2db5dffdf47df46ca7bf77e45ecbc433eb24e3a5efedf0384e1ee4
Instruction Fuzzy Hash: 86E0C23194210CDFC701FBF4890869EBBFCAF86310F0046E6E50493110FA365A00E7A2

Function 04D73A60 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32051e4d716fb2fd586661d695544304c19beb28cb8b43eed0eceafba0763e11
Instruction ID: 866a84514e4be83b52a5979ef431e063a38214b5549c5bb1ab9eaa5091e061dc
Opcode Fuzzy Hash: 32051e4d716fb2fd586661d695544304c19beb28cb8b43eed0eceafba0763e11
Instruction Fuzzy Hash: 4AE01234909108EFC704DF94D5815ACFBB8EB85315F14C1D9DC4817351D632EE52EB81

Function 01083E30 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f791d91620752a09139c35d7b8e5d2d19082a6fab22dc656dbc7b9af028620da
Instruction ID: 569aa6f2d8fdfd6e4b0a7db35bf5011c785c5332ea5ba2105903f0bd015f2f52
Opcode Fuzzy Hash: f791d91620752a09139c35d7b8e5d2d19082a6fab22dc656dbc7b9af028620da
Instruction Fuzzy Hash: CDE0E534908204CFEBA9AF04D1687A873B2FB45305F6090EDC1CA4ABC4CB369A86DF40

Function 04D76D10 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76acf731f566b18d4364800b29eccf7ddd8e1c2b079555b9fba3382a5cc39bbf
Instruction ID: 619d29816c1b749af786c117358e81b5e12279e71e8ccc7823bdde27f9ecd966
Opcode Fuzzy Hash: 76acf731f566b18d4364800b29eccf7ddd8e1c2b079555b9fba3382a5cc39bbf
Instruction Fuzzy Hash: BCE08C30915108DFC750DFA8D5002ACBFB8EB46225F18C0DAD84853341F632EA02DB41

Function 04D7C213 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fb4c109f47e1eafeac674469fb0a453bf2838138f94dec28bc5b01298d99e32
Instruction ID: b88ff142629deafd3844f05598e65edff0bfee993ca83eab8bbc93786719907b
Opcode Fuzzy Hash: 7fb4c109f47e1eafeac674469fb0a453bf2838138f94dec28bc5b01298d99e32
Instruction Fuzzy Hash: D4E0E575A0421C8BCB52CF54C840BDABBB8BB4D300F00419AE549A7244DA74AA84CF60

Function 04D78B60 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76acf731f566b18d4364800b29eccf7ddd8e1c2b079555b9fba3382a5cc39bbf
Instruction ID: 2174d6fedefb3e0b1324ad701b8fe6906786144f6baa3c4239fa7cf10c71ff63
Opcode Fuzzy Hash: 76acf731f566b18d4364800b29eccf7ddd8e1c2b079555b9fba3382a5cc39bbf
Instruction Fuzzy Hash: A6E0C270D05208DFC740EBA8C5042BCFFB8EB45301F1480DAE88853341E632AE02EB41

Function 01085348 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88579fe222103e5ac3c1202edc533f28e23943d7ec17369ba929b94dc1a6884c
Instruction ID: e61d1d83b66f3d74ca5139a2c377dab519ffed90eb9c9452985411940fb14caa
Opcode Fuzzy Hash: 88579fe222103e5ac3c1202edc533f28e23943d7ec17369ba929b94dc1a6884c
Instruction Fuzzy Hash: BFD017B0A0120DEF8B04EFA8EA4199DB7BDEB44200B1045ADD808E7304EA356F00DB91

Function 01085A73 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a33316f76f48e2d1fddfd42aabc7b03e0da882b3132b4c288a0daceab6bd3bd4
Instruction ID: efe869c9511f88b6375d90f9adfaea6fbcec265e24779602c62891dc9e91b62e
Opcode Fuzzy Hash: a33316f76f48e2d1fddfd42aabc7b03e0da882b3132b4c288a0daceab6bd3bd4
Instruction Fuzzy Hash: 97D0123670C001C5EB517565BC492EFB3A3E7C0225F19C077D7D792406E63390168E15

