Edit tour

Windows Analysis Report
system.exe

Overview

General Information

Sample name:	system.exe
Analysis ID:	1552461
MD5:	71f0c1101306ebd89735b734b500fe10
SHA1:	398028832a41b64f1f1b0e865a3cccb922350fb2
SHA256:	246f939789eb66df0dc7cb67c22ebcb8c0cfe4b0ec0f222482da9b2823e9ab32
Tags:	exeuser-ummmyeah
Infos:

Detection

Phemedrone Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Yara detected Generic Stealer

Yara detected Phemedrone Stealer

Yara detected Telegram RAT

Yara detected Telegram Recon

.NET source code references suspicious native API functions

AI detected suspicious sample

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

system.exe (PID: 5700 cmdline: "C:\Users\user\Desktop\system.exe" MD5: 71F0C1101306EBD89735B734B500FE10)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author
system.exe	JoeSecurity_PhemedroneStealer	Yara detected Phemedrone Stealer	Joe Security
system.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
system.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
system.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\Desktop\[US]173.254.250.90-Phemedrone-Report.zip	JoeSecurity_PhemedroneStealer	Yara detected Phemedrone Stealer	Joe Security
C:\Users\user\Desktop\[US]173.254.250.90-Phemedrone-Report.zip	JoeSecurity_GenericStealer_9	Yara detected Generic Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1819285467.0000025216258000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PhemedroneStealer	Yara detected Phemedrone Stealer	Joe Security
00000000.00000002.1819818977.00000252261D0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PhemedroneStealer	Yara detected Phemedrone Stealer	Joe Security
00000000.00000002.1819818977.00000252261D0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_GenericStealer_9	Yara detected Generic Stealer	Joe Security
00000000.00000002.1819285467.0000025216260000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PhemedroneStealer	Yara detected Phemedrone Stealer	Joe Security
00000000.00000002.1819818977.000002522625A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PhemedroneStealer	Yara detected Phemedrone Stealer	Joe Security
00000000.00000002.1819818977.000002522625A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_GenericStealer_9	Yara detected Generic Stealer	Joe Security
00000000.00000000.1739404243.00000252143A2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PhemedroneStealer	Yara detected Phemedrone Stealer	Joe Security
00000000.00000000.1739404243.00000252143A2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1819818977.000002522644F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PhemedroneStealer	Yara detected Phemedrone Stealer	Joe Security
00000000.00000002.1819818977.000002522644F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_GenericStealer_9	Yara detected Generic Stealer	Joe Security
00000000.00000002.1819818977.00000252262CD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PhemedroneStealer	Yara detected Phemedrone Stealer	Joe Security
00000000.00000002.1819818977.00000252262CD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_GenericStealer_9	Yara detected Generic Stealer	Joe Security
00000000.00000002.1819285467.000002521621A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PhemedroneStealer	Yara detected Phemedrone Stealer	Joe Security
00000000.00000002.1819285467.000002521621A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_GenericStealer_9	Yara detected Generic Stealer	Joe Security
00000000.00000002.1819285467.0000025216388000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PhemedroneStealer	Yara detected Phemedrone Stealer	Joe Security
Process Memory Space: system.exe PID: 5700	JoeSecurity_PhemedroneStealer	Yara detected Phemedrone Stealer	Joe Security
Process Memory Space: system.exe PID: 5700	JoeSecurity_GenericStealer_9	Yara detected Generic Stealer	Joe Security
Process Memory Space: system.exe PID: 5700	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author
0.0.system.exe.252143a0000.0.unpack	JoeSecurity_PhemedroneStealer	Yara detected Phemedrone Stealer	Joe Security
0.0.system.exe.252143a0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.system.exe.252143a0000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: system.exe

Avira: detected

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.3% probability

Machine Learning detection for sample

Source: system.exe

Joe Sandbox ML: detected

Source: unknown

HTTPS traffic detected: 172.67.70.233:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: system.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\AARONS\Downloads\Telegram Desktop\Phemedrone Stealer V2.3.2\Phemedrone-Stealer\obj\Debug\system.pdb source: system.exe

Networking

Yara detected Generic Downloader

Source: Yara match	File source: system.exe, type: SAMPLE
Source: Yara match	File source: 0.0.system.exe.252143a0000.0.unpack, type: UNPACKEDPE

Source: global traffic

HTTP traffic detected: GET /v1/ip/geo.json HTTP/1.1Host: get.geojs.ioConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 172.67.70.233 172.67.70.233

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /v1/ip/geo.json HTTP/1.1Host: get.geojs.ioConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: get.geojs.io

Source: system.exe, 00000000.00000002.1819285467.00000252161C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: system.exe, 00000000.00000002.1819818977.00000252262B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: system.exe	String found in binary or memory: https://api.telegram.org/bot
Source: system.exe, 00000000.00000002.1819818977.00000252262B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: system.exe, 00000000.00000002.1819818977.00000252262B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: system.exe, 00000000.00000002.1819818977.00000252262B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: system.exe, 00000000.00000002.1819818977.00000252262B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: system.exe, 00000000.00000002.1819818977.00000252262B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: system.exe, 00000000.00000002.1819818977.00000252262B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: system.exe, 00000000.00000002.1819285467.00000252161C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://get.geojs.io
Source: system.exe, 00000000.00000002.1819285467.00000252161C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://get.geojs.io/v1/ip/geo.json
Source: system.exe	String found in binary or memory: https://get.geojs.io/v1/ip/geo.json)root
Source: system.exe, 00000000.00000002.1819285467.0000025216258000.00000004.00000800.00020000.00000000.sdmp, system.exe, 00000000.00000002.1819285467.000002521621A000.00000004.00000800.00020000.00000000.sdmp, [US]173.254.250.90-Phemedrone-Report.zip.0.dr	String found in binary or memory: https://t.me/
Source: [US]173.254.250.90-Phemedrone-Report.zip.0.dr	String found in binary or memory: https://t.me/TheDyer
Source: system.exe, 00000000.00000002.1819285467.0000025216258000.00000004.00000800.00020000.00000000.sdmp, system.exe, 00000000.00000002.1819285467.000002521621A000.00000004.00000800.00020000.00000000.sdmp, [US]173.254.250.90-Phemedrone-Report.zip.0.dr	String found in binary or memory: https://t.me/freakcodingspot
Source: [US]173.254.250.90-Phemedrone-Report.zip.0.dr	String found in binary or memory: https://t.me/webster480
Source: system.exe, 00000000.00000002.1819818977.00000252262B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: system.exe, 00000000.00000002.1819818977.00000252262B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443

Source: unknown

HTTPS traffic detected: 172.67.70.233:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: C:\Users\user\Desktop\system.exe	Code function: 0_2_00007FFD9B7E6326	0_2_00007FFD9B7E6326
Source: C:\Users\user\Desktop\system.exe	Code function: 0_2_00007FFD9B7E70D2	0_2_00007FFD9B7E70D2
Source: C:\Users\user\Desktop\system.exe	Code function: 0_2_00007FFD9B7F2659	0_2_00007FFD9B7F2659

Source: system.exe

Binary string: ParentProcessId3\Device\LanmanRedirector\

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/2@1/1

Source: C:\Users\user\Desktop\system.exe

File created: C:\Users\user\Desktop\[US]173.254.250.90-Phemedrone-Report.zip

Jump to behavior

Source: C:\Users\user\Desktop\system.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\system.exe	Mutant created: \Sessions\1\BaseNamedObjects\BestStealer

Source: system.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: system.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2152
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6800
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2580
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3872
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6456
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2144
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 784
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3864
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5584
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1176
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 408
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6440
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1724
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3420
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6308
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2552
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6428
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 824
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1252
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2544
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3404
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3832
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6848
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5552
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5116
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1236
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2528
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4856
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2524
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3816
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5108
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2044
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 364
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6396
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5964
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1652
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5484
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 356
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1216
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2508
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5092
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4660
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 776
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 344
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2496
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3788
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1200
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5076
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2488
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6896
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5724
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 324
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 752
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3768
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4196
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2900
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4192
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2036
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5052
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6196
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 736
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3752
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4180
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6276
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5900
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6824
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6756
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2012
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3304
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2004
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1572
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4348
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1136
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 696
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6728
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6296
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7156
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1552
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6596
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5860
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3704
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2064
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5856
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2924
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5816
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7140
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4984
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1104
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2396
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1532
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5408
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4544
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2388
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1956
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6264
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1948
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1084
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7116
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1940
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6680
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4092
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6244
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1932
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3924
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1496
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7096
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 628
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1488
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6224
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 620
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6288

Source: C:\Users\user\Desktop\system.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\system.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\system.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: system.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: system.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: system.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Users\AARONS\Downloads\Telegram Desktop\Phemedrone Stealer V2.3.2\Phemedrone-Stealer\obj\Debug\system.pdb source: system.exe

Source: C:\Users\user\Desktop\system.exe

Code function: 0_2_00007FFD9B7E00AD pushad ; iretd

0_2_00007FFD9B7E00C1

Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\system.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\system.exe	Memory allocated: 25214700000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\system.exe	Memory allocated: 2522E1C0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\system.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\system.exe TID: 1456	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\system.exe TID: 2188	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\system.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\system.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\system.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: system.exe	Binary or memory string: VMware
Source: system.exe	Binary or memory string: Hyper-V Video
Source: system.exe	Binary or memory string: VMware Virtual
Source: system.exe, 00000000.00000002.1818882913.00000252144D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\system.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\system.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\system.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: system.exe, ImportHider.cs	Reference to suspicious API methods: LoadLibrary(dllName)
Source: system.exe, ImportHider.cs	Reference to suspicious API methods: GetProcAddress(intPtr, methodName)
Source: system.exe, LockHelper.cs	Reference to suspicious API methods: Interop.Kernel32.OpenProcess(Interop.ProcessAccessFlags.DuplicateHandle, bInheritHandle: true, (uint)targetPid)

Language, Device and Operating System Detection

Yara detected Telegram Recon

Source: Yara match

File source: system.exe, type: SAMPLE

Source: C:\Users\user\Desktop\system.exe

Queries volume information: C:\Users\user\Desktop\system.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\system.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: system.exe, 00000000.00000002.1821120945.000002522EB4C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\system.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

Stealing of Sensitive Information

Yara detected Generic Stealer

Source: Yara match	File source: 00000000.00000002.1819818977.00000252261D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1819818977.000002522625A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1819818977.000002522644F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1819818977.00000252262CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1819285467.000002521621A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: system.exe PID: 5700, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\Desktop\[US]173.254.250.90-Phemedrone-Report.zip, type: DROPPED

Yara detected Phemedrone Stealer

Source: Yara match	File source: system.exe, type: SAMPLE
Source: Yara match	File source: 0.0.system.exe.252143a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1819285467.0000025216258000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1819818977.00000252261D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1819285467.0000025216260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1819818977.000002522625A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1739404243.00000252143A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1819818977.000002522644F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1819818977.00000252262CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1819285467.000002521621A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1819285467.0000025216388000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: system.exe PID: 5700, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\Desktop\[US]173.254.250.90-Phemedrone-Report.zip, type: DROPPED

Yara detected Telegram RAT

Source: Yara match	File source: system.exe, type: SAMPLE
Source: Yara match	File source: 0.0.system.exe.252143a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1739404243.00000252143A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: system.exe PID: 5700, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\system.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\system.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\system.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml			Jump to behavior
Source: C:\Users\user\Desktop\system.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Remote Access Functionality