Function 010808A0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aabd5620d9836f6462feb826b6dff0dcf295ed223a11a5701017a8cfee8bcd98
Instruction ID: 903864d5030f708f196725a1fd91dfea560f24002c648759506e0975603e8879
Opcode Fuzzy Hash: aabd5620d9836f6462feb826b6dff0dcf295ed223a11a5701017a8cfee8bcd98
Instruction Fuzzy Hash: 73D0123100E7C4AFCB03A3A0AC120807F6C4E0722936A04C7E088CA063C54E184ACBA1

Function 063CEB60 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2420461350.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_63b0000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a0c5cd9ffb3dd4c6bcd297394c455439b958d1e69b5e5f099a5fcaed1520d5
Instruction ID: c1a98d92fcb24ecbaa916f1f99e0f202b21adb72df98caced2ce78cdc44e4982
Opcode Fuzzy Hash: c3a0c5cd9ffb3dd4c6bcd297394c455439b958d1e69b5e5f099a5fcaed1520d5
Instruction Fuzzy Hash: 6EC08C3009FB048AC29012546009370BAACD703322F445905700E00D224A614814E3F6

Function 01087DD0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f97e814b1841683155a1a4ae377f724125f922ce93084bbf18bc08f51657cf45
Instruction ID: 32f6f9f684cfafb36d2348f46aacc5eefa603eab871cfc9f84245e8b3f090bdf
Opcode Fuzzy Hash: f97e814b1841683155a1a4ae377f724125f922ce93084bbf18bc08f51657cf45
Instruction Fuzzy Hash: 9BC09BFF44E2A10FC7036364A4610C43F70BD332313D714D3D144C5862F506060E5352

Function 01080CFB Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49ea92f559cd48960c95c2ceb63e14de72b76b2c4a8fae47ed786c933112ee4a
Instruction ID: f257a49a1b8dfb675dd0da59c264831fcabb99f36ad2834bdf27e840abc3d4c8
Opcode Fuzzy Hash: 49ea92f559cd48960c95c2ceb63e14de72b76b2c4a8fae47ed786c933112ee4a
Instruction Fuzzy Hash: 7BD02231A0C010CFE728AF14C8002DCB3E0BF0934078A48B6DEC3B702AC730A80ACB80

Function 010820C1 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 234d83f54fdbc21452121eca2cf2bc498855aed618c0f7cdf9972178043c0c8c
Instruction ID: 7c793348ebb38a62140c02a072b6773f4f931f7940a527e8987c167374432c0b
Opcode Fuzzy Hash: 234d83f54fdbc21452121eca2cf2bc498855aed618c0f7cdf9972178043c0c8c
Instruction Fuzzy Hash: D9D0C931A002198FCB44EFA4E650BDDB771FF50304F105519E085AB268CB382E06CF50

Function 01080882 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 591fa9daeac8541c397c03e4badc82ee8f0e6ea4fb6973bb3bffc1b41f69dbee
Instruction ID: cbed1aec6576e1f433e1c063c97e513af7bfc2230c8f17af6392d4fabfc580a9
Opcode Fuzzy Hash: 591fa9daeac8541c397c03e4badc82ee8f0e6ea4fb6973bb3bffc1b41f69dbee
Instruction Fuzzy Hash: 30C04C714192804FCF02E720C8549857F74AE63B5431A51C6D481CA462D61A591EE711

Function 010808C0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5d2eb5f56013c3db3f89cd61550f1182162cc2ac2a9210a3aaead4fa4965119
Instruction ID: 4cfbcbd2a315110cd752db062fb299183118fe7f047342443417fce5f137a9de
Opcode Fuzzy Hash: f5d2eb5f56013c3db3f89cd61550f1182162cc2ac2a9210a3aaead4fa4965119
Instruction Fuzzy Hash: 4FC0013040E7C08EDB6387304E1A6963F258F47258B2E84CB8084994A3A15A084ECBB2

Function 01087BB0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f902e23fc7ce3d9d1528d7ce194ff245b57f43220a1619fa4061f41b9470022
Instruction ID: caec16e964ca0302342391d9b48a8726f60663a3aa004972842e79b3eebcc573
Opcode Fuzzy Hash: 0f902e23fc7ce3d9d1528d7ce194ff245b57f43220a1619fa4061f41b9470022
Instruction Fuzzy Hash: C0C002718093858FD3528B34D4A0188BBB0BE532653A995E980818A172D62D9899CB52

Function 0108319F Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 196b7fa86611e8ec9a07d1fa7e8ad4a7ea5232725331e88f895f6cbace4e1d52
Instruction ID: 2b01455de1b68a4031b1441e02e0197a67ba6f8391c98891896881868b4cda86
Opcode Fuzzy Hash: 196b7fa86611e8ec9a07d1fa7e8ad4a7ea5232725331e88f895f6cbace4e1d52
Instruction Fuzzy Hash: DDC00275605214CFD7A9AF20D5687597772BB44305F5081A9858E92794CB359981DF00

Function 010808B0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e85038c28d28d3deeaaa5cf30fa4503b66a374c33fc89e904f70b22843e3d36b
Instruction ID: 119e8d290058c96b50e00322fefa182677f6ac799644cb3fb7e4bc3badc505c9
Opcode Fuzzy Hash: e85038c28d28d3deeaaa5cf30fa4503b66a374c33fc89e904f70b22843e3d36b
Instruction Fuzzy Hash: EE900231045A0C8F495027957809595B75C95465367800492B54D415159A5A645046A5

Function 01083EEB Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b413fd17e41d654df3a3006e12ffc9747bd9fec01a3c3b8b34a3cc354bd889a5
Instruction ID: 7b70d42ae7459b2cbf71cf52b71a6b8c635f8c4e5d3410a9202ab3fd1ae26b79
Opcode Fuzzy Hash: b413fd17e41d654df3a3006e12ffc9747bd9fec01a3c3b8b34a3cc354bd889a5
Instruction Fuzzy Hash: 61B09B708451168BC7748F14D504798B5F09704300F0080F7555DD1A50E6350940AF10

Function 01085C24 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2373611295.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1080000_Value.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 364f16adbb8cc0a34b92d1e72ce74f8527620ee1705922623f205eef625b1eb3
Instruction ID: dfa6602e971c15d3aa3599edfdcdd33dd62e35572073cdc556340a3108931adb
Opcode Fuzzy Hash: 364f16adbb8cc0a34b92d1e72ce74f8527620ee1705922623f205eef625b1eb3
Instruction Fuzzy Hash: 74A011B88082008BC380AA20E0C832CBAB0AB08200F208022A0C28AA08CA3800C0CB00

Non-executed Functions

Function 04D7ABC2 Relevance: 5.1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

Strings

8, xrefs: 04D7A41D
(, xrefs: 04D7B239
:, xrefs: 04D7A3F8
+, xrefs: 04D7ABD4

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID: ($+$8$:
API String ID: 0-2044610021
Opcode ID: 37b7d8246bc520868951572b8e5fb0da381672468bce8ef2742e6ff35c45762d
Instruction ID: 5a70e3833fc9af91e9e26efb12cb460f12f488f9f480b8cc8b7273272be767f2
Opcode Fuzzy Hash: 37b7d8246bc520868951572b8e5fb0da381672468bce8ef2742e6ff35c45762d
Instruction Fuzzy Hash: C931DF70941268CFDB60CF68D888BADBBB1BB46304F8084EAD409B7640EB756AC5CF15

Function 04D7A44E Relevance: 5.1, Strings: 4, Instructions: 58COMMON

Download Yara Rule

Strings

8, xrefs: 04D7A41D
0, xrefs: 04D7B605
:, xrefs: 04D7A3F8
", xrefs: 04D7B5DF

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID: "$0$8$:
API String ID: 0-3399400504
Opcode ID: b0019103c0d428067f179c33f16dbc0c115ed4b57ba66b947641b1a015ce4580
Instruction ID: e95398159ceddf11a3393b1c39d0ff0eb9647f8a1519d0b234e7faaa30aa02da
Opcode Fuzzy Hash: b0019103c0d428067f179c33f16dbc0c115ed4b57ba66b947641b1a015ce4580
Instruction Fuzzy Hash: 6721BE709012A8CFDB61CF69C888BACBBB1BB49304F4084D6D409B7740EB75AAC4CF15