Yara detected Generic Stealer

Source: Yara match	File source: 00000000.00000002.1819818977.00000252261D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1819818977.000002522625A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1819818977.000002522644F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1819818977.00000252262CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1819285467.000002521621A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: system.exe PID: 5700, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\Desktop\[US]173.254.250.90-Phemedrone-Report.zip, type: DROPPED

Yara detected Phemedrone Stealer

Source: Yara match	File source: system.exe, type: SAMPLE
Source: Yara match	File source: 0.0.system.exe.252143a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1819285467.0000025216258000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1819818977.00000252261D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1819285467.0000025216260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1819818977.000002522625A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1739404243.00000252143A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1819818977.000002522644F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1819818977.00000252262CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1819285467.000002521621A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1819285467.0000025216388000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: system.exe PID: 5700, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\Desktop\[US]173.254.250.90-Phemedrone-Report.zip, type: DROPPED

Yara detected Telegram RAT

Source: Yara match	File source: system.exe, type: SAMPLE
Source: Yara match	File source: 0.0.system.exe.252143a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1739404243.00000252143A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: system.exe PID: 5700, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	231 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	2 OS Credential Dumping	241 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	2 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	251 Virtualization/Sandbox Evasion	Security Account Manager	251 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	123 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
system.exe	100%	Avira	HEUR/AGEN.1307187
system.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
get.geojs.io	172.67.70.233	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://get.geojs.io/v1/ip/geo.json	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://ac.ecosia.org/autocomplete?q=	system.exe, 00000000.00000002.1819818977.00000252262B2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/chrome_newtab	system.exe, 00000000.00000002.1819818977.00000252262B2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://t.me/	system.exe, 00000000.00000002.1819285467.0000025216258000.00000004.00000800.00020000.00000000.sdmp, system.exe, 00000000.00000002.1819285467.000002521621A000.00000004.00000800.00020000.00000000.sdmp, [US]173.254.250.90-Phemedrone-Report.zip.0.dr	false	high
https://get.geojs.io/v1/ip/geo.json)root	system.exe	false	high
https://duckduckgo.com/ac/?q=	system.exe, 00000000.00000002.1819818977.00000252262B2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://t.me/freakcodingspot	system.exe, 00000000.00000002.1819285467.0000025216258000.00000004.00000800.00020000.00000000.sdmp, system.exe, 00000000.00000002.1819285467.000002521621A000.00000004.00000800.00020000.00000000.sdmp, [US]173.254.250.90-Phemedrone-Report.zip.0.dr	false	high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	system.exe, 00000000.00000002.1819818977.00000252262B2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	system.exe	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	system.exe, 00000000.00000002.1819818977.00000252262B2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://get.geojs.io	system.exe, 00000000.00000002.1819285467.00000252161C1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://t.me/TheDyer	[US]173.254.250.90-Phemedrone-Report.zip.0.dr	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	system.exe, 00000000.00000002.1819818977.00000252262B2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	system.exe, 00000000.00000002.1819818977.00000252262B2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/	system.exe, 00000000.00000002.1819818977.00000252262B2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	system.exe, 00000000.00000002.1819285467.00000252161C1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	system.exe, 00000000.00000002.1819818977.00000252262B2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://t.me/webster480	[US]173.254.250.90-Phemedrone-Report.zip.0.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.70.233	get.geojs.io	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1552461
Start date and time:	2024-11-08 20:02:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	system.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/2@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 67% Number of executed functions: 102 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, sls.update.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
Execution Graph export aborted for target system.exe, PID 5700 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: system.exe

Simulations

Behavior and APIs

Time	Type	Description
14:03:12	API Interceptor	1x Sleep call for process: system.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
172.67.70.233	upd.ps1	Get hash	malicious	Phemedrone Stealer	Browse
	DBp7mBJwqD.exe	Get hash	malicious	Phemedrone Stealer	Browse
	https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Fkeyconserv.com%2Fskoda%2FWIA2PParYO43z1bgCVStAX12/ZHVjZXIua2FtZ2FuZ0BjbmVzc3QuZ291di5xYy5jYQ==	Get hash	malicious	Unknown	Browse
	https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Ffilmycurry.in%2Fskoda%2FBxs3IiLfKU2eWewQOro8W1Fa/dGVycmkucm9zYUByYXZlaXMuY29t	Get hash	malicious	Tycoon2FA	Browse
	https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bg%C2%ADloba%C2%ADlproc%C2%ADessi%C2%ADngne%C2%ADtwo%C2%ADrk.%E2%80%8Bne%C2%ADt%2Ffghd%2Fgfjfjfg%2FlZUdcjNeQOlJngwGts6Dr8m3/Y2hhZC5yYXNtdXNlbkB0aGVybW9zeXN0ZW1zLmNvbQ==	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse
	https://www.google.com/url?q=dCSMjVnvsqsqaP8pEWWm&rct=SpPq9HncUaCXUtCZusX0&sa=t&esrc=uZR6jk9A67Rj7RZhLuPE&source=&cd=eh0xIKCKpKh7i4kTt26p&cad=VEVtMkQKVNr1KW4fxShi&ved=NTDACygNXetEDbRT8YiY&uact=%20&url=amp/mithunaads.in/M%2f45043%2FaGFucy5hbmRlcnNvbkBhZy5zdGF0ZS5tbi51cw==	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse
	https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bg%C2%ADloba%C2%ADlproc%C2%ADessi%C2%ADngne%C2%ADtwo%C2%ADrk%2E%E2%80%8Bne%C2%ADt%2Ffghd%2Fgfjfjfg%2FBpORLlSyDHhQozoQ5XBZtBNm/dGhvbHplckByZGd1c2EuY29t	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse
	https://g.page/r/CbPyKO_ogGK3EAg/review	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse
	P09Qwe9fqsKdQIyTGnGxNs8xS[1]	Get hash	malicious	Tycoon2FA	Browse
	vm AUDIO_QzOXYQIfIQZ VOICE September 11th, 2024 attachment.html	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
get.geojs.io	B6EGeOHEFm.exe	Get hash	malicious	Phemedrone Stealer	Browse	104.26.1.100
	Q60ZbERXWZ.exe	Get hash	malicious	Phemedrone Stealer	Browse	104.26.1.100
	nuVM6HVKRG.exe	Get hash	malicious	Phemedrone Stealer	Browse	104.26.1.100
	XCubQJqiz7.exe	Get hash	malicious	Phemedrone Stealer	Browse	104.26.1.100
	upd.ps1	Get hash	malicious	Phemedrone Stealer	Browse	172.67.70.233
	WDSecureUtil.exe	Get hash	malicious	Phemedrone Stealer	Browse	104.26.1.100
	DBp7mBJwqD.exe	Get hash	malicious	Phemedrone Stealer	Browse	172.67.70.233
	nuVM6HVKRG.exe	Get hash	malicious	Phemedrone Stealer	Browse	104.26.1.100
	pdLBHF2jCE.exe	Get hash	malicious	Phemedrone Stealer	Browse	104.26.1.100
	file.exe	Get hash	malicious	Unknown	Browse	104.26.0.100

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	INVOICE DUE.xlsx	Get hash	malicious	Unknown	Browse	104.18.95.41
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar, XWorm	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.96.3
	INVOICE DUE.xlsx	Get hash	malicious	Unknown	Browse	172.67.186.149
	s6QYhBcJtc.exe	Get hash	malicious	Stealc	Browse	172.64.41.3
	KC0uZWwr8p.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	104.26.0.231
	KC0uZWwr8p.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	104.26.0.231
	72BF1aHUKl.msi	Get hash	malicious	NetSupport RAT	Browse	172.67.68.212
	https://nleco-my.sharepoint.com/:u:/p/smartin/EYZSur4py4xKna-WAI8lgIkBS_KVLZwaA2d1wGxZA5Gdvw?e=wwT7sT	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.18.95.41
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	pago de PEDIDO PROFORMA.exe	Get hash	malicious	AgentTesla	Browse	172.67.70.233
	fatura.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	172.67.70.233
	bG2aSZYhDR.bat	Get hash	malicious	Unknown	Browse	172.67.70.233
	http://heptagon-olive-l8hr.squarespace.com	Get hash	malicious	Unknown	Browse	172.67.70.233
	MJ5bO7kS7j.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	172.67.70.233
	TtyCIqbov8.exe	Get hash	malicious	AgentTesla	Browse	172.67.70.233
	XyXm15NU2A.exe	Get hash	malicious	AgentTesla	Browse	172.67.70.233
	asegurar.vbs	Get hash	malicious	Remcos	Browse	172.67.70.233
	segura.vbs	Get hash	malicious	AsyncRAT, DcRat	Browse	172.67.70.233
	kChWJJNUHz.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.70.233

Process:	C:\Users\user\Desktop\system.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1498
Entropy (8bit):	5.364175471524945
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNCsXE4Np51qE4GIs0E4KD:MxHKQwYHKGSI6oPtHTHhAHKKkhHNp51D
MD5:	E2774E2BF883B32568ECD81B00874EA6
SHA1:	2795932EB8688D83408744639E31A1C762EF38B0
SHA-256:	3FFE8448DE5543D790B107D8B4B132C1C2F16E333CB4C6BD03849809394DA8C3
SHA-512:	0A60DBD6D41624A89317BDED6378395C52CBEC531C26904678623B263DAE957BB09A252496E47695A1C5C52E46E877B320D6596F2C936BEE97394A5DCA5D5B8A
Malicious:	true
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Managemen

C:\Users\user\Desktop\[US]173.254.250.90-Phemedrone-Report.zip

Download File

Process:	C:\Users\user\Desktop\system.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	706224
Entropy (8bit):	7.928818843902802
Encrypted:	false
SSDEEP:	12288:jHZktCafs5ubSBzZCvQTo3NRzBWobuMJNEGwXGWplh2pF/jmNI5:jH+CfeS+QTo9moZvQXyp7
MD5:	E58ADE73162B26C1D1D1D48E17CDA4AC
SHA1:	8D6124BE2E2E1A69AA0D2EDA129C4A79F68DF41C
SHA-256:	FA849BA2CF7C18BC6F0785411F7FD54099642DE2582E0F2A1F23402E3FB6BD55
SHA-512:	AE99FF052E1A6FF5A899A5E6E904549FBA6C355C7C48803F6D41AC4C00E8CDBF2101F1C90D0AD232584309BDAB603CED9071EA2FF12D80FEC34F2244FC8AE8D3
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: C:\Users\user\Desktop\[US]173.254.250.90-Phemedrone-Report.zip, Author: Joe Security Rule: JoeSecurity_GenericStealer_9, Description: Yara detected Generic Stealer, Source: C:\Users\user\Desktop\[US]173.254.250.90-Phemedrone-Report.zip, Author: Joe Security
Reputation:	low
Preview:	PK........cphY..e*#...#...(.H.Browser Data/Chrome/Cookies[Default].txt.. ................................... ..........A...2...A...2...A...2...google.com.TRUE./.FALSE.13356618603686193.NID.511=j8SQUTltnVU5cOAeyzqSxW-qHOakRuBHDQGLTGeceC9Z5rRzk5trMKb4CuZC_CFmc7KFwQcRJL-qGz8MvkkzMZmElvXAFWLO-TPZ9PMqBYA78ZAuaepnXIRHe-TAolVoW6Z7dQnqpgyX0m-TmS72bebAgoqZv5GkpRFUcZIw1Kk..support.microsoft.com.FALSE./.FALSE.13340887435186329..AspNetCore.AuthProvider.True..support.microsoft.com.FALSE./signin-oidc.FALSE.13340887735359381..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.N..support.microsoft.com.FALSE./signin-oidc.FALSE.13340887735359334..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkHB6alahUr8qJ7G_3AejtooymTWCzyO89hshJeX8Gh78kohbIw0IQY4v6LZriT4P2fGeBSMjrvqODB4H_bs2nbfsSfL7aN-SiX4Yyn3iFo5fv-Rsj0cGE-FFrP1uXNT7Y1VSMOfm-L0RnS8.N..support.office.com.FALSE./.FA

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.828382353341438
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	system.exe
File size:	131'072 bytes
MD5:	71f0c1101306ebd89735b734b500fe10
SHA1:	398028832a41b64f1f1b0e865a3cccb922350fb2
SHA256:	246f939789eb66df0dc7cb67c22ebcb8c0cfe4b0ec0f222482da9b2823e9ab32
SHA512:	80497083cd21b2ae986c80378f30c6d3ad597a5720c776de5abc51ff732a8b566e0f7ae7f7f91c868443e17a1b60f1b0bfb54fa9eb3de37b4ab7454b6cffba25
SSDEEP:	3072:4KkwPHTgqHc/nREvhnQ78e5S+wbDwEKT3uj9E0G:o6z5HVpQ89gEK/0
TLSH:	CFD34A6973FC4A45E0BF5B7DECB50A088BB1F8269E12EB4D998054D82FB17814D14B73
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....[.g.........."...0.................. ... ....@.. .......................`............`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4214b2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x672E5B86 [Fri Nov 8 18:42:14 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
push eax
dec ebx
add dword ptr [edx], eax
pop ss
or edx, dword ptr [eax+eax]
add byte ptr [ecx], al
add al, byte ptr [ebx]
add al, 06h
or byte ptr [eax], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x21460	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x22000	0x5cc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x24000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x21328	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1f500	0x1f600	c19250d4b1796e7ec62e927c931ec243	False	0.440418015438247	OpenPGP Secret Key Version 2	5.863692514332038	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x22000	0x5cc	0x600	35a37805ae555a1f327094fc173dc401	False	0.423828125	data	4.122477294185535	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x24000	0xc	0x200	0fad3046136b42da9982803d8403d9b3	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x22090	0x33c	data			0.4251207729468599
RT_MANIFEST	0x223dc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 8, 2024 20:03:06.728558064 CET	49731	443	192.168.2.4	172.67.70.233
Nov 8, 2024 20:03:06.728578091 CET	443	49731	172.67.70.233	192.168.2.4
Nov 8, 2024 20:03:06.728658915 CET	49731	443	192.168.2.4	172.67.70.233
Nov 8, 2024 20:03:06.749566078 CET	49731	443	192.168.2.4	172.67.70.233
Nov 8, 2024 20:03:06.749581099 CET	443	49731	172.67.70.233	192.168.2.4
Nov 8, 2024 20:03:07.365200996 CET	443	49731	172.67.70.233	192.168.2.4
Nov 8, 2024 20:03:07.365447998 CET	49731	443	192.168.2.4	172.67.70.233
Nov 8, 2024 20:03:07.372473955 CET	49731	443	192.168.2.4	172.67.70.233
Nov 8, 2024 20:03:07.372490883 CET	443	49731	172.67.70.233	192.168.2.4
Nov 8, 2024 20:03:07.372803926 CET	443	49731	172.67.70.233	192.168.2.4
Nov 8, 2024 20:03:07.425544977 CET	49731	443	192.168.2.4	172.67.70.233
Nov 8, 2024 20:03:07.428431034 CET	49731	443	192.168.2.4	172.67.70.233
Nov 8, 2024 20:03:07.471335888 CET	443	49731	172.67.70.233	192.168.2.4
Nov 8, 2024 20:03:07.649432898 CET	443	49731	172.67.70.233	192.168.2.4
Nov 8, 2024 20:03:07.649552107 CET	443	49731	172.67.70.233	192.168.2.4
Nov 8, 2024 20:03:07.649631977 CET	49731	443	192.168.2.4	172.67.70.233
Nov 8, 2024 20:03:07.701802015 CET	49731	443	192.168.2.4	172.67.70.233

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 8, 2024 20:03:06.714061975 CET	64545	53	192.168.2.4	1.1.1.1
Nov 8, 2024 20:03:06.722290039 CET	53	64545	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 8, 2024 20:03:06.714061975 CET	192.168.2.4	1.1.1.1	0xa52a	Standard query (0)	get.geojs.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 8, 2024 20:03:06.722290039 CET	1.1.1.1	192.168.2.4	0xa52a	No error (0)	get.geojs.io	172.67.70.233	A (IP address)	IN (0x0001)	false
Nov 8, 2024 20:03:06.722290039 CET	1.1.1.1	192.168.2.4	0xa52a	No error (0)	get.geojs.io	104.26.0.100	A (IP address)	IN (0x0001)	false
Nov 8, 2024 20:03:06.722290039 CET	1.1.1.1	192.168.2.4	0xa52a	No error (0)	get.geojs.io	104.26.1.100	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

get.geojs.io

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	172.67.70.233	443	5700	C:\Users\user\Desktop\system.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-08 19:03:07 UTC	76	OUT	GET /v1/ip/geo.json HTTP/1.1 Host: get.geojs.io Connection: Keep-Alive
2024-11-08 19:03:07 UTC	1093	IN	HTTP/1.1 200 OK Date: Fri, 08 Nov 2024 19:03:07 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-request-id: 2a8c817a14b79f35667f2f2a705fd844-ASH strict-transport-security: max-age=15552000; includeSubDomains; preload access-control-allow-origin: * access-control-allow-methods: GET pragma: no-cache Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 geojs-backend: ash-01 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8S72YUixczGgTwAM5A0TZ0xNzqVRnWnR37JxjiFEZBgFc9zdWvr4cdULDS02vEvUVxocmGF7Y8gX7EbnjrjsIBwYrs2EWpqOocJlWpNpaLCNgzCF%2B8mh1lmDpzAHqQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 8df7d23fd8d9e79a-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1945&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2818&recv_bytes=690&delivery_rate=1459677&cwnd=251&unsent_bytes=0&cid=8012252b46e2ce6e&ts=297&x=0"
2024-11-08 19:03:07 UTC	276	IN	Data Raw: 31 35 66 0d 0a 7b 22 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 5f 6e 61 6d 65 22 3a 22 41 53 4e 2d 51 55 41 44 52 41 4e 45 54 2d 47 4c 4f 42 41 4c 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 33 22 3a 22 55 53 41 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 22 4e 41 22 2c 22 72 65 67 69 6f 6e 22 3a 22 54 65 78 61 73 22 2c 22 6c 61 74 69 74 75 64 65 22 3a 22 33 31 2e 30 30 36 35 22 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 22 2d 39 37 2e 38 34 30 36 22 2c 22 61 63 63 75 72 61 63 79 22 3a 32 30 2c 22 61 73 6e 22 3a 38 31 30 30 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 5c 2f 43 68 69 63 61 67 6f 22 2c 22 61 72 65 61 5f 63 6f 64 65 22 3a 22 30 22 2c 22 6f 72 67 61 6e 69 7a 61 74 Data Ascii: 15f{"organization_name":"ASN-QUADRANET-GLOBAL","country_code":"US","country_code3":"USA","continent_code":"NA","region":"Texas","latitude":"31.0065","longitude":"-97.8406","accuracy":20,"asn":8100,"timezone":"America\/Chicago","area_code":"0","organizat
2024-11-08 19:03:07 UTC	82	IN	Data Raw: 52 41 4e 45 54 2d 47 4c 4f 42 41 4c 22 2c 22 69 70 22 3a 22 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 30 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 69 74 79 22 3a 22 4b 69 6c 6c 65 65 6e 22 7d 0a 0d 0a Data Ascii: RANET-GLOBAL","ip":"173.254.250.90","country":"United States","city":"Killeen"}
2024-11-08 19:03:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	14:03:05
Start date:	08/11/2024
Path:	C:\Users\user\Desktop\system.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\system.exe"
Imagebase:	0x252143a0000
File size:	131'072 bytes
MD5 hash:	71F0C1101306EBD89735B734B500FE10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000000.00000002.1819285467.0000025216258000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000000.00000002.1819818977.00000252261D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericStealer_9, Description: Yara detected Generic Stealer, Source: 00000000.00000002.1819818977.00000252261D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000000.00000002.1819285467.0000025216260000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000000.00000002.1819818977.000002522625A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericStealer_9, Description: Yara detected Generic Stealer, Source: 00000000.00000002.1819818977.000002522625A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000000.00000000.1739404243.00000252143A2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000000.1739404243.00000252143A2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000000.00000002.1819818977.000002522644F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericStealer_9, Description: Yara detected Generic Stealer, Source: 00000000.00000002.1819818977.000002522644F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000000.00000002.1819818977.00000252262CD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericStealer_9, Description: Yara detected Generic Stealer, Source: 00000000.00000002.1819818977.00000252262CD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000000.00000002.1819285467.000002521621A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericStealer_9, Description: Yara detected Generic Stealer, Source: 00000000.00000002.1819285467.000002521621A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000000.00000002.1819285467.0000025216388000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Function 00007FFD9B7F2659 Relevance: .5, Instructions: 536COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85b9266675199e8e6627c1aab6c19404d9dfb274ced41762297617b369807482
Instruction ID: fcf0f3c5797e8ccb517463c49a19915ce9b43e4b2594c6276160f84e7e8398f9
Opcode Fuzzy Hash: 85b9266675199e8e6627c1aab6c19404d9dfb274ced41762297617b369807482
Instruction Fuzzy Hash: BC22C670E15A2D8EDBA8DB6888647A9B7B1FF58306F5001FE910DE32A1DB755AC0CF44

Function 00007FFD9B7E6326 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33d3dae5510fbb9e4568477ce7e41afa7822e3d645d9c617931bc175c8694adb
Instruction ID: c9c86a61e2a368e791b3d11132640076adffd273858fc463a2c928790f612431
Opcode Fuzzy Hash: 33d3dae5510fbb9e4568477ce7e41afa7822e3d645d9c617931bc175c8694adb
Instruction Fuzzy Hash: 7CF1C530A09A8D8FEBA8DF28C8557E937E1FF55310F04426EE85DC72A5DB34E9458B81

Function 00007FFD9B7E70D2 Relevance: .5, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb977f1e27ff38956fe8df881d857316b090116040fda93d399941b039ae475
Instruction ID: ae19b256ff1862996b44a9ff247cfbb440a72a463fd7fd31c4edbe0e0a02fce6
Opcode Fuzzy Hash: 8bb977f1e27ff38956fe8df881d857316b090116040fda93d399941b039ae475
Instruction Fuzzy Hash: 63E1D430A09A8D8FEBA8DF28C8557E977E1FF54310F14426EE84DC72A5DF74A9418B81