Function 04D7B4F8 Relevance: 5.1, Strings: 4, Instructions: 55COMMON

Download Yara Rule

Strings

1, xrefs: 04D7B51D
8, xrefs: 04D7A41D
6, xrefs: 04D7B546
:, xrefs: 04D7A3F8

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID: 1$6$8$:
API String ID: 0-334024651
Opcode ID: 2ca2d7dd09f772fb136d38abb72865528aaf43fbfcf05b3d2d7b39d718905708
Instruction ID: 15787719fb895ffe8572def78eac861aacc82784481299fb448cac006f76dc46
Opcode Fuzzy Hash: 2ca2d7dd09f772fb136d38abb72865528aaf43fbfcf05b3d2d7b39d718905708
Instruction Fuzzy Hash: 15219A70A01268CFDB61CF68D888B9DB7B1BB49305F4084E6D409B7740EB75AAC9CF15

Function 04D7A5B3 Relevance: 5.1, Strings: 4, Instructions: 51COMMON

Download Yara Rule

Strings

8, xrefs: 04D7A41D
0, xrefs: 04D7B605
:, xrefs: 04D7A3F8
", xrefs: 04D7B5DF

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID: "$0$8$:
API String ID: 0-3399400504
Opcode ID: 539628fe77ccca6bb77308a326eaee51282432c8c17a34bf333c649ef94195b7
Instruction ID: 8309ab3959492254d797cac311c3320a1cb7b0b2d2a83c2b360348652f79267a
Opcode Fuzzy Hash: 539628fe77ccca6bb77308a326eaee51282432c8c17a34bf333c649ef94195b7
Instruction Fuzzy Hash: CC219CB0901269CFDB61CF59D888BACBBB1BB49309F4084D6D40DB6740E7B5AAC5CF15

Function 04D7B037 Relevance: 5.0, Strings: 4, Instructions: 47COMMON

Download Yara Rule

Strings

3, xrefs: 04D7B037
/, xrefs: 04D7B060
8, xrefs: 04D7A41D
:, xrefs: 04D7A3F8

Memory Dump Source

Source File: 0000000B.00000002.2417497693.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d70000_Value.jbxd

Similarity

API ID:
String ID: /$3$8$:
API String ID: 0-3974735656
Opcode ID: fac42717d5740eec2765adbc18ed8f8620ddf9bccdb3b1094d6273d2f4692f6c
Instruction ID: a81fa25c716d20ff9dd744a91ec568aa5862246829ce567b784a3fa846bd0fe0
Opcode Fuzzy Hash: fac42717d5740eec2765adbc18ed8f8620ddf9bccdb3b1094d6273d2f4692f6c
Instruction Fuzzy Hash: F3219D709402A9CFDB61CF58D888BACB7B1BB49345F8084E6D409B7740E7B56AC5CF15

Analysis Process: InstallUtil.exePID: 1896, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	8.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	78
Total number of Limit Nodes:	8

Executed Functions

Function 02756540 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 027565BE
GetCurrentThread.KERNEL32 ref: 027565FB
GetCurrentProcess.KERNEL32 ref: 02756638
GetCurrentThreadId.KERNEL32 ref: 02756691

Memory Dump Source

Source File: 0000000C.00000002.2552220312.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2750000_InstallUtil.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: b52c870aa4dfc31c04ae65cf93fb54af9aa3feab4821df6055a51bee1811431c
Instruction ID: f17e6d24c8046ec78f46f04ecea4e1dff834f49909e0ecfd53588c62229e3dad
Opcode Fuzzy Hash: b52c870aa4dfc31c04ae65cf93fb54af9aa3feab4821df6055a51bee1811431c
Instruction Fuzzy Hash: 275177B0900209CFDB04DFAAD548BAEFBF5EF88304F208469E449A7350C779A984CB65

Function 0275BFF0 Relevance: 1.7, APIs: 1, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0275C256