Function 00007FFD9B7E8D20 Relevance: 1.4, Strings: 1, Instructions: 168COMMON

Download Yara Rule

Strings

KDBM, xrefs: 00007FFD9B7FDD27

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID: KDBM
API String ID: 0-3504354710
Opcode ID: 0a2a56bd5cb48be182631e13e69746668893f789f6f6bbe6f5db14b9563c14c4
Instruction ID: bbbceb2583e84c2170816846d28cf5deb2e17b68c1b84eff09df3b22f964ae73
Opcode Fuzzy Hash: 0a2a56bd5cb48be182631e13e69746668893f789f6f6bbe6f5db14b9563c14c4
Instruction Fuzzy Hash: 65514170E1964C8FDB54EFA8C8A5AEDBBF1FF59300F5001AED449A7292CA346941CB42

Function 00007FFD9B7ECCAD Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

WM_H, xrefs: 00007FFD9B7ECD71

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID: WM_H
API String ID: 0-1257799341
Opcode ID: d460856775af2d124505facd440ed2385a416da1c24b840778179dc61053bf69
Instruction ID: c23650e29ae93d66be377a2f56d05a3cd3de3156356b46c89e1c427f81c75416
Opcode Fuzzy Hash: d460856775af2d124505facd440ed2385a416da1c24b840778179dc61053bf69
Instruction Fuzzy Hash: AB41E470D0E6CD5FDB52DBB488659EDBFB0EF5A300F0905EAE088E72B2CA286545C751

Function 00007FFD9B7F426A Relevance: .6, Instructions: 589COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43550fbd49c00f383f0c648494d289238c5c853ea896fa8f47b3e2774faf0df5
Instruction ID: 392e445408b9462b502f200f05d807dc26a4d962381fb2b5b51785e3f98f71d4
Opcode Fuzzy Hash: 43550fbd49c00f383f0c648494d289238c5c853ea896fa8f47b3e2774faf0df5
Instruction Fuzzy Hash: AF32FE34A1561E8FDB65EF58C894BE9B7F1FF58300F1042A9D40DE72A5DA34AA81CF40

Function 00007FFD9B7ED6BD Relevance: .5, Instructions: 470COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60c52dc3335ce3015dd055f85f3b998dc32b63fc727e78189a008e20cd310ac5
Instruction ID: 17b6a5b5b91c748e89a8f5f44b10095ce7f3a538e95dffb9a17b2480c713877e
Opcode Fuzzy Hash: 60c52dc3335ce3015dd055f85f3b998dc32b63fc727e78189a008e20cd310ac5
Instruction Fuzzy Hash: A802BA7090961D8FDBA5EF58C8A4BEDB7B1FF58300F5041A9D00EE72A5DA35A985CF40

Function 00007FFD9B7E8CD0 Relevance: .4, Instructions: 417COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de4ad97de51c92798d098b8e3160992a6fd35b1dec02fbbe909fe00d34d021ec
Instruction ID: 668b8d384c949a8d70fa5c22ae7134cb57cb1b8413aa1dcd48b13732dbb78143
Opcode Fuzzy Hash: de4ad97de51c92798d098b8e3160992a6fd35b1dec02fbbe909fe00d34d021ec
Instruction Fuzzy Hash: 8CF13E70E0961D8FDB58EFA8C495AEDB7B1FF58304F1041A9D01EE72A6DB34A981CB40

Function 00007FFD9B7E9095 Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90416509d50f1d4be158dbefd4b7fe16815aa4b37066ae7c9c58818104bc323e
Instruction ID: c7359866908c0ffd09ce59070426248370881b7330011af475aad59d0f63b7f1
Opcode Fuzzy Hash: 90416509d50f1d4be158dbefd4b7fe16815aa4b37066ae7c9c58818104bc323e
Instruction Fuzzy Hash: F8D17570A1891D8FDF94EF58C899BA9B7F1FB68301F1041AAD00DE7661DB75AA81CF40

Function 00007FFD9B7E6CE6 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d81dddff7da57afd032937b65f7e13dfe37d616e9275eca60f620087e0563215
Instruction ID: d3363a5f6664a689b1b2f5867f3683dc843ae80edba753b1e747f575558f3d72
Opcode Fuzzy Hash: d81dddff7da57afd032937b65f7e13dfe37d616e9275eca60f620087e0563215
Instruction Fuzzy Hash: 87B1C630609B8D8FDB68DF28C8557E93BE1FF55310F04426EE84DC72A2CA34A945CB82

Function 00007FFD9B7F5100 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2836562e2ddfdc23164ae402d1c4800944a0576c891ae81d504ebfb64458263d
Instruction ID: 5dc13bf53f13e02428e9e0d06d944054150032a9c31ae006596a9724f398e3c0
Opcode Fuzzy Hash: 2836562e2ddfdc23164ae402d1c4800944a0576c891ae81d504ebfb64458263d
Instruction Fuzzy Hash: D1C15F70E0961E8FDB18DF94C4A4AFDBBB2FF58304F20426DD41AA72A5CA35A941CB54

Function 00007FFD9B7E0680 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9cf9dae016078406f6d3bf4f7dd61a05b70ffe5d3bd5c876d93e9fe68e9edf5
Instruction ID: bb16d6a66a7bbe1570e02ec3090c6515cc5eeea97c4a5c482639f3730cde2398
Opcode Fuzzy Hash: e9cf9dae016078406f6d3bf4f7dd61a05b70ffe5d3bd5c876d93e9fe68e9edf5
Instruction Fuzzy Hash: F4B1B274A04A1C8FCF98EF58C894BA977F1FF69301F1101A9E44EE72A1CB74A985CB40

Function 00007FFD9B7F5F89 Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f023d58220759604bf2b6ea942fda7fd50c24c1b2fca3ba4b5149a961af4516
Instruction ID: 49962fbe72ef6c206e2507f742687f9ee9da7472eaf4b8c45314bd10b8ec7293
Opcode Fuzzy Hash: 0f023d58220759604bf2b6ea942fda7fd50c24c1b2fca3ba4b5149a961af4516
Instruction Fuzzy Hash: 7CB1E030E0961D8FDF64EF58C895AEDB7B1FF58305F1042A9D41D972A5CA34A981CF84

Function 00007FFD9B7EA8E9 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 471f883bc806f5a70b04c19430376ac673294685f56a952afda6f2d55364664b
Instruction ID: a784c1e2341e0cb95d7aa1f52bfe9c43cb81da0ba240f1887eb1eead996cc0d5
Opcode Fuzzy Hash: 471f883bc806f5a70b04c19430376ac673294685f56a952afda6f2d55364664b
Instruction Fuzzy Hash: CC710D72B0DF0D4FEBA89A6C946967977D1EFE8751705027AD40EC32B6EE14AD038381

Function 00007FFD9B7E9AC8 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2d723f85688d17d94c9a7090281fd31f408bd0f6a0b1199a7ea567b508dcdca
Instruction ID: 634d4831b3b58ca6f03f679bb9e9fa919e2ecf3b06e41189dda9bbdfee778dd9
Opcode Fuzzy Hash: e2d723f85688d17d94c9a7090281fd31f408bd0f6a0b1199a7ea567b508dcdca
Instruction Fuzzy Hash: E571193171DF4A0FE7689A5CA8529B577D1EF9531070502BED48EC72B7DD25F8428381

Function 00007FFD9B7E8D00 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 873deab598cb11da3887e71a418cffc1a29544bf63749542074edd996b0ad5c6
Instruction ID: 717974579ed1c136b29f30e55d43b306d88183178ba965efa20637a82b084867
Opcode Fuzzy Hash: 873deab598cb11da3887e71a418cffc1a29544bf63749542074edd996b0ad5c6
Instruction Fuzzy Hash: 9FA1FF70A19A5D8FDBA4EF68C855BADBBF1FF58301F5041A9D40DE32A1CA34A981CB40

Function 00007FFD9B7EBDE5 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d496fc26623f3cb8c956b66b39c18b7b44b810c6394d6dbb34cf6037112cf96
Instruction ID: 3b86dd3c821660ff8c12c792145e0e30bae15aa38464eedc2a0f15d5e97d9d62
Opcode Fuzzy Hash: 8d496fc26623f3cb8c956b66b39c18b7b44b810c6394d6dbb34cf6037112cf96
Instruction Fuzzy Hash: BC811E70E1565D8FDB58DFA8C895AEDBBB1FF58301F4041AAD019E72A5DE346841CB40

Function 00007FFD9B7E0490 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b98cd166fcca1bbe726fec836b9e9b8cbeecc42e9a0fe15ac28db4157c0e031
Instruction ID: c0db11fc3ce3efc633db71279b2a5b665b0f2f89e5da06d64fb7db3f5f615ffc
Opcode Fuzzy Hash: 8b98cd166fcca1bbe726fec836b9e9b8cbeecc42e9a0fe15ac28db4157c0e031
Instruction Fuzzy Hash: 2571C670D0EA9D8FDB65DB6884A5BADBFF1EF55300F4402AED049E72B1CA356845C700

Function 00007FFD9B7ED361 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4020e5ac0147f4feb50e504c4f131d413e491d12e887d696080e087762adae2
Instruction ID: 51432e667f19ac64249e9909b626aa93c49e08e02eb41b5383151093358492e0
Opcode Fuzzy Hash: b4020e5ac0147f4feb50e504c4f131d413e491d12e887d696080e087762adae2
Instruction Fuzzy Hash: 8A71A271E1965D8FDB54DBA8C8A5AFDBFF0EF59300F0402BAD049E72A2CA386541CB51

Function 00007FFD9B7F0C69 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e204003cbfcdf79eb352c5e5d07863da82640c251e5455f11b68c16ff750330
Instruction ID: 633038ccbb2bf02d7f2a7cb57a169d889c3d87c49fa7402b686aa2c11a168f76
Opcode Fuzzy Hash: 5e204003cbfcdf79eb352c5e5d07863da82640c251e5455f11b68c16ff750330
Instruction Fuzzy Hash: A8714A70E09A5C8FDBA4DFA8C8A4BECBBF1EF59700F1101A9D04DE72A1CA356941CB44

Function 00007FFD9B7EF5B5 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0f318e1607b7edf79936aebcd412331dc588434a8ba2c93ba225542c3fd6a30
Instruction ID: 6ca0e249ca78749fca7f3cbccb2bf69497d5e3380452c1d5bfe58cebb85aafe6
Opcode Fuzzy Hash: b0f318e1607b7edf79936aebcd412331dc588434a8ba2c93ba225542c3fd6a30
Instruction Fuzzy Hash: CC718371E09A5D8FEBA5DF588895BE9B7B1EF69300F4002F9D04DD72A1DA346A81CF40

Function 00007FFD9B7E3C1C Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 902ada15a27a82a45681e8e23cf77166d2cb78c1320813cdcfb74f551a1c15e1
Instruction ID: d299df9aeddf4f54bdcdb74308ece6b76fa4f851331bfd775b635f5dfaa47b0e
Opcode Fuzzy Hash: 902ada15a27a82a45681e8e23cf77166d2cb78c1320813cdcfb74f551a1c15e1
Instruction Fuzzy Hash: 2D518330908A1C8FDB69DB58D855BE9BBF1FF59310F0082AAD04DD3296DE74A985CF81