Memory Dump Source

Source File: 0000000C.00000002.2552220312.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2750000_InstallUtil.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 72ae1725d24615d8d50b69415c5c177ba44943c5f19852e346d6ba22907f3188
Instruction ID: aba40e38cda45c48135c677d63a52e29a84a336d4ec7cb0c6985c9dbdbc4f1ce
Opcode Fuzzy Hash: 72ae1725d24615d8d50b69415c5c177ba44943c5f19852e346d6ba22907f3188
Instruction Fuzzy Hash: 358154B0A00B558FD725DF29D44475AFBF5BF88704F008A2ED88ACBA40DBB5E845CB90

Function 02757364 Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02757421

Memory Dump Source

Source File: 0000000C.00000002.2552220312.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2750000_InstallUtil.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: fd12366c140bf1bbf296e8c754c38bd5e12dcfebf8efd74b7d3ae94754d0e8d8
Instruction ID: 29b0282ca5ee7ff61938522808eea52fa850b462fdd5c0137825bade557738b8
Opcode Fuzzy Hash: fd12366c140bf1bbf296e8c754c38bd5e12dcfebf8efd74b7d3ae94754d0e8d8
Instruction Fuzzy Hash: 5D41D4B0C00619CFDB29DFA9C844BDEFBB6BF44304F10806AD419AB255DBB56946CF90

Function 02756414 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02757421

Memory Dump Source

Source File: 0000000C.00000002.2552220312.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2750000_InstallUtil.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: abf055079255dc2c88db698a277af1fb9fecc47a2414992f49d45b78608fd262
Instruction ID: eb87c4b414b5a54ee3a8240e7c24eed37496115e3e806d1f4ac1cf0e60a05a41
Opcode Fuzzy Hash: abf055079255dc2c88db698a277af1fb9fecc47a2414992f49d45b78608fd262
Instruction Fuzzy Hash: 7F41B2B0C00619CFDB29DFA9C844B9EFBB5BF45304F20806AD419AB255DBB56945CF90

Function 02756780 Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0275680F

Memory Dump Source

Source File: 0000000C.00000002.2552220312.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2750000_InstallUtil.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4e6bce4a67c01c9b6b0127e33e83d319977830524c4a775c5591d933af26336e
Instruction ID: e975cfaf6f72442d2a083292788d81cb93023ee0b02021f2b479de1b429acd92
Opcode Fuzzy Hash: 4e6bce4a67c01c9b6b0127e33e83d319977830524c4a775c5591d933af26336e
Instruction Fuzzy Hash: F52106B5900258DFDB10CF99D584AEEFBF9FB48310F14802AE914A3350D378A945CFA1

Function 02756788 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0275680F

Memory Dump Source

Source File: 0000000C.00000002.2552220312.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2750000_InstallUtil.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7c694d3b8903932f207da3a63aff46b421ee68ca3f5ab4565a7eab85d6d7a9a9
Instruction ID: d1794e3315fb86f1a60771c935e150de891f2947630cc9f6662ae474181e48a7
Opcode Fuzzy Hash: 7c694d3b8903932f207da3a63aff46b421ee68ca3f5ab4565a7eab85d6d7a9a9
Instruction Fuzzy Hash: 6021C4B59002589FDB10CF9AD984ADEFFF9FB48320F14841AE918A3350D379A944CFA5

Function 0275C1F0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0275C256

Memory Dump Source

Source File: 0000000C.00000002.2552220312.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2750000_InstallUtil.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d27a5df322ef35fad2dc9e7e455fdb9e85a6415ff4dd1fc10d6d4b6601ca708e
Instruction ID: c4c1fb0130f2be9e52d5e9f256f9e3c2392125e5a242e2b3a888c7b78d796aac
Opcode Fuzzy Hash: d27a5df322ef35fad2dc9e7e455fdb9e85a6415ff4dd1fc10d6d4b6601ca708e
Instruction Fuzzy Hash: 2B110FB5C003498FCB10DF9AC444B9FFBF9AB88624F10842AD829A7600C3B9A545CFA1

Function 00CDD4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2549925608.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_cdd000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2800858f329e43386d89aabbd4b6c3c0d058e01d0a9532e4f6d93fbac8615d69
Instruction ID: 39667b88a20650e05d764a5335b16f4f4c1dd985312ca58dcd8cd14fec6cf91e
Opcode Fuzzy Hash: 2800858f329e43386d89aabbd4b6c3c0d058e01d0a9532e4f6d93fbac8615d69
Instruction Fuzzy Hash: 432128B1900204DFCB15DF14E9C0F26BF65FB98318F20856AEA0A0B356D33AD956D7A2

Function 00CED01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2549986498.0000000000CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ced000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 143d2b7c83fe8f30301b3346d3e4bbf3d7215e9dc67d05884a0e09f0947f85a9
Instruction ID: 7ff28ad15f7f968203b0c5229bf5d1f2c65647e030b9b030b4c0095a548447c9
Opcode Fuzzy Hash: 143d2b7c83fe8f30301b3346d3e4bbf3d7215e9dc67d05884a0e09f0947f85a9
Instruction Fuzzy Hash: 4D21F271604284DFCB14DF25D9C4B26BF65FB88314F28C569E90A4B296C33AD807CA62

Function 00CED005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2549986498.0000000000CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ced000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57837b697f10bac818b1f0a8b459cb24bc254e86979b3b5cc24bd7e57c2a17a0
Instruction ID: b12e832e64e8c5015cb4b36d9df506f5a904598f436d060f5b00e88b6e9128be
Opcode Fuzzy Hash: 57837b697f10bac818b1f0a8b459cb24bc254e86979b3b5cc24bd7e57c2a17a0
Instruction Fuzzy Hash: 5E216F755093C08FDB12CF24D994715BF71EB46314F28C5EAD8498F6A7C33A990ACB62

Function 00CDD4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2549925608.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_cdd000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 7c9a8a73ae5963ea275310cd891f54770b827e05957f4479e28c30616f6973de
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: BD11D3B6904240DFCB16CF14D5C4B16BF71FB98314F24C6AAD90A0B356C33AD95ACBA2

Analysis Process: InstallUtil.exePID: 6004, Parent PID: 2408COMMON

Executed Functions

Function 00D304EC Relevance: 1.7, Strings: 1, Instructions: 452COMMON

Download Yara Rule

Strings

8aq, xrefs: 00D30851

Memory Dump Source

Source File: 00000012.00000002.2611656502.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d30000_InstallUtil.jbxd

Similarity

API ID:
String ID: 8aq
API String ID: 0-538729646
Opcode ID: 0328200df617d327b591afd77d9272a6f6c11419142e891411a230280807f6cc
Instruction ID: dda682f7c51125257db8cdc551ae621aa3a46de6ed3f570605664cd68c1417be
Opcode Fuzzy Hash: 0328200df617d327b591afd77d9272a6f6c11419142e891411a230280807f6cc
Instruction Fuzzy Hash: 8BF0A73454A284DFC702DFB8ED5198E7FB49F4720071045DAC448EB262C5745E06CB11

Function 00D30888 Relevance: 1.4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

tP]q, xrefs: 00D30963

Memory Dump Source

Source File: 00000012.00000002.2611656502.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d30000_InstallUtil.jbxd

Similarity

API ID:
String ID: tP]q
API String ID: 0-2175968468
Opcode ID: 8d68aa71059e10a27334a67a5a44a7aa2a5db874c0574b2b52f5bb921f2c3f94
Instruction ID: c43fb80d3e928f69300dffd6671724fd58e39a400fb8563c284906334b17a650
Opcode Fuzzy Hash: 8d68aa71059e10a27334a67a5a44a7aa2a5db874c0574b2b52f5bb921f2c3f94
Instruction Fuzzy Hash: 6E4139347402108FCB58EF78D56892E7BE2BF8971572509A9E806CB3B6DA35DC02CB91

Function 00D30898 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

tP]q, xrefs: 00D30963

Memory Dump Source

Source File: 00000012.00000002.2611656502.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d30000_InstallUtil.jbxd