Function 00007FFD9B7EB1B9 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa17a84a62b524786169f37b1d7b348a4072a69f76b38ef17a63b4711cdb3fb4
Instruction ID: 8c9f67d2f3dbedcae3db1432b3852d2e6fe9ce9e1d40e42d674f8f50c8c8ac13
Opcode Fuzzy Hash: fa17a84a62b524786169f37b1d7b348a4072a69f76b38ef17a63b4711cdb3fb4
Instruction Fuzzy Hash: BD51F531B1DF4A4BDB689A5894A197977D1EF98310B0102BEE48EC72B7DD24FC068780

Function 00007FFD9B7E8A48 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39e4ae79457fd2d48e4ea9f280577dbcbcb20932ce72fe7a20d93e71395b4616
Instruction ID: 184eeb28040c39537f4715790b23c45a1801120abab0b7ed8fdf248c930437d1
Opcode Fuzzy Hash: 39e4ae79457fd2d48e4ea9f280577dbcbcb20932ce72fe7a20d93e71395b4616
Instruction Fuzzy Hash: 0E515071E09A5D8FDB94DBA8C899AFDBBF1FF58301F10016AD009E72A5CA34A941CB40

Function 00007FFD9B7F3618 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 579552484e1a6f529408273a1c6b203294c4e03f1a62adccd722d90cf5397f2f
Instruction ID: 96ee95def4e895ab89b4b5130245eafcd92b0c59eb374a657f82ef79338125f9
Opcode Fuzzy Hash: 579552484e1a6f529408273a1c6b203294c4e03f1a62adccd722d90cf5397f2f
Instruction Fuzzy Hash: 7251E271F0AA0E8FDB58CF9888655FD7BE2EF98300F15427AD05DE72A1CE3469018795

Function 00007FFD9B7EE531 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51c602ffc2e2576bf89827d923db0f1c88283272ce8655dd838bd46b6a86d880
Instruction ID: 31c53c4c0585c4bbc8370b483822ebdaf4425864cc6340b85146b2094d86795d
Opcode Fuzzy Hash: 51c602ffc2e2576bf89827d923db0f1c88283272ce8655dd838bd46b6a86d880
Instruction Fuzzy Hash: 3A512A71E09A1D8FDBA4DF588865BE8B7B1FF58300F1145FAD01DE32A2DE356A818B40

Function 00007FFD9B7E824C Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3630c5435eb7e203f661ca84a796bed50be4299dd93b12ff0ae208e02c2d487a
Instruction ID: 837fc62c7f2a022723a2c629130862579fe86bc07293af1feb4fbef0b9d54562
Opcode Fuzzy Hash: 3630c5435eb7e203f661ca84a796bed50be4299dd93b12ff0ae208e02c2d487a
Instruction Fuzzy Hash: D9513F71A19A5D8FDFA8DF58D8A5BA9B7F1FF58300F0001A9D40DE72A1DB35A981CB00

Function 00007FFD9B7F049F Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb083a9d8de6d590337232f2aaedd37994657a5ea3b0de7f17aae735f02d649a
Instruction ID: 82c52b1f0af84ed422de0e4f2d3034310a00cdf7fb73a7d9209f053047eef33c
Opcode Fuzzy Hash: fb083a9d8de6d590337232f2aaedd37994657a5ea3b0de7f17aae735f02d649a
Instruction Fuzzy Hash: B9514271E0965D8FEBA4DF5888A5BE9B7F1EF59300F4146E9C04DD72A1CA346A81CF40

Function 00007FFD9B7FB1A0 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92bc03ea3116fa1c55b033006e74d22f9d5ac7c3127787c40a7ba465405236e6
Instruction ID: 6cf0d2a118c757f7b4909692ea8d26a12e7d63632e514c62dc817d27c5ddb716
Opcode Fuzzy Hash: 92bc03ea3116fa1c55b033006e74d22f9d5ac7c3127787c40a7ba465405236e6
Instruction Fuzzy Hash: F851C370E18A1D8FDF98EF98D8A4BADBBB1FF58305F10016AD41DE72A5CA356941CB40

Function 00007FFD9B7EA7BD Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d810fd5534b924f31ac4d47b864c492f86b46f8e66165147a3c76174ba12d0e
Instruction ID: 2017793680ee644747ee36eb130015827dab38ab0655bd5ed352df70136e8c88
Opcode Fuzzy Hash: 8d810fd5534b924f31ac4d47b864c492f86b46f8e66165147a3c76174ba12d0e
Instruction Fuzzy Hash: F841F222B0FBDE0FD762E66C98754A97FA0EF5622470943FBD089DB0B3D805A846C351

Function 00007FFD9B7F7765 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f0b007722a2ac1b8f58e6623117a2f22461aa2b5269109110e5bac8c5932f31
Instruction ID: 94ad23315e021be16b7eae83eeb5a04787763a2341318c636e68b742fa3ca208
Opcode Fuzzy Hash: 2f0b007722a2ac1b8f58e6623117a2f22461aa2b5269109110e5bac8c5932f31
Instruction Fuzzy Hash: 4851A170709B8E8FDB99CF1888B09653BA1FF59304B1506ADE46DCB2E2CB31E912C755

Function 00007FFD9B7F212F Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 915d7d08bd815525dcd2273039aa159c89aadee4b01f2a7140e38205d19f7a2f
Instruction ID: 0a11da18b4f937f1e8d56057cbf25c2a2dc4693b7c5e9341d9c2f3ff13e9a13c
Opcode Fuzzy Hash: 915d7d08bd815525dcd2273039aa159c89aadee4b01f2a7140e38205d19f7a2f
Instruction Fuzzy Hash: A851D470E0961C8FDBA4DF98C8947E9B7B1EB59301F5041AAD00DE72A1CB38AA85CF44

Function 00007FFD9B7EA830 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 500bfa443b4ffd426b7b2fa020614f0c2b92ef0079879d522b92fa07698d0909
Instruction ID: 205be034cf5af149e15292d8abbd508ce7cbd3a56ce82041842867385d0931fd
Opcode Fuzzy Hash: 500bfa443b4ffd426b7b2fa020614f0c2b92ef0079879d522b92fa07698d0909
Instruction Fuzzy Hash: 5641F222B0FBCA0FD762E76C98B54A57FA0EF5622470942FBD489CB1B3D804A846C351

Function 00007FFD9B7E2CCF Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5ec20e1e636d7383f57ed9f4509f0421c2ad50e699c521669a38884af33efb
Instruction ID: 4aca42592a29f0e0d395669970ee92d04ad8e621202fc0ce2ae1b61c4456e386
Opcode Fuzzy Hash: 8c5ec20e1e636d7383f57ed9f4509f0421c2ad50e699c521669a38884af33efb
Instruction Fuzzy Hash: 66418B74E0A65D9FDB55DBE888A46ECBBF1FF59301F5402B9D049A72B1CB386942CB00

Function 00007FFD9B7E827D Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5a09a03c81f1fca1a8f0f29594a979d37eac1928edf0fe2141fb576345bc331
Instruction ID: a5f6435bf442941c253c69fe2980f6703df1832f8257bd39be784b7d4d9f8e1a
Opcode Fuzzy Hash: a5a09a03c81f1fca1a8f0f29594a979d37eac1928edf0fe2141fb576345bc331
Instruction Fuzzy Hash: 7B41FE30A19A5D8FDF98DF58D8A4BA9B7F1FF68300F1001A9D40DE72A1CB75A981CB00

Function 00007FFD9B7E87E0 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e2483cc7b7a0e490ec29b6b93931d4d9f91553e43b786cc285be3250c230cad
Instruction ID: b174e7ec018b50ef9f86ef19bb2426505b34049c1cc39790d364649b9f07d15f
Opcode Fuzzy Hash: 2e2483cc7b7a0e490ec29b6b93931d4d9f91553e43b786cc285be3250c230cad
Instruction Fuzzy Hash: E141D771E0D98D9FDB50EFA8D855AEDBFF1FF99710F0406AAE048E3265CA246841C781

Function 00007FFD9B7EF90D Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d07083879daf45edcbb0c68476f6d30794a2b39e9dea9cea30e01185a4cec5b
Instruction ID: 626b2451cd534a0c2f57cca3c13c0b328d4809f06442adce8a893a95583cb089
Opcode Fuzzy Hash: 5d07083879daf45edcbb0c68476f6d30794a2b39e9dea9cea30e01185a4cec5b
Instruction Fuzzy Hash: 81418670D0D99D5FDB95DF6888A5AE8BBF0EF69300F0006E9C08DD7166CA346D82CB40

Function 00007FFD9B7E1330 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbdb277ef8f1ae570d525fa25faf1d6e3aabf9c5e918937fd56417faa61f5496
Instruction ID: a5c0f653b7e66e95f49bbc88407481930d31570c8bd5695496617b47eb9aa843
Opcode Fuzzy Hash: dbdb277ef8f1ae570d525fa25faf1d6e3aabf9c5e918937fd56417faa61f5496
Instruction Fuzzy Hash: 5A41E471E0F29A4FD7158BB458621BD7FF0AF46310F0542BED099A7AF2CA286A05CB15

Function 00007FFD9B7F3D71 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b28a27be888dc27f69ebce327c76e2829759c9da6840a9f4acf19e6017726acc
Instruction ID: b5650ba60e19f211c702f447525706fc4410655ff16333eb411a378c05c9ad0d
Opcode Fuzzy Hash: b28a27be888dc27f69ebce327c76e2829759c9da6840a9f4acf19e6017726acc
Instruction Fuzzy Hash: 8A415370A14A4D8FDB88EF58D455BEEBBB1FFA8300F51457AE419D32E5CA34A851C780

Function 00007FFD9B7F6980 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a21324aca7b395bc040b4af11fcda7c1b5307a9846a636c17f7612d76c6bec22
Instruction ID: b983b8c37489dbd8fcaf3e0d7ea74ba9e3e5c7bd8a4696b2159c7e9a57aa7452
Opcode Fuzzy Hash: a21324aca7b395bc040b4af11fcda7c1b5307a9846a636c17f7612d76c6bec22
Instruction Fuzzy Hash: 0B41B231A0DB4D4FDB59DB68C865AAA7FF1EF99310F0501BEE049D32A2DE249941C781

Function 00007FFD9B7EEF59 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cf98dc1df8472b32cd79cab48478682eef43a692074a0a445ab4b9d0d454305
Instruction ID: a63bd00fb6939e8a70e0dec3068b6c73faa2501d3eb673cf95fe70c461d4cf0c
Opcode Fuzzy Hash: 6cf98dc1df8472b32cd79cab48478682eef43a692074a0a445ab4b9d0d454305
Instruction Fuzzy Hash: C831D47188E3C95FD7929B6488665E57FB0EF02210F0A06EBE448CB4B3C52DA656C351

Function 00007FFD9B7EF081 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6933a7b22f364add8de4a770add87432c22603e08523c9ee8c48d2b957bb5a45
Instruction ID: 255c32df732d3dfbf22267790785c95a14e824fbc27c6dc81d8ad9b6f8eef1ad
Opcode Fuzzy Hash: 6933a7b22f364add8de4a770add87432c22603e08523c9ee8c48d2b957bb5a45
Instruction Fuzzy Hash: DD418171E0AB4D8FEB98DFA8D4656AD7BB1EF59300F41016AE009D62B1DB356941C740

Function 00007FFD9B7E8CA0 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa4682452292484bdbbc39845e0324e2afb7d7d6662ede12d12d6a99fcb8e06e
Instruction ID: d8d19e39252c9259881310a545b59a8d523ce03214f70d9d05f70a8dc54ce829
Opcode Fuzzy Hash: aa4682452292484bdbbc39845e0324e2afb7d7d6662ede12d12d6a99fcb8e06e
Instruction Fuzzy Hash: 8A314070A14A4E8FDB88EF58D454BEEBBB1FFA8300F110579E419D32E5CA34A8518780

Function 00007FFD9B7ECFDE Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96ec48ed005eddd8317eb9cc18c46d85cd89372c9ab0e001a6f91cddcad2cd40
Instruction ID: 4a29d0a15cc2251a5138a878628d87bc628bb356a97221a0ac0ce26b6a13369a
Opcode Fuzzy Hash: 96ec48ed005eddd8317eb9cc18c46d85cd89372c9ab0e001a6f91cddcad2cd40
Instruction Fuzzy Hash: F7313270E09A4C8FDF94EFA8C495AEDBBF1EF59301F14056ED009E76A5CA356842CB40

Function 00007FFD9B7EF474 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b866555bd5769c14955cc37415de9dd818604bbec0f59d44504fcec2ae24279b
Instruction ID: b6e92e469ffc97254d2692deefb8ada63563af739e2a478def710c6f81bac2af
Opcode Fuzzy Hash: b866555bd5769c14955cc37415de9dd818604bbec0f59d44504fcec2ae24279b
Instruction Fuzzy Hash: A931A271E0A65D4FEBA5DF6488A57E8B7B0EF25300F0105F9D04DDB6B1DA342A858B40

Function 00007FFD9B7E1573 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a21dfe1c2c3e911b04bc1e75bc5c8de1d2e3fa5d20459cc1c45e0b27b2b33230
Instruction ID: 1510cdd52bbfa926f73842b95ed9d0a51c6d9e37b01a99225c318c48254319ee
Opcode Fuzzy Hash: a21dfe1c2c3e911b04bc1e75bc5c8de1d2e3fa5d20459cc1c45e0b27b2b33230
Instruction Fuzzy Hash: D6319770A0D9CD9FDF51EBB8C4669EDBFF1EF5921070945EAE089D7262C638A5438700

Function 00007FFD9B7EED60 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75d1b3a58548189d65ed0defe20ab4dffa6f1d7ee84ffddaca4e5b3384a5c082
Instruction ID: b2bfceaddf1efdb01342a9ab45cf7dbd4b6211574b02d77d71b7fe549a69bf33
Opcode Fuzzy Hash: 75d1b3a58548189d65ed0defe20ab4dffa6f1d7ee84ffddaca4e5b3384a5c082
Instruction Fuzzy Hash: 1C317830A28B4D8FDB58DF58C8A6ABD7BB1FF59704F01066DD44AA32A0CB346841CB81

Function 00007FFD9B7E2D72 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7934bb7894a89c6731f28443fce62ab3893a81e99d26f64b8beded7ae2b1386d
Instruction ID: 90b624d89da3e290889d43750a9fbc3e79b4627cc58096e49f7037eb05168386
Opcode Fuzzy Hash: 7934bb7894a89c6731f28443fce62ab3893a81e99d26f64b8beded7ae2b1386d
Instruction Fuzzy Hash: 5731B97090962D8FDBA4DBA8C495BACBBF1FF59305F5041ADC04DE32A1CA755A84CF00

Function 00007FFD9B7F2077 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5506a9ed0718f69f26a3d06bb08cd0f8263e713287907d54f9c6215b298fa2b
Instruction ID: 917a8c7c75b83baed7bedd651f547bfef80ec6211d502c2af0c6545d6e98d0b3
Opcode Fuzzy Hash: a5506a9ed0718f69f26a3d06bb08cd0f8263e713287907d54f9c6215b298fa2b
Instruction Fuzzy Hash: 4431DC71E0961D8FDBA4DFA8C4557EDBBB0EF19301F5145A9D00DE72A1CA385A85CF40

Function 00007FFD9B7E0840 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f0663cb19f045768b7c66284eb5d26aac673952ecc7f09a7a793b16ddcb2f2c
Instruction ID: 4025a20447652633100715de9929246eb21e54b94898c230b978b4116dcf09f7
Opcode Fuzzy Hash: 8f0663cb19f045768b7c66284eb5d26aac673952ecc7f09a7a793b16ddcb2f2c
Instruction Fuzzy Hash: 4C21E616E0F7CA1ED712A77858B65E93FB09F42618B0942F3D0D99A0F7DC182589C341

Function 00007FFD9B7ED3C9 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fde17dd30c794a179f17a18b40e102be660ba2e190e514b713e3c2a22c2d359
Instruction ID: e655721c011604107aed5d0615a9d829382522cff8b5e93bb47458d916ef9e00
Opcode Fuzzy Hash: 3fde17dd30c794a179f17a18b40e102be660ba2e190e514b713e3c2a22c2d359
Instruction Fuzzy Hash: A9219131A1E79C8FDB51DBA8C854BE9BBF0EF16300F0442B6D04CD71A2DA24A9458791

Function 00007FFD9B7F1F95 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9631c857ebf7ee23c5ad6b3e42a6ac8a01d5c907c4646ddec79a3b99c95ad0e6
Instruction ID: 4fbebf5723f5e6ebca08723d3b56b4b417271c7035a7546ccc11d86ffd4c81e9
Opcode Fuzzy Hash: 9631c857ebf7ee23c5ad6b3e42a6ac8a01d5c907c4646ddec79a3b99c95ad0e6
Instruction Fuzzy Hash: CA319131E0AA5D8FDB65DB688855BEA7BF1EF99300F0541FAD00DE31A2CA341A45CB40

Function 00007FFD9B7EA261 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e46e2e578c7e32e59da4ef6f7db90d0db36ec9f82b5d0f9f399fd1eae5dbe6f8
Instruction ID: 70ac488ac0a00ad32e09ef7c5f1b49ab731d2c3bb8d3106485db78b4bb671b3f
Opcode Fuzzy Hash: e46e2e578c7e32e59da4ef6f7db90d0db36ec9f82b5d0f9f399fd1eae5dbe6f8
Instruction Fuzzy Hash: D411083270DF5D0FDBA89A1C54691BA3BD1EFAD25170902BBD40ED32B5DD15AD018381

Function 00007FFD9B7E099A Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a69d30397e02d8fcabff69f23cb13602ab914bcd7e88bc6c1356b9d5d7d5f2e
Instruction ID: e84e673564f225001c9abc86f996a5cb72b8f22fec0ade197dd4793065ab3ff5
Opcode Fuzzy Hash: 1a69d30397e02d8fcabff69f23cb13602ab914bcd7e88bc6c1356b9d5d7d5f2e
Instruction Fuzzy Hash: FD219B74E18A1D8FDF94EF98D895AADBBF1FF68300F01056AD409E7265DB34A841CB40

Function 00007FFD9B7E90F2 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7093be49313cb537c265c7ec7e2a8f9455b2a242dc3162de4e8e96b08f2e92aa
Instruction ID: 5b3d206043615334db9953d53e961b8cb8d0c49d7642e8ff80c0381c0465a581
Opcode Fuzzy Hash: 7093be49313cb537c265c7ec7e2a8f9455b2a242dc3162de4e8e96b08f2e92aa
Instruction Fuzzy Hash: 0D21E031E0969D9FDB14DBA8D4646FEBFF0EF55301F04417AE049A32A1CA386A85DBC0

Function 00007FFD9B7F0CCC Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83f0e794f37fea6b20846a66b59d5ba423a2ad2be41724308930eb0bd221a28e
Instruction ID: 7b9079643d34cfba66c0ca3a65e0fc854dd8c1e5658aa9b380889da03f62d3ab
Opcode Fuzzy Hash: 83f0e794f37fea6b20846a66b59d5ba423a2ad2be41724308930eb0bd221a28e
Instruction Fuzzy Hash: B5211C71E09A5D8EDFA4DFA89891AECBBF1EF18700F1141A9D04DE3361CA346A81CB45

Function 00007FFD9B7EF80C Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6c84e2d3b2c18f8921b7b9785b0a74132c2eca2699d79061b3f9a7eae514f73
Instruction ID: df0ca84e4d1dab9671dd46a00d034744bbf408c8153408077c6993ef55bccae3
Opcode Fuzzy Hash: f6c84e2d3b2c18f8921b7b9785b0a74132c2eca2699d79061b3f9a7eae514f73
Instruction Fuzzy Hash: D131C770A19A5D8FDBA4EB14C8A8AE9B7B1EF58301F0146E9904DE7265CA345A85CF40

Function 00007FFD9B7F50F8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6daced4d0b5b31bc4c4e10fd3e9579f4e6410823c64de5f2af43f100ba8879fb
Instruction ID: bd3ec2b339bb7edcc9216e256da9b3e6cf45980f3e541168641108f453c971b1
Opcode Fuzzy Hash: 6daced4d0b5b31bc4c4e10fd3e9579f4e6410823c64de5f2af43f100ba8879fb
Instruction Fuzzy Hash: DE216971E1965D8FDB58DF68D8617ED7AA0FB08305F01427EE059E2290DB345A84CB85

Function 00007FFD9B7E1705 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 485a59dc208c3a4192e19b996f926042daabebefc8b1927bd7a5142d486a4dd0
Instruction ID: 62cbcd94588a7d36e6e2043aa7470e91e68bb3ca117a9278e37e1f2c4816c891
Opcode Fuzzy Hash: 485a59dc208c3a4192e19b996f926042daabebefc8b1927bd7a5142d486a4dd0
Instruction Fuzzy Hash: CB118471E0EA8D8FDB51DBA888266FDBBF1FF99310F410279D149E35B2DA3866448740

Function 00007FFD9B7E7F91 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 770ae134cd4bce38e6dc1171995d7966a40a23818f38ea2015e2e98b2259097a
Instruction ID: cfb60b9e025497830f44a23925695e12353e29e45bafcccee836b994648c2e29
Opcode Fuzzy Hash: 770ae134cd4bce38e6dc1171995d7966a40a23818f38ea2015e2e98b2259097a
Instruction Fuzzy Hash: 41215B6090D7C96FC70697788838BDDBFA1AF97310F5942EEE0949B2E3DA183415C712

Function 00007FFD9B7ED121 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a25ba46f3700b6e634a9fc8f8db7a1e031003bca50513f061604150d26ee469
Instruction ID: d258b75170765ce64713e2130f2249cd6fa68f1e359e55bd6b0ad056a68cba0b
Opcode Fuzzy Hash: 2a25ba46f3700b6e634a9fc8f8db7a1e031003bca50513f061604150d26ee469
Instruction Fuzzy Hash: 42113C71D08A0D8FCF94EF58D455AEDBBF0EF69310F05016AE009E3261CB31A954CB90

Function 00007FFD9B7F1F09 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfae054861777e9a456983c2ac9d8f7b50ed60bcd18813bc8eb8464e6411f0fd
Instruction ID: 65590c9dd0077dc1302d2d0369fd52d62f2cc45261ca2a63f07fe0fc058af61c
Opcode Fuzzy Hash: bfae054861777e9a456983c2ac9d8f7b50ed60bcd18813bc8eb8464e6411f0fd
Instruction Fuzzy Hash: C9119E32F09A4E8FDF54DF68A8256FEBFE0EF59310F050176E408E36A5CA2469508BD4

Function 00007FFD9B7F3620 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26b74a668f83aa4b9b08b7239ea128f105b0165d1098b01a66255edf4d3aaef2
Instruction ID: 7f6e4e8a6c03a602b9e5b1d457dab9d51d43bc1d043be92fddb435c2c2055234
Opcode Fuzzy Hash: 26b74a668f83aa4b9b08b7239ea128f105b0165d1098b01a66255edf4d3aaef2
Instruction Fuzzy Hash: C201DC23F2EA180BE7B04D6CBC610B5FBC0EB85231715077BE41CC22B4DA25284383C1

Function 00007FFD9B7E909D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23184ec586256a56e329e280a8cc332dfe8e018115b0fd0c77bd6d767c7633be
Instruction ID: 875161d535e286675ce3fa425216894566129c2b3c1905609b6a8835c919f779
Opcode Fuzzy Hash: 23184ec586256a56e329e280a8cc332dfe8e018115b0fd0c77bd6d767c7633be
Instruction Fuzzy Hash: 7211B132E0964E8FEB50EFA888696FD77F0EF04308F0541B6D45CC71A6DA34A685C701

Function 00007FFD9B7E1384 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 708c369c5e0c849b02e398058f960bb06bce6098c17286a764bd3c296c92a6be
Instruction ID: ac033d1d9188cc23fdd9d12f21e9c1de152002a7c00413f60fddc2f86668a999
Opcode Fuzzy Hash: 708c369c5e0c849b02e398058f960bb06bce6098c17286a764bd3c296c92a6be
Instruction Fuzzy Hash: 1511E760E0F28A4FD71687B558315BDBBB1AF42304F0982BFD0699B9F7C92C6618CB51

Function 00007FFD9B7ECE45 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b77c11def351fce3dccc4cc3291481acd575dfa1f8fff7d57148c504627efaa
Instruction ID: 607e58ffa39bf28a0e4e205d0759ac55808aec142906534fbce8725cc9cf3cc1
Opcode Fuzzy Hash: 1b77c11def351fce3dccc4cc3291481acd575dfa1f8fff7d57148c504627efaa
Instruction Fuzzy Hash: EA11043294E2CE5FD31297B45C695FA7FA4DF46210F0A01F7E458CB0F3D829265A8352

Function 00007FFD9B7F1662 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 307cbceb73361aa216da0a207e8570cbd3586c12e7325d7219cb5583a8f537a7
Instruction ID: 6d58b7b820c58dd8039d3c7c42dc4f2036592d28d1812e33d2aec33bb07773e8
Opcode Fuzzy Hash: 307cbceb73361aa216da0a207e8570cbd3586c12e7325d7219cb5583a8f537a7
Instruction Fuzzy Hash: 2611B97090969C5FCB51DB6888A8BE97FF1EF69300F0402EDC04DE7563CA346E868B41

Function 00007FFD9B7F03E4 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54d01aded902b44e96d3d2656dc953972e56eaa5782ad5964be0cc21a58f58fd
Instruction ID: fdf72462cfc6418b3ab3ad4ead6390b6fd75c96874a1095108891c6fb11fdaed
Opcode Fuzzy Hash: 54d01aded902b44e96d3d2656dc953972e56eaa5782ad5964be0cc21a58f58fd
Instruction Fuzzy Hash: 94214D30E0966D8FDBA9DF548850BE9BBB5FF59700F5441E5C04CA72A6CA34AA81CF40

Function 00007FFD9B7E2D05 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22a3e93bc788db54648584669fce1ecc20fb1e9f5e94416ba199c556118f65e4
Instruction ID: 82ac2bd28099123cc96e468c1195fda879cb74285f5e702539051263b45df370
Opcode Fuzzy Hash: 22a3e93bc788db54648584669fce1ecc20fb1e9f5e94416ba199c556118f65e4
Instruction Fuzzy Hash: 1111F330E0A66D9FDB68EBE4C4686BCBBB1FF19305F51057DD00AA62A1CB795A40CB00

Function 00007FFD9B7E0A54 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a50981e256e1e948f11eecdbddaf650895ed5e8ea65e6c3b7c3f6a46a22bb12b
Instruction ID: 59509c7659ed7d6371616370d8650871f5a050bc2fe133b001f6bb67d6b6ed3c
Opcode Fuzzy Hash: a50981e256e1e948f11eecdbddaf650895ed5e8ea65e6c3b7c3f6a46a22bb12b
Instruction Fuzzy Hash: 6E118AB1D0E68D4FEB64DBA848696AD7FF1EF69740F05016EC049E72B1CA346951C700

Function 00007FFD9B7EF165 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f663d7b4c66e24062a67ab0c4bbc98e5ce465a93b3a6b4b51d25cc725bec084
Instruction ID: 4b5ef2cf9a15c756cba48bcd7169ba224e22aba89cd7b5d2dbaff7a3fa2eb963
Opcode Fuzzy Hash: 8f663d7b4c66e24062a67ab0c4bbc98e5ce465a93b3a6b4b51d25cc725bec084
Instruction Fuzzy Hash: EF111571E09A1D8FEB58EFA8C4656ADB7B2FF58301F51012AE00DE72A1CB3469418B41

Function 00007FFD9B7ED140 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 566c940673d9c8742d1279ebedc344316cba0e2c291c48d748d4cc4d34e74015
Instruction ID: ccc85416f4a986409212e22f017f13be7141145d13a2f1f5cf4cbbdfa93c30a0
Opcode Fuzzy Hash: 566c940673d9c8742d1279ebedc344316cba0e2c291c48d748d4cc4d34e74015
Instruction Fuzzy Hash: 9D01E931908A0D8FDF94EF58D454AEEBBF1EF69310F01016AE009E3260CA31A994CB81

Function 00007FFD9B7E0BF7 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c330eb4b847ce97a990e5b60163018292a30a4327b032adc4cb0d8c8c79d3480
Instruction ID: d934bdbb63fa487616384fe7c3d572a3320548f816496fea64b3a170186ec2e7
Opcode Fuzzy Hash: c330eb4b847ce97a990e5b60163018292a30a4327b032adc4cb0d8c8c79d3480
Instruction Fuzzy Hash: AC11A230A1991D8FDBA0EB58C895BA9B3B2FF59300F5046A5D01DE32B6CA34AD81CF51

Function 00007FFD9B7E9065 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9b9dce9d984a32d796e50e51081089e6433fbe095bea7fb06b50ee8dde5b21f
Instruction ID: ae1eac87f19aa3d2f11921553e76a1a4da98e2c685069ec7591a7791e86b7948
Opcode Fuzzy Hash: b9b9dce9d984a32d796e50e51081089e6433fbe095bea7fb06b50ee8dde5b21f
Instruction Fuzzy Hash: 9F118231E0868E9FE741EFA88868AFE7BF0EF15304F0445A6D45CC71A6DA34A655C741

Function 00007FFD9B7EFEF1 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b779203ee32656c4365401c01a29d5906752f6865b4426f3625ce54b1b1a1045
Instruction ID: 02a205cd19ae17469024a11162801388941dd05251aed77f0ddf16bc864da73b
Opcode Fuzzy Hash: b779203ee32656c4365401c01a29d5906752f6865b4426f3625ce54b1b1a1045
Instruction Fuzzy Hash: AE11A430A09A1D8FCFA5EB58C891E99B7F5EF59700F5046E4900DE7266CA34AEC1CF40

Function 00007FFD9B7E0648 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e4c52cba5d238d5aad254bbbf12f83bd2ca15964361283a459e90f859080521
Instruction ID: e96d3d9f41b7d8a29bd8a761c190a9244bd1f09135ba384809ca66ffb360d54f
Opcode Fuzzy Hash: 9e4c52cba5d238d5aad254bbbf12f83bd2ca15964361283a459e90f859080521
Instruction Fuzzy Hash: 4E11E570918A0D8FDF90EF58C8456EE7BE0FF6C355F11462AA85CD3260DB34A6908B81

Function 00007FFD9B7E0868 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1867646622473a2afd70a4ba4a56aed7bd501645b120c77b6f2fde94e0b35e3c
Instruction ID: f2313895132741d1775bcbd49122018e1cb806cc4ef75e9d3efd731f6fc89a42
Opcode Fuzzy Hash: 1867646622473a2afd70a4ba4a56aed7bd501645b120c77b6f2fde94e0b35e3c
Instruction Fuzzy Hash: 0811CE21E0E7CD1EE762A7A8487A5E97FB0AF42604F0A02F7D098D60F3DC182945C341

Function 00007FFD9B7F1005 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffbceec5d79737cd6dc4fefaa582289e5d3b8c433374b47094ed81e14a78e62a
Instruction ID: 687b9a5b6ddc990236cd0801ed7cdeecf6fdc31d71aaf6ac5d2dcbcfb067162e
Opcode Fuzzy Hash: ffbceec5d79737cd6dc4fefaa582289e5d3b8c433374b47094ed81e14a78e62a
Instruction Fuzzy Hash: FB01F130A4E28E5FD3159B64486A9F97FA0EF45200F0606FAE05CC70B3D92C26568382

Function 00007FFD9B7ED1E9 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af6c70695dfb15a172feb09ba6f1a43433c5ccdab2c444a05084753c3cc3116e
Instruction ID: f0211ad6dddfa8d2085ff168838ea60fb2b2e0793ce2513b657b63d0cdd40e90
Opcode Fuzzy Hash: af6c70695dfb15a172feb09ba6f1a43433c5ccdab2c444a05084753c3cc3116e
Instruction Fuzzy Hash: 96012630D5828E6FDB05AB60985A9EA7BB4EF05314F0501F6E41CC70B2DA3CA792C751

Function 00007FFD9B7EF229 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 200532c177245395536ff8ed6cff51d8ce854377c4809d337028105920639ba8
Instruction ID: c8f2683a153ebfe10d4ecd8452c4680b70c33884b536236eb8ac4436b5cce089
Opcode Fuzzy Hash: 200532c177245395536ff8ed6cff51d8ce854377c4809d337028105920639ba8
Instruction Fuzzy Hash: 9EF0FF2188E3CA0FE7032BB018745F17FA5AF03210F0906F7E498CA4A3CA69561AC311

Function 00007FFD9B7EECD1 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9061340172302e8da6832d676ffa11bd7cc1375b857a804e6561e7e0d009324d
Instruction ID: 58c0c497a629152eed4250ecf4b96fb772ce5b39620276c1ed18dd263020bfbf
Opcode Fuzzy Hash: 9061340172302e8da6832d676ffa11bd7cc1375b857a804e6561e7e0d009324d
Instruction Fuzzy Hash: C101D17090874C8FCB95DF24D8596E97BF0FF59300F0106A6E808C7161DB30AAA0CB81

Function 00007FFD9B7EBC28 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9145189e24303bab7f6e7a24df1c6a411d897e91bdd8b03dd1414ac6414cc703
Instruction ID: c8c63d152d6a22b8fce921cd87995572681368288d527f24cedccbb9d7006c0c
Opcode Fuzzy Hash: 9145189e24303bab7f6e7a24df1c6a411d897e91bdd8b03dd1414ac6414cc703
Instruction Fuzzy Hash: D001DB70A09A1D8FDBA8DF6884957A8BBB1FF59304F5005AED04DE72A1DA35A945CB00

Function 00007FFD9B7E908D Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5f1aed8622ddc8794a9c28002b615cb434f53bad6e13454ec8ac5de45ae7071
Instruction ID: 0d6917f0585e7bd8e5b7ed4ff7b3b0e82e00a9603b633bc4e23b785af7b83851
Opcode Fuzzy Hash: d5f1aed8622ddc8794a9c28002b615cb434f53bad6e13454ec8ac5de45ae7071
Instruction Fuzzy Hash: 78014F70E18A4D9FDB90EFA88858AFEBBF0FF18304F0005AAD41DD3165DA349591CB41

Function 00007FFD9B7E9190 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1ce0d56305c41b482ac1639f44074e68b6ba146f9ae35de01814993cafaa869
Instruction ID: c997f4e2780ff7e03153e02ac48c0dea99d5d50dd950a2f972b5cd87c2d1dc96
Opcode Fuzzy Hash: d1ce0d56305c41b482ac1639f44074e68b6ba146f9ae35de01814993cafaa869
Instruction Fuzzy Hash: 4B01DF3190938D9FE741EB6888695ED3BA0EF00308F1445BAE45CC60A6DA3469818700

Function 00007FFD9B7F1573 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e759f4ff31b856222b291d799865b19d0a3c0822e5c196a2dbf394350fb3d3d5
Instruction ID: 1b03540cbef84f92c5335fb4f8eef99e98de225c38b11ead15ba754f6b3ab89c
Opcode Fuzzy Hash: e759f4ff31b856222b291d799865b19d0a3c0822e5c196a2dbf394350fb3d3d5
Instruction Fuzzy Hash: 2A012C7091965D8FDB99DBA484A47ECBBF1EF59301F0440EDD04AE75A1CA382B81CF40

Function 00007FFD9B7E922D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14d677a78ef5f0bcad132234e046f4810d0d8736cd587b02707ab8a0663e3a6d
Instruction ID: f692c3bc12bf745bf169ad8ece0b349683dc5df113006be065e83922e8a11958
Opcode Fuzzy Hash: 14d677a78ef5f0bcad132234e046f4810d0d8736cd587b02707ab8a0663e3a6d
Instruction Fuzzy Hash: B9F06230A1860D9FDB95EF68D8556EE7BF0FF14304F114666E81DD3175CA30A5A0CB80

Function 00007FFD9B7F3D11 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d251cbcb3068529ea21786d2beb82fe8722c625721f470fd0e31f7895a4de0ae
Instruction ID: 29f338695aa83b3c08d172920c95a4b848c89662909c12be5d24daf8f047d0ad
Opcode Fuzzy Hash: d251cbcb3068529ea21786d2beb82fe8722c625721f470fd0e31f7895a4de0ae
Instruction Fuzzy Hash: 33F0903191864D8FDB41EF6488686E97BB0FF18300F4500FAE40CC71A6DA34A554C701

Function 00007FFD9B7E0931 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c3b87d91249d1ee906cdfe494b0d9687a76cea84e1ebf536fb5d979e59c4f23
Instruction ID: a934586ed63c91debafcb44a7cfbdcec45e8a14dcd5f9b9c7368cd3c9b31b78a
Opcode Fuzzy Hash: 8c3b87d91249d1ee906cdfe494b0d9687a76cea84e1ebf536fb5d979e59c4f23
Instruction Fuzzy Hash: D1F09732E0FB8E0FF3725A6889363E93790EF01300F4205B2D1088A0F7EE382A048342

Function 00007FFD9B7EBD91 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d776cdd9e1bb274d3a820e6ac57902b7d2e175204471913fb463d0934963777
Instruction ID: d44b1f26524ff092627ec519fc56fd1447a9ae0a363cfbab2435ed0cbaa3aed9
Opcode Fuzzy Hash: 6d776cdd9e1bb274d3a820e6ac57902b7d2e175204471913fb463d0934963777
Instruction Fuzzy Hash: 31F02031C0A38E8FD726DF2088652E97FA0FF01300F4102FAE048871A2CB39A664C781

Function 00007FFD9B7EF551 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8118e5d4b4d4a4611aa81a7b0e0b78ffc9c450ef12bafbcaabc91cbfdef7b14a
Instruction ID: 863781303bc1ca873ba41085ffdb8c50fddec773d7a1534c00a44e4f3f528182
Opcode Fuzzy Hash: 8118e5d4b4d4a4611aa81a7b0e0b78ffc9c450ef12bafbcaabc91cbfdef7b14a
Instruction Fuzzy Hash: F8F0AF30E0A72D8FDB64DF248890ADAB7B1EF44304F4005F9D04DA71A5CB346A81CF01

Function 00007FFD9B7EEB31 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ba0302ec5985332840a0772f035744f63013db84ec7b54ee7d8d35110cfdced
Instruction ID: 577f9016b284f10487b6cad5c015e8597b5e494e9df52d89128418b48734fae0
Opcode Fuzzy Hash: 7ba0302ec5985332840a0772f035744f63013db84ec7b54ee7d8d35110cfdced
Instruction Fuzzy Hash: 34E0687181DA8C4BDBB0AA98A854AD4BBB1FF85308F010559E45CCB0B1D2355660C340

Function 00007FFD9B7E93CD Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02eeba999a6b4b1006e31940ab330b7ae60b5f918b5ff1397cb6ec32743f9375
Instruction ID: ce8640b67cda3c1e5c34371c1342378bb581f7ff24dc526e53d51ec52e71a4a6
Opcode Fuzzy Hash: 02eeba999a6b4b1006e31940ab330b7ae60b5f918b5ff1397cb6ec32743f9375
Instruction Fuzzy Hash: 64F01C31A18A4D9FDB50EFA8C858ABD7BA0FF04308F5045AAE41DC21A5DB34A694CB41

Function 00007FFD9B7EA2DD Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aa3b39f02fb2d7fcbe45c4104296d2d603232ef24e94f620f0329833cef396b
Instruction ID: 0347a7d105a0ac05c17a53e734fc61273a736a9ea1fda93e82a926b4fed5eab4
Opcode Fuzzy Hash: 7aa3b39f02fb2d7fcbe45c4104296d2d603232ef24e94f620f0329833cef396b
Instruction Fuzzy Hash: 30E01222B1DE2C0B9A98E65C74261BDA3C1E7C853170503BFD00ED33A9DD1A5D0202C5

Function 00007FFD9B7E91AD Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ddb8d83200545a2f294301d3ac3ba3576b47de7e53958359dd82ef23d534d6f
Instruction ID: 4f6608764ded23d56280d89590a97345f2b06a6f3b5b6bad093f78244bcac6ca
Opcode Fuzzy Hash: 7ddb8d83200545a2f294301d3ac3ba3576b47de7e53958359dd82ef23d534d6f
Instruction Fuzzy Hash: CEF0A030A2864DAFDB80EF68C8596ED77E4FF04304F5004BAE81CC21A5DA30A6A4CB00

Function 00007FFD9B7F16CF Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b56cd461a264406f0dcd2260e580a5d1d1937be86254c5237c01e428d379ed0
Instruction ID: 879399f2959b4eccb3cc3ee01f7cf959847cc0b2ffa2241b80c8f7c3bfab892f
Opcode Fuzzy Hash: 1b56cd461a264406f0dcd2260e580a5d1d1937be86254c5237c01e428d379ed0
Instruction Fuzzy Hash: 3AF0C07094855D5FCB90DB589899BD9BBF1EF69301F0047E9904CE7266CA346EC18F40

Function 00007FFD9B7EF567 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec96961274a43603b68be8bd22274567012c6a05f3006de745f1b6d7a26d648e
Instruction ID: 86cd0e84cab6712c286cf96e785f95e65819c5975949d3c8955acb61a4d67930
Opcode Fuzzy Hash: ec96961274a43603b68be8bd22274567012c6a05f3006de745f1b6d7a26d648e
Instruction Fuzzy Hash: 10F0AC30A0AB2D8FDB65DE14D8557E9B3B1EF55301F4002FAD04DA71A5CF315A858F41

Function 00007FFD9B7EC4A4 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2209c7e53ae65390c278ce013c61fbad55b85bb3b82703401625175af3d1e91
Instruction ID: c1a554c700a1535aa035227198d4cc00223998e82848e8f2cb133d0819ab5bb0
Opcode Fuzzy Hash: a2209c7e53ae65390c278ce013c61fbad55b85bb3b82703401625175af3d1e91
Instruction Fuzzy Hash: 70F0127091855D8FDB44EB2488A5BE9B7B0FF48300F4440F9D44DE7196CE2429858B10

Function 00007FFD9B7EAC31 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08cd66d578c186b2ef829e91e533e554d17ba7889c64e41dffbd8931c345506a
Instruction ID: cca042a4987ad592c797023e13e616fe608b1f3c9c2425adc577ab615a9a68d8
Opcode Fuzzy Hash: 08cd66d578c186b2ef829e91e533e554d17ba7889c64e41dffbd8931c345506a
Instruction Fuzzy Hash: C0E02B3154E3CC0FC7256B7444AB0D9BF70FE46200B4A03DEE089874B3DA0C6646C342

Function 00007FFD9B7E8A51 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 636f2f36517447bb22af43e635a85828a430038ecef5c4993eb28bfa447c0f6b
Instruction ID: 979c8467d63a0138c253f4450e8cb3b42acb7695a41c1e7c176cb42257aefa1e
Opcode Fuzzy Hash: 636f2f36517447bb22af43e635a85828a430038ecef5c4993eb28bfa447c0f6b
Instruction Fuzzy Hash: E3E0DFB220D2814FD3038B688CA15867FF0EE4221832A02E6D480CB426F1149E1BC390

Function 00007FFD9B7E0BC4 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9454aaa6c735368f7264c4ea315bc030333b8fa2f2ea9481ceeb3b1235292384
Instruction ID: de1d67b2308ac435146c4ebde84d9877a9ef5115013d49b2f79f567b36962db7
Opcode Fuzzy Hash: 9454aaa6c735368f7264c4ea315bc030333b8fa2f2ea9481ceeb3b1235292384
Instruction Fuzzy Hash: B1E086B1D1AB4A4EE3D48A684C5E665B7F1EF10641F0001AED00DD61F2EE2025448601

Function 00007FFD9B7E0AF1 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31ec9618e0a5516e6c6ae69b59420f7d08b3cd260b478c2a8467b5a2aa7fe776
Instruction ID: 1dec53860e2a002846d7847f269f763e873b77da8eacca481fa228e0dfca07ae
Opcode Fuzzy Hash: 31ec9618e0a5516e6c6ae69b59420f7d08b3cd260b478c2a8467b5a2aa7fe776
Instruction Fuzzy Hash: 7EC08CB080A6884FC346DB2448AC79CBFF0AF05200B0080DE808AEB530C924254A8B00

Function 00007FFD9B7E8CBD Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1822349444.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f9340111c8c559c57e4f6e85a06c2a85ad815bc5ac91230e71a4a7e1f7c280a
Instruction ID: 2d24121d43170f5946bc2d83e2cad7f41ac8d0eb4bf523865151fade77644c04
Opcode Fuzzy Hash: 8f9340111c8c559c57e4f6e85a06c2a85ad815bc5ac91230e71a4a7e1f7c280a
Instruction Fuzzy Hash:

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report system.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\system.exe.log

C:\Users\user\Desktop\[US]173.254.250.90-Phemedrone-Report.zip

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
system.exe