Similarity

API ID:
String ID: tP]q
API String ID: 0-2175968468
Opcode ID: 6f3df6b516271bc9090871340fb8c1083c3742f712c430f4cebe1b4a56ed09b6
Instruction ID: ca5d8ba226a688b221d7d6bdb68e6971701b6f9fd82299568917d6866e2e24e7
Opcode Fuzzy Hash: 6f3df6b516271bc9090871340fb8c1083c3742f712c430f4cebe1b4a56ed09b6
Instruction Fuzzy Hash: 354137747402108FCB58EF79D56892D7BE6BF8871572509A8E80ACB3B6DA35DC02CB91

Function 00D30A40 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

$]q, xrefs: 00D30A98

Memory Dump Source

Source File: 00000012.00000002.2611656502.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d30000_InstallUtil.jbxd

Similarity

API ID:
String ID: $]q
API String ID: 0-1007455737
Opcode ID: 738e4c64de67ad983f5a7bd3cb5601131214bec3315c5e3fbdb7569ef6bc844a
Instruction ID: 754957607b69e4b7e7371b33b9aeb369d3031a678a52ddec50f6ac2bcfa62514
Opcode Fuzzy Hash: 738e4c64de67ad983f5a7bd3cb5601131214bec3315c5e3fbdb7569ef6bc844a
Instruction Fuzzy Hash: 3C21DE327443119FDB249A7DF8A0A6A7BE9FF84714F18413AD40AD7251DA71DC0287A0

Function 00D30848 Relevance: 1.3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

Strings

8aq, xrefs: 00D30851

Memory Dump Source

Source File: 00000012.00000002.2611656502.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d30000_InstallUtil.jbxd

Similarity

API ID:
String ID: 8aq
API String ID: 0-538729646
Opcode ID: 315db38a26588a12ec35e7eec75572b1856a47b9e44dd83865bcb688797e5a3e
Instruction ID: 5ad21ce62b724fe0d94ba3eed7d3c1aa8e0c53ba1bcba249de3754f1561f3a3f
Opcode Fuzzy Hash: 315db38a26588a12ec35e7eec75572b1856a47b9e44dd83865bcb688797e5a3e
Instruction Fuzzy Hash: 97E01274A0120DEFCB04EFBDEA5195EB7BDEB84244B2086E9D408E7254DA31EF019B95

Function 00A4D508 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2609098197.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a4d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fea090b337ffafe3936e2536af4058c5b78f0ef5c18d3f785cdc36837c73054
Instruction ID: 5d8d05f7cf8721804c9ddea0b7328ad985ab6fb28e66f5b12a5ce238914ab94c
Opcode Fuzzy Hash: 2fea090b337ffafe3936e2536af4058c5b78f0ef5c18d3f785cdc36837c73054
Instruction Fuzzy Hash: 2E213779504204DFCB05DF14D9C0F26BF65FBD8318F24C5A9E9094B25AC73AD816DBA2

Function 00A4D503 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2609098197.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a4d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: b92a546229195560924ca02169dede0dc6be0d799c1bc4a1dbc3916dee9d75d8
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 3A11D376504240DFCB16CF10D5C4B16BF72FB94318F24C5A9D9094B256C336D85ACBA2

Function 00D30A10 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2611656502.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52098a1f254d67b99cc44cc79b0dde6e18f7d0c6c3a4dbea1b9dee9e5bd209f3
Instruction ID: 52e8fd7d90a4a33d6531e91af51d81fa65af7fce3747aed9b4365011f668c2bd
Opcode Fuzzy Hash: 52098a1f254d67b99cc44cc79b0dde6e18f7d0c6c3a4dbea1b9dee9e5bd209f3
Instruction Fuzzy Hash: DFD0C976B842148FCA04ABB8E96489CB7A4EF8837571006B6E139C72B1EA61D911C622

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Xp7zCcGiGj.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Quasar

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

C:\Users\user\AppData\Local\Temp\E6ikBcGmgYAV.bat

C:\Users\user\AppData\Local\Temp\NexSZleDljOR.bat

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Value.vbs

C:\Users\user\AppData\Roaming\Value.exe

C:\Users\user\AppData\Roaming\Value.exe:Zone.Identifier

\Device\ConDrv

\Device\Null

Static File Info

General

Windows Analysis Report
Xp7zCcGiGj.exe

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre