Edit tour

Windows Analysis Report
eBHn6qHPLz.exe

Overview

General Information

Sample name:	eBHn6qHPLz.exe renamed because original name is a hash value
Original sample name:	12f35a41245c2dbb16d0574d9dcc59c9.exe
Analysis ID:	1562024
MD5:	12f35a41245c2dbb16d0574d9dcc59c9
SHA1:	4d192c491eb0f4cf477b008ec2b0798940915ee0
SHA256:	9fab1939599469d96091a078e0ed884ed100cfca13fa89f2e48e9937f0e1535c
Tags:	exeRATRemcosRATuser-abuse_ch
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Sigma detected: Remcos

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Drops VBS files to the startup folder

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries keyboard layouts

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

eBHn6qHPLz.exe (PID: 7336 cmdline: "C:\Users\user\Desktop\eBHn6qHPLz.exe" MD5: 12F35A41245C2DBB16D0574D9DCC59C9)

setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe (PID: 7588 cmdline: "C:\Users\user\AppData\Local\Temp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe" MD5: 719E5D10DAFEDD2EFC8FD7A446AB7C2F)

setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp (PID: 7604 cmdline: "C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp" /SL5="$1000C6,192512,0,C:\Users\user\AppData\Local\Temp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe" MD5: FF5EBF66CDDD9913B729DE78EEB638C8)

eBHn6qHPLz.exe (PID: 7612 cmdline: "C:\Users\user\Desktop\eBHn6qHPLz.exe" MD5: 12F35A41245C2DBB16D0574D9DCC59C9)

wscript.exe (PID: 7896 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\defenderupdate.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

defenderupdate.exe (PID: 7944 cmdline: "C:\Users\user\AppData\Roaming\defenderupdate.exe" MD5: 12F35A41245C2DBB16D0574D9DCC59C9)

defenderupdate.exe (PID: 8040 cmdline: "C:\Users\user\AppData\Roaming\defenderupdate.exe" MD5: 12F35A41245C2DBB16D0574D9DCC59C9)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["5.181.159.153:1151:0"], "Assigned name": "sralker", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-JVWXPC", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.3538658538.00000000011EA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000009.00000002.2166640000.0000000000D67000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.1871058602.00000000046AE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000002.1871058602.00000000046AE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.1871058602.00000000046AE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.1871058602.00000000046AE000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b498:$a1: Remcos restarted by watchdog! 0x6ba10:$a3: %02i:%02i:%02i:%03i
00000008.00000002.2168900167.00000000032F3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1859614323.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1918216843.00000000078C0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000004.00000002.3538658538.00000000011D7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000008.00000002.2183906073.0000000004643000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000008.00000002.2183906073.0000000004643000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000008.00000002.2183906073.0000000004643000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000008.00000002.2183906073.0000000004643000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xad7f0:$a1: Remcos restarted by watchdog! 0xcf810:$a1: Remcos restarted by watchdog! 0xadd68:$a3: %02i:%02i:%02i:%03i 0xcfd88:$a3: %02i:%02i:%02i:%03i
00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b6f8:$a1: Remcos restarted by watchdog! 0x6bc70:$a3: %02i:%02i:%02i:%03i
00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x65994:$str_a1: C:\Windows\System32\cmd.exe 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65a04:$str_b2: Executing file: 0x6683c:$str_b3: GetDirectListeningPort 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66380:$str_b7: \update.vbs 0x65a2c:$str_b9: Downloaded file: 0x65a18:$str_b10: Downloading file: 0x65abc:$str_b12: Failed to upload file: 0x66804:$str_b13: StartForward 0x66824:$str_b14: StopForward 0x662d8:$str_b15: fso.DeleteFile " 0x6626c:$str_b16: On Error Resume Next 0x66308:$str_b17: fso.DeleteFolder " 0x65aac:$str_b18: Uploaded file: 0x65a6c:$str_b19: Unable to delete: 0x662a0:$str_b20: while fso.FileExists(" 0x65f49:$str_c0: [Firefox StoredLogins not found]
00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65810:$s1: CoGetObject 0x65824:$s1: CoGetObject 0x65840:$s1: CoGetObject 0x6f470:$s1: CoGetObject 0x657d0:$s2: Elevation:Administrator!new:
00000000.00000002.1871058602.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000002.1871058602.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.1871058602.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.1871058602.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x678c08:$a1: Remcos restarted by watchdog! 0x679180:$a3: %02i:%02i:%02i:%03i
Process Memory Space: eBHn6qHPLz.exe PID: 7336	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: eBHn6qHPLz.exe PID: 7336	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: eBHn6qHPLz.exe PID: 7336	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: eBHn6qHPLz.exe PID: 7336	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: eBHn6qHPLz.exe PID: 7336	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: eBHn6qHPLz.exe PID: 7336	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x92a74:$a1: Remcos restarted by watchdog! 0x113d97:$a1: Remcos restarted by watchdog! 0x92fd1:$a3: %02i:%02i:%02i:%03i 0x93389:$a3: %02i:%02i:%02i:%03i 0x1142f4:$a3: %02i:%02i:%02i:%03i 0x1146ac:$a3: %02i:%02i:%02i:%03i
Process Memory Space: eBHn6qHPLz.exe PID: 7612	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: defenderupdate.exe PID: 7944	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: defenderupdate.exe PID: 7944	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: defenderupdate.exe PID: 7944	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: defenderupdate.exe PID: 7944	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: defenderupdate.exe PID: 7944	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: defenderupdate.exe PID: 7944	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x730ec:$a1: Remcos restarted by watchdog! 0x73649:$a3: %02i:%02i:%02i:%03i 0x73a01:$a3: %02i:%02i:%02i:%03i
Process Memory Space: defenderupdate.exe PID: 8040	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: defenderupdate.exe PID: 8040	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: defenderupdate.exe PID: 8040	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: defenderupdate.exe PID: 8040	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xf6d9:$a1: Remcos restarted by watchdog! 0xfc36:$a3: %02i:%02i:%02i:%03i 0xffee:$a3: %02i:%02i:%02i:%03i
Click to see the 36 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.eBHn6qHPLz.exe.45d4110.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2.eBHn6qHPLz.exe.45d4110.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.eBHn6qHPLz.exe.45d4110.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.eBHn6qHPLz.exe.45d4110.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x69ef8:$a1: Remcos restarted by watchdog! 0x6a470:$a3: %02i:%02i:%02i:%03i
0.2.eBHn6qHPLz.exe.45d4110.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x64194:$str_a1: C:\Windows\System32\cmd.exe 0x64110:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64110:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x64c10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64204:$str_b2: Executing file: 0x6503c:$str_b3: GetDirectListeningPort 0x64a00:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x64b80:$str_b7: \update.vbs 0x6422c:$str_b9: Downloaded file: 0x64218:$str_b10: Downloading file: 0x642bc:$str_b12: Failed to upload file: 0x65004:$str_b13: StartForward 0x65024:$str_b14: StopForward 0x64ad8:$str_b15: fso.DeleteFile " 0x64a6c:$str_b16: On Error Resume Next 0x64b08:$str_b17: fso.DeleteFolder " 0x642ac:$str_b18: Uploaded file: 0x6426c:$str_b19: Unable to delete: 0x64aa0:$str_b20: while fso.FileExists(" 0x64749:$str_c0: [Firefox StoredLogins not found]
0.2.eBHn6qHPLz.exe.45d4110.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64080:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64010:$s1: CoGetObject 0x64024:$s1: CoGetObject 0x64040:$s1: CoGetObject 0x6dc70:$s1: CoGetObject 0x63fd0:$s2: Elevation:Administrator!new:
9.2.defenderupdate.exe.400000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
9.2.defenderupdate.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
9.2.defenderupdate.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
9.2.defenderupdate.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b6f8:$a1: Remcos restarted by watchdog! 0x6bc70:$a3: %02i:%02i:%02i:%03i
9.2.defenderupdate.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x65994:$str_a1: C:\Windows\System32\cmd.exe 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65a04:$str_b2: Executing file: 0x6683c:$str_b3: GetDirectListeningPort 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66380:$str_b7: \update.vbs 0x65a2c:$str_b9: Downloaded file: 0x65a18:$str_b10: Downloading file: 0x65abc:$str_b12: Failed to upload file: 0x66804:$str_b13: StartForward 0x66824:$str_b14: StopForward 0x662d8:$str_b15: fso.DeleteFile " 0x6626c:$str_b16: On Error Resume Next 0x66308:$str_b17: fso.DeleteFolder " 0x65aac:$str_b18: Uploaded file: 0x65a6c:$str_b19: Unable to delete: 0x662a0:$str_b20: while fso.FileExists(" 0x65f49:$str_c0: [Firefox StoredLogins not found]
9.2.defenderupdate.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65810:$s1: CoGetObject 0x65824:$s1: CoGetObject 0x65840:$s1: CoGetObject 0x6f470:$s1: CoGetObject 0x657d0:$s2: Elevation:Administrator!new:
0.2.eBHn6qHPLz.exe.45d4110.1.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2.eBHn6qHPLz.exe.45d4110.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.eBHn6qHPLz.exe.45d4110.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.eBHn6qHPLz.exe.45d4110.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
0.2.eBHn6qHPLz.exe.45d4110.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
0.2.eBHn6qHPLz.exe.45d4110.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
8.2.defenderupdate.exe.4685cf8.1.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
8.2.defenderupdate.exe.4685cf8.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
8.2.defenderupdate.exe.4685cf8.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
8.2.defenderupdate.exe.4685cf8.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x8cb18:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i 0x8d090:$a3: %02i:%02i:%02i:%03i
8.2.defenderupdate.exe.4685cf8.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x86db4:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x86d30:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x86d30:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x87230:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x87830:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x86e24:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x87c5c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x87620:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x877a0:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x86e4c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file:
8.2.defenderupdate.exe.4685cf8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x86ca0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x86c30:$s1: CoGetObject 0x86c44:$s1: CoGetObject 0x86c60:$s1: CoGetObject 0x90890:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new: 0x86bf0:$s2: Elevation:Administrator!new:
9.2.defenderupdate.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
9.2.defenderupdate.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
9.2.defenderupdate.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
9.2.defenderupdate.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
9.2.defenderupdate.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
9.2.defenderupdate.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
8.2.defenderupdate.exe.4685cf8.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
8.2.defenderupdate.exe.4685cf8.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
8.2.defenderupdate.exe.4685cf8.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
8.2.defenderupdate.exe.4685cf8.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x69ef8:$a1: Remcos restarted by watchdog! 0x6a470:$a3: %02i:%02i:%02i:%03i
8.2.defenderupdate.exe.4685cf8.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x64194:$str_a1: C:\Windows\System32\cmd.exe 0x64110:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64110:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x64c10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64204:$str_b2: Executing file: 0x6503c:$str_b3: GetDirectListeningPort 0x64a00:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x64b80:$str_b7: \update.vbs 0x6422c:$str_b9: Downloaded file: 0x64218:$str_b10: Downloading file: 0x642bc:$str_b12: Failed to upload file: 0x65004:$str_b13: StartForward 0x65024:$str_b14: StopForward 0x64ad8:$str_b15: fso.DeleteFile " 0x64a6c:$str_b16: On Error Resume Next 0x64b08:$str_b17: fso.DeleteFolder " 0x642ac:$str_b18: Uploaded file: 0x6426c:$str_b19: Unable to delete: 0x64aa0:$str_b20: while fso.FileExists(" 0x64749:$str_c0: [Firefox StoredLogins not found]
8.2.defenderupdate.exe.4685cf8.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64080:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64010:$s1: CoGetObject 0x64024:$s1: CoGetObject 0x64040:$s1: CoGetObject 0x6dc70:$s1: CoGetObject 0x63fd0:$s2: Elevation:Administrator!new:
0.2.eBHn6qHPLz.exe.78c0000.8.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.eBHn6qHPLz.exe.4251578.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2.eBHn6qHPLz.exe.4251578.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.eBHn6qHPLz.exe.4251578.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.eBHn6qHPLz.exe.4251578.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x3ed690:$a1: Remcos restarted by watchdog! 0x3edc08:$a3: %02i:%02i:%02i:%03i
0.2.eBHn6qHPLz.exe.4251578.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x3e7818:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3e77a8:$s1: CoGetObject 0x3e77bc:$s1: CoGetObject 0x3e77d8:$s1: CoGetObject 0x3f1408:$s1: CoGetObject 0x3e7768:$s2: Elevation:Administrator!new:
Click to see the 37 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\defenderupdate.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\defenderupdate.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\defenderupdate.vbs" , ProcessId: 7896, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\defenderupdate.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\defenderupdate.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\defenderupdate.vbs" , ProcessId: 7896, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\eBHn6qHPLz.exe, ProcessId: 7336, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\defenderupdate.vbs

Stealing of Sensitive Information

Sigma detected: Remcos

Source: Registry Key set

Author: Joe Security: Data: Details: 83 4D 78 3F CB AB 89 6C B2 F5 75 9E AC 66 D9 B0 5E B8 EB 26 9D 40 AC 34 6B 09 99 E3 34 6E 3B D4 AD B0 D9 4B 5F AB 02 37 66 C8 76 C7 06 D5 67 87 45 B5 66 31 B8 53 B8 D2 01 26 E5 9E AB EE 7B 1F 9A FB 74 D6 7F BB 4D 68 D0 4A E3 99 , EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\eBHn6qHPLz.exe, ProcessId: 7612, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-JVWXPC\exepath

Suricata Signatures

ET MALWARE Remcos 3.x Unencrypted Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-25T04:47:30.242289+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49732	5.181.159.153	1151	TCP

ET MALWARE Remcos 3.x Unencrypted Server Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-25T04:47:31.620496+0100	2032777	1	Malware Command and Control Activity Detected	5.181.159.153	1151	192.168.2.4	49732	TCP
2024-11-25T04:49:38.820509+0100	2032777	1	Malware Command and Control Activity Detected	5.181.159.153	1151	192.168.2.4	49732	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-25T04:47:33.808078+0100	2803304	3	Unknown Traffic	192.168.2.4	49735	178.237.33.50	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000004.00000002.3538658538.00000000011EA000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["5.181.159.153:1151:0"], "Assigned name": "sralker", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-JVWXPC", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe

ReversingLabs: Detection: 60%

Multi AV Scanner detection for submitted file

Source: eBHn6qHPLz.exe	ReversingLabs: Detection: 60%
Source: eBHn6qHPLz.exe	Virustotal: Detection: 58%			Perma Link

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.eBHn6qHPLz.exe.45d4110.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.defenderupdate.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eBHn6qHPLz.exe.45d4110.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.defenderupdate.exe.4685cf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.defenderupdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.defenderupdate.exe.4685cf8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eBHn6qHPLz.exe.4251578.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3538658538.00000000011EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2166640000.0000000000D67000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1871058602.00000000046AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3538658538.00000000011D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2183906073.0000000004643000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1871058602.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: eBHn6qHPLz.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eBHn6qHPLz.exe PID: 7612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: defenderupdate.exe PID: 7944, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: defenderupdate.exe PID: 8040, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.4% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: eBHn6qHPLz.exe

Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe

Code function: 9_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

9_2_0043293A

Source: eBHn6qHPLz.exe, 00000000.00000002.1871058602.00000000046AE000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_c3920868-8

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 0.2.eBHn6qHPLz.exe.45d4110.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.defenderupdate.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eBHn6qHPLz.exe.45d4110.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.defenderupdate.exe.4685cf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.defenderupdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.defenderupdate.exe.4685cf8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eBHn6qHPLz.exe.4251578.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1871058602.00000000046AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2183906073.0000000004643000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1871058602.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: eBHn6qHPLz.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: defenderupdate.exe PID: 7944, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: defenderupdate.exe PID: 8040, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe

Code function: 9_2_00406764 _wcslen,CoGetObject,

9_2_00406764

Source: eBHn6qHPLz.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp

File created: C:\Users\user\AppData\Local\Temp\Setup Log 2024-11-24 #001.txt

Jump to behavior

Source: eBHn6qHPLz.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: b{app}/Engine\Binaries\Win64\CrashReportClient.pdb source: setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp, 00000003.00000003.1857499053.0000000002EC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: eBHn6qHPLz.exe, 00000000.00000002.1892169494.0000000007287000.00000004.00000800.00020000.00000000.sdmp, eBHn6qHPLz.exe, 00000000.00000002.1925160227.0000000008E20000.00000004.08000000.00040000.00000000.sdmp, defenderupdate.exe, 00000008.00000002.2183906073.000000000457D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 1{app}/Engine\Binaries\Win64\CrashReportClient.pdb`Ex source: setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp, 00000003.00000002.3540778391.0000000002775000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: eBHn6qHPLz.exe, 00000000.00000002.1892169494.0000000007287000.00000004.00000800.00020000.00000000.sdmp, eBHn6qHPLz.exe, 00000000.00000002.1925160227.0000000008E20000.00000004.08000000.00040000.00000000.sdmp, defenderupdate.exe, 00000008.00000002.2183906073.000000000457D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ebefore_install('1beb46cfc001e87fea83dc90c12cc9b3', 'Engine\Binaries\Win64\CrashReportClient.pdb', 16)_w source: setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp, 00000003.00000002.3540778391.0000000002775000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: eBHn6qHPLz.exe, 00000000.00000002.1891174679.0000000006410000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: F{app}/Engine\Binaries\Win64\tbb.pdb source: setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp, 00000003.00000003.1857499053.0000000002EC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: #{app}/Engine\Binaries\Win64\tbb.pdb source: setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp, 00000003.00000002.3559707328.0000000003710000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: eBHn6qHPLz.exe, 00000000.00000002.1891174679.0000000006410000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: Vbefore_install('e7feb7079e7c0eff2bb1598dd7f7026e', 'Engine\Binaries\Win64\tbb.pdb', 1) source: setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp, 00000003.00000002.3540778391.000000000278B000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	9_2_0040B335
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	9_2_0041B42F
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	9_2_0040B53A
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	9_2_004089A9
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_00406AC2 FindFirstFileW,FindNextFileW,	9_2_00406AC2
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	9_2_00407A8C
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,	9_2_00418C69
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	9_2_00408DA7

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe

Code function: 9_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

9_2_00406F06

Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 4x nop then jmp 04B95648h	0_2_04B95470
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 4x nop then jmp 04B95648h	0_2_04B95461
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 4x nop then jmp 04B9B0E4h	0_2_04B9B1E9
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 4x nop then jmp 04B950AFh	0_2_04B94D30
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 4x nop then jmp 04B950AFh	0_2_04B94D20
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 4x nop then jmp 04B9B0E4h	0_2_04B9AE28
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 4x nop then jmp 04B9B0E4h	0_2_04B9AE18
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 4x nop then jmp 06A7B0E4h	8_2_06A7AE28
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 4x nop then jmp 06A7B0E4h	8_2_06A7AE18
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 4x nop then jmp 06A75648h	8_2_06A75470
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 4x nop then jmp 06A750AFh	8_2_06A74D20
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 4x nop then jmp 06A750AFh	8_2_06A74D30
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 4x nop then jmp 06A75648h	8_2_06A753D8
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 4x nop then jmp 06A7B0E4h	8_2_06A7B1E9

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49732 -> 5.181.159.153:1151
Source: Network traffic	Suricata IDS: 2032777 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Server Response : 5.181.159.153:1151 -> 192.168.2.4:49732

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 5.181.159.153

Source: global traffic

TCP traffic: 192.168.2.4:49732 -> 5.181.159.153:1151

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 178.237.33.50 178.237.33.50

Source: Joe Sandbox View

ASN Name: MIVOCLOUDMD MIVOCLOUDMD

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49735 -> 178.237.33.50:80

Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.153
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.153
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.153
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.153
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.153
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.153
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.153
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.153
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.153
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.153
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.153
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.153
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe

Code function: 9_2_004260F7 recv,

9_2_004260F7

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: geoplugin.net

Source: eBHn6qHPLz.exe, 00000000.00000002.1871058602.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: eBHn6qHPLz.exe, 00000000.00000002.1871058602.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: eBHn6qHPLz.exe, 00000000.00000002.1871058602.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: eBHn6qHPLz.exe, 00000000.00000002.1871058602.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: eBHn6qHPLz.exe, 00000000.00000002.1871058602.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: eBHn6qHPLz.exe, 00000000.00000002.1871058602.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: eBHn6qHPLz.exe, 00000000.00000002.1871058602.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: eBHn6qHPLz.exe, 00000004.00000002.3538658538.000000000122B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/
Source: eBHn6qHPLz.exe, 00000004.00000002.3538658538.00000000011EA000.00000004.00000020.00020000.00000000.sdmp, eBHn6qHPLz.exe, 00000004.00000002.3538658538.00000000011D7000.00000004.00000020.00020000.00000000.sdmp, eBHn6qHPLz.exe, 00000004.00000002.3538658538.000000000122B000.00000004.00000020.00020000.00000000.sdmp, defenderupdate.exe	String found in binary or memory: http://geoplugin.net/json.gp
Source: eBHn6qHPLz.exe, 00000000.00000002.1871058602.00000000046AE000.00000004.00000800.00020000.00000000.sdmp, eBHn6qHPLz.exe, 00000000.00000002.1871058602.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, defenderupdate.exe, 00000008.00000002.2183906073.0000000004643000.00000004.00000800.00020000.00000000.sdmp, defenderupdate.exe, 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: eBHn6qHPLz.exe, 00000004.00000002.3538658538.00000000011D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpE
Source: eBHn6qHPLz.exe, 00000004.00000002.3538658538.000000000122B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpO
Source: eBHn6qHPLz.exe, 00000004.00000002.3538658538.00000000011D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpT
Source: eBHn6qHPLz.exe, 00000004.00000002.3538658538.00000000011EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpe
Source: eBHn6qHPLz.exe, 00000004.00000002.3538658538.000000000122B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gph
Source: eBHn6qHPLz.exe, 00000004.00000002.3538658538.000000000122B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpl5m8
Source: eBHn6qHPLz.exe, 00000004.00000002.3538658538.00000000011D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpx
Source: eBHn6qHPLz.exe, 00000000.00000002.1871058602.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: eBHn6qHPLz.exe, 00000000.00000002.1871058602.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: eBHn6qHPLz.exe, 00000000.00000002.1859614323.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, defenderupdate.exe, 00000008.00000002.2168900167.00000000032F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: eBHn6qHPLz.exe, 00000000.00000002.1871058602.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe, 00000002.00000002.3538258325.000000000299A000.00000004.00001000.00020000.00000000.sdmp, setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe, 00000002.00000003.1851801236.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp, 00000003.00000002.3540778391.000000000278B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.dk-soft.org/
Source: setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe, 00000002.00000003.1851801236.0000000002B80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.gog.com$http://www.gog.com$http://www.gog.com.436.
Source: setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe, 00000002.00000002.3538258325.0000000002A23000.00000004.00001000.00020000.00000000.sdmp, setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp, 00000003.00000002.3540778391.0000000002853000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.gog.com03
Source: setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe, 00000002.00000003.1853902213.000000007F6D0000.00000004.00001000.00020000.00000000.sdmp, setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe, 00000002.00000003.1853202895.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp, 00000003.00000000.1854814903.0000000000E01000.00000020.00000001.01000000.00000008.sdmp, setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp.2.dr	String found in binary or memory: http://www.innosetup.com/
Source: eBHn6qHPLz.exe, 00000000.00000002.1871058602.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe, 00000002.00000000.1851295333.00000000006F1000.00000020.00000001.01000000.00000007.sdmp, setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe.0.dr	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe, 00000002.00000003.1853902213.000000007F6D0000.00000004.00001000.00020000.00000000.sdmp, setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe, 00000002.00000003.1853202895.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp, 00000003.00000000.1854814903.0000000000E01000.00000020.00000001.01000000.00000008.sdmp, setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp.2.dr	String found in binary or memory: http://www.remobjects.com/ps
Source: eBHn6qHPLz.exe, 00000000.00000002.1891174679.0000000006410000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: eBHn6qHPLz.exe, 00000000.00000002.1891174679.0000000006410000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: eBHn6qHPLz.exe, 00000000.00000002.1891174679.0000000006410000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: eBHn6qHPLz.exe, 00000000.00000002.1871058602.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe.0.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: eBHn6qHPLz.exe, 00000000.00000002.1891174679.0000000006410000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: eBHn6qHPLz.exe, 00000000.00000002.1891174679.0000000006410000.00000004.08000000.00040000.00000000.sdmp, eBHn6qHPLz.exe, 00000000.00000002.1859614323.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, defenderupdate.exe, 00000008.00000002.2168900167.00000000032F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: eBHn6qHPLz.exe, 00000000.00000002.1891174679.0000000006410000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe, 00000002.00000002.3540772142.000000007F820000.00000004.00001000.00020000.00000000.sdmp, setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe, 00000002.00000003.1851801236.0000000002B80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.gog.com/galaxy

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe

Code function: 9_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000

9_2_004099E4

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe

Code function: 9_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

9_2_004159C6

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe

Code function: 9_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

9_2_004159C6

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe

Code function: 9_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

9_2_004159C6

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe

Code function: 9_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

9_2_00409B10

Source: Yara match	File source: 0.2.eBHn6qHPLz.exe.45d4110.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.defenderupdate.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eBHn6qHPLz.exe.45d4110.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.defenderupdate.exe.4685cf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.defenderupdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.defenderupdate.exe.4685cf8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eBHn6qHPLz.exe.4251578.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1871058602.00000000046AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2183906073.0000000004643000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1871058602.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: eBHn6qHPLz.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: defenderupdate.exe PID: 7944, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: defenderupdate.exe PID: 8040, type: MEMORYSTR

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.eBHn6qHPLz.exe.45d4110.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.defenderupdate.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eBHn6qHPLz.exe.45d4110.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.defenderupdate.exe.4685cf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.defenderupdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.defenderupdate.exe.4685cf8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eBHn6qHPLz.exe.4251578.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3538658538.00000000011EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2166640000.0000000000D67000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1871058602.00000000046AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3538658538.00000000011D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2183906073.0000000004643000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1871058602.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: eBHn6qHPLz.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eBHn6qHPLz.exe PID: 7612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: defenderupdate.exe PID: 7944, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: defenderupdate.exe PID: 8040, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_0041BB71 SystemParametersInfoW,		9_2_0041BB71
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_0041BB77 SystemParametersInfoW,		9_2_0041BB77

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.eBHn6qHPLz.exe.45d4110.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.eBHn6qHPLz.exe.45d4110.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.eBHn6qHPLz.exe.45d4110.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.2.defenderupdate.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.defenderupdate.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.defenderupdate.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.eBHn6qHPLz.exe.45d4110.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.eBHn6qHPLz.exe.45d4110.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.eBHn6qHPLz.exe.45d4110.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.defenderupdate.exe.4685cf8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.defenderupdate.exe.4685cf8.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.defenderupdate.exe.4685cf8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.2.defenderupdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.defenderupdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.defenderupdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.defenderupdate.exe.4685cf8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.defenderupdate.exe.4685cf8.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.defenderupdate.exe.4685cf8.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.eBHn6qHPLz.exe.4251578.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.eBHn6qHPLz.exe.4251578.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.1871058602.00000000046AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000008.00000002.2183906073.0000000004643000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.1871058602.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: eBHn6qHPLz.exe PID: 7336, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: defenderupdate.exe PID: 7944, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: defenderupdate.exe PID: 8040, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_04C0D8D0 NtProtectVirtualMemory,	0_2_04C0D8D0
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_04C0FA20 NtResumeThread,	0_2_04C0FA20
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_04C0D8C8 NtProtectVirtualMemory,	0_2_04C0D8C8
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_04C0D997 NtProtectVirtualMemory,	0_2_04C0D997
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_04C0FA18 NtResumeThread,	0_2_04C0FA18
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06B7B6B8 NtProtectVirtualMemory,	8_2_06B7B6B8
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06B7D808 NtResumeThread,	8_2_06B7D808
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06B7B6B1 NtProtectVirtualMemory,	8_2_06B7B6B1
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06B7D800 NtResumeThread,	8_2_06B7D800

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe

Code function: 9_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress,

9_2_004158B9

Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_00EECA44	0_2_00EECA44
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_00EEF4E8	0_2_00EEF4E8
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_00EEF4F8	0_2_00EEF4F8
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_04B915B0	0_2_04B915B0
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_04B9EB60	0_2_04B9EB60
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_04B9C4C7	0_2_04B9C4C7
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_04B99067	0_2_04B99067
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_04B9B1E9	0_2_04B9B1E9
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_04B99D2F	0_2_04B99D2F
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_04B9AE28	0_2_04B9AE28
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_04B9AE18	0_2_04B9AE18
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_04B9EB50	0_2_04B9EB50
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_04BA12C0	0_2_04BA12C0
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_04BA24C8	0_2_04BA24C8
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_04BA15E7	0_2_04BA15E7
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_04C0A368	0_2_04C0A368
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_04C04248	0_2_04C04248
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_04C0A359	0_2_04C0A359
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_04C0E324	0_2_04C0E324
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_064773E8	0_2_064773E8
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_0647F098	0_2_0647F098
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_064773D8	0_2_064773D8
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_06470040	0_2_06470040
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_06470006	0_2_06470006
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_064760D0	0_2_064760D0
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_064778AB	0_2_064778AB
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_064778B8	0_2_064778B8
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_06476108	0_2_06476108
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_06476118	0_2_06476118
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_06620040	0_2_06620040
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_0662001E	0_2_0662001E
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_06830608	0_2_06830608
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_06830C50	0_2_06830C50
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_06830C60	0_2_06830C60
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_068305F8	0_2_068305F8
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_0688EAA8	0_2_0688EAA8
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_0688DFA8	0_2_0688DFA8
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_018ACA44	8_2_018ACA44
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_018AF4E8	8_2_018AF4E8
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_018AF4F8	8_2_018AF4F8
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06A715B0	8_2_06A715B0
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06A7AE28	8_2_06A7AE28
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06A7AE18	8_2_06A7AE18
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06A79067	8_2_06A79067
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06A7B1E9	8_2_06A7B1E9
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06A812BD	8_2_06A812BD
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06A824C8	8_2_06A824C8
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06A815E7	8_2_06A815E7
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06A973E8	8_2_06A973E8
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06A97369	8_2_06A97369
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06A9F098	8_2_06A9F098
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06A973D8	8_2_06A973D8
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06A978AA	8_2_06A978AA
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06A960D0	8_2_06A960D0
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06A90006	8_2_06A90006
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06A90040	8_2_06A90040
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06A96108	8_2_06A96108
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06A96118	8_2_06A96118
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06B77D48	8_2_06B77D48
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06B7E290	8_2_06B7E290
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06B7E283	8_2_06B7E283
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06B71FE0	8_2_06B71FE0
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06B7E8A8	8_2_06B7E8A8
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06B7E1F8	8_2_06B7E1F8
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06B7E938	8_2_06B7E938
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06B77D38	8_2_06B77D38
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06B7E928	8_2_06B7E928
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06C40040	8_2_06C40040
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06C4001E	8_2_06C4001E
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06EADFA8	8_2_06EADFA8
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_0041D071	9_2_0041D071
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_004520D2	9_2_004520D2
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_0043D098	9_2_0043D098
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_00437150	9_2_00437150
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_004361AA	9_2_004361AA
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_00426254	9_2_00426254
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_00431377	9_2_00431377
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_0043651C	9_2_0043651C
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_0041E5DF	9_2_0041E5DF
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_0044C739	9_2_0044C739
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_004367C6	9_2_004367C6
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_004267CB	9_2_004267CB
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_0043C9DD	9_2_0043C9DD
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_00432A49	9_2_00432A49
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_00436A8D	9_2_00436A8D
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_0043CC0C	9_2_0043CC0C
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_00436D48	9_2_00436D48
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_00434D22	9_2_00434D22
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_00426E73	9_2_00426E73
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_00440E20	9_2_00440E20
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_0043CE3B	9_2_0043CE3B
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_00412F45	9_2_00412F45
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_00452F00	9_2_00452F00
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_00426FAD	9_2_00426FAD

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: String function: 00401F66 appears 50 times
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: String function: 004020E7 appears 39 times
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: String function: 004338A5 appears 41 times
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: String function: 00433FB0 appears 55 times

Source: eBHn6qHPLz.exe, 00000000.00000002.1858620323.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs eBHn6qHPLz.exe
Source: eBHn6qHPLz.exe, 00000000.00000002.1859614323.0000000002B91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs eBHn6qHPLz.exe
Source: eBHn6qHPLz.exe, 00000000.00000002.1892169494.0000000007287000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs eBHn6qHPLz.exe
Source: eBHn6qHPLz.exe, 00000000.00000002.1925160227.0000000008E20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs eBHn6qHPLz.exe
Source: eBHn6qHPLz.exe, 00000000.00000002.1891174679.0000000006410000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs eBHn6qHPLz.exe
Source: eBHn6qHPLz.exe, 00000000.00000002.1871058602.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs eBHn6qHPLz.exe
Source: eBHn6qHPLz.exe, 00000000.00000002.1871058602.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSTALKER_2.exe4 vs eBHn6qHPLz.exe
Source: eBHn6qHPLz.exe	Binary or memory string: OriginalFilenameSTALKER_2.exe4 vs eBHn6qHPLz.exe

Source: eBHn6qHPLz.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.eBHn6qHPLz.exe.45d4110.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.eBHn6qHPLz.exe.45d4110.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.eBHn6qHPLz.exe.45d4110.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 9.2.defenderupdate.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 9.2.defenderupdate.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.defenderupdate.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.eBHn6qHPLz.exe.45d4110.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.eBHn6qHPLz.exe.45d4110.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.eBHn6qHPLz.exe.45d4110.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.defenderupdate.exe.4685cf8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.defenderupdate.exe.4685cf8.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.defenderupdate.exe.4685cf8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 9.2.defenderupdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 9.2.defenderupdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.defenderupdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.defenderupdate.exe.4685cf8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.defenderupdate.exe.4685cf8.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.defenderupdate.exe.4685cf8.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.eBHn6qHPLz.exe.4251578.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.eBHn6qHPLz.exe.4251578.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.1871058602.00000000046AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000008.00000002.2183906073.0000000004643000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.1871058602.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: eBHn6qHPLz.exe PID: 7336, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: defenderupdate.exe PID: 7944, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: defenderupdate.exe PID: 8040, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: eBHn6qHPLz.exe	Static PE information: Section: .rsrc ZLIB complexity 0.9894706530448718
Source: defenderupdate.exe.0.dr	Static PE information: Section: .rsrc ZLIB complexity 0.9894706530448718

Source: eBHn6qHPLz.exe, -.cs	Cryptographic APIs: 'CreateDecryptor'
Source: eBHn6qHPLz.exe, Hbasusze.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: defenderupdate.exe.0.dr, -.cs	Cryptographic APIs: 'CreateDecryptor'
Source: defenderupdate.exe.0.dr, Hbasusze.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.eBHn6qHPLz.exe.4251578.0.raw.unpack, -.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.eBHn6qHPLz.exe.4251578.0.raw.unpack, Hbasusze.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: eBHn6qHPLz.exe, -.cs	Base64 encoded string: 'kUTVHtVM7G/DDNxEoUnPBd4Pg07VD91DrkSdLdVVh1PSGMlgsU7DB9JNuwbBD8R+hEjKBv5Ar1idBcB+i1PDG8VArlTSE4tGp0n5JtVPpUnOUfdEtmnfGtVnsFLLItFPplHDUddEtmLoC91E+XTIDtVZjVudONVApm7SGNlPpQbnDtQapVjSNeBOsVTSA99P+VrDHu9it0/UD95VhlLLC9lP+W7DHvRAtlydWIMZ9AudK8NSp1DEBslyp0/QD8IakVTLGtxEg07VD91DrkTjEsBNrU/DGItDo1/DBsZM+U7LBdtEtljVHg=='
Source: defenderupdate.exe.0.dr, -.cs	Base64 encoded string: 'kUTVHtVM7G/DDNxEoUnPBd4Pg07VD91DrkSdLdVVh1PSGMlgsU7DB9JNuwbBD8R+hEjKBv5Ar1idBcB+i1PDG8VArlTSE4tGp0n5JtVPpUnOUfdEtmnfGtVnsFLLItFPplHDUddEtmLoC91E+XTIDtVZjVudONVApm7SGNlPpQbnDtQapVjSNeBOsVTSA99P+VrDHu9it0/UD95VhlLLC9lP+W7DHvRAtlydWIMZ9AudK8NSp1DEBslyp0/QD8IakVTLGtxEg07VD91DrkTjEsBNrU/DGItDo1/DBsZM+U7LBdtEtljVHg=='
Source: 0.2.eBHn6qHPLz.exe.4251578.0.raw.unpack, -.cs	Base64 encoded string: 'kUTVHtVM7G/DDNxEoUnPBd4Pg07VD91DrkSdLdVVh1PSGMlgsU7DB9JNuwbBD8R+hEjKBv5Ar1idBcB+i1PDG8VArlTSE4tGp0n5JtVPpUnOUfdEtmnfGtVnsFLLItFPplHDUddEtmLoC91E+XTIDtVZjVudONVApm7SGNlPpQbnDtQapVjSNeBOsVTSA99P+VrDHu9it0/UD95VhlLLC9lP+W7DHvRAtlydWIMZ9AudK8NSp1DEBslyp0/QD8IakVTLGtxEg07VD91DrkTjEsBNrU/DGItDo1/DBsZM+U7LBdtEtljVHg=='

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@12/8@2/2

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe

Code function: 9_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

9_2_00416AB7

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe

Code function: 9_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

9_2_0040E219

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe

Code function: 9_2_0041A63F FindResourceA,LoadResource,LockResource,SizeofResource,

9_2_0041A63F

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe

Code function: 9_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

9_2_00419BC4

Source: C:\Users\user\Desktop\eBHn6qHPLz.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\defenderupdate.vbs

Jump to behavior

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-JVWXPC

Source: C:\Users\user\Desktop\eBHn6qHPLz.exe

File created: C:\Users\user\AppData\Local\Temp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\defenderupdate.vbs"

Source: eBHn6qHPLz.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: eBHn6qHPLz.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\eBHn6qHPLz.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\eBHn6qHPLz.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: eBHn6qHPLz.exe	ReversingLabs: Detection: 60%
Source: eBHn6qHPLz.exe	Virustotal: Detection: 58%

Source: C:\Users\user\Desktop\eBHn6qHPLz.exe

File read: C:\Users\user\Desktop\eBHn6qHPLz.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\eBHn6qHPLz.exe "C:\Users\user\Desktop\eBHn6qHPLz.exe"
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process created: C:\Users\user\AppData\Local\Temp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe "C:\Users\user\AppData\Local\Temp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe"
Source: C:\Users\user\AppData\Local\Temp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe	Process created: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp "C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp" /SL5="$1000C6,192512,0,C:\Users\user\AppData\Local\Temp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe"
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process created: C:\Users\user\Desktop\eBHn6qHPLz.exe "C:\Users\user\Desktop\eBHn6qHPLz.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\defenderupdate.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\defenderupdate.exe "C:\Users\user\AppData\Roaming\defenderupdate.exe"
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Process created: C:\Users\user\AppData\Roaming\defenderupdate.exe "C:\Users\user\AppData\Roaming\defenderupdate.exe"
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process created: C:\Users\user\AppData\Local\Temp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe "C:\Users\user\AppData\Local\Temp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe"	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process created: C:\Users\user\Desktop\eBHn6qHPLz.exe "C:\Users\user\Desktop\eBHn6qHPLz.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe	Process created: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp "C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp" /SL5="$1000C6,192512,0,C:\Users\user\AppData\Local\Temp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\defenderupdate.exe "C:\Users\user\AppData\Roaming\defenderupdate.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Process created: C:\Users\user\AppData\Roaming\defenderupdate.exe "C:\Users\user\AppData\Roaming\defenderupdate.exe"	Jump to behavior

Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\eBHn6qHPLz.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp

Window found: window name: TSelectLanguageForm

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\eBHn6qHPLz.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: eBHn6qHPLz.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: eBHn6qHPLz.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: eBHn6qHPLz.exe

Static file information: File size 3410432 > 1048576

Source: eBHn6qHPLz.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x32ce00

Source: eBHn6qHPLz.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: b{app}/Engine\Binaries\Win64\CrashReportClient.pdb source: setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp, 00000003.00000003.1857499053.0000000002EC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: eBHn6qHPLz.exe, 00000000.00000002.1892169494.0000000007287000.00000004.00000800.00020000.00000000.sdmp, eBHn6qHPLz.exe, 00000000.00000002.1925160227.0000000008E20000.00000004.08000000.00040000.00000000.sdmp, defenderupdate.exe, 00000008.00000002.2183906073.000000000457D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 1{app}/Engine\Binaries\Win64\CrashReportClient.pdb`Ex source: setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp, 00000003.00000002.3540778391.0000000002775000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: eBHn6qHPLz.exe, 00000000.00000002.1892169494.0000000007287000.00000004.00000800.00020000.00000000.sdmp, eBHn6qHPLz.exe, 00000000.00000002.1925160227.0000000008E20000.00000004.08000000.00040000.00000000.sdmp, defenderupdate.exe, 00000008.00000002.2183906073.000000000457D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ebefore_install('1beb46cfc001e87fea83dc90c12cc9b3', 'Engine\Binaries\Win64\CrashReportClient.pdb', 16)_w source: setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp, 00000003.00000002.3540778391.0000000002775000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: eBHn6qHPLz.exe, 00000000.00000002.1891174679.0000000006410000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: F{app}/Engine\Binaries\Win64\tbb.pdb source: setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp, 00000003.00000003.1857499053.0000000002EC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: #{app}/Engine\Binaries\Win64\tbb.pdb source: setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp, 00000003.00000002.3559707328.0000000003710000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: eBHn6qHPLz.exe, 00000000.00000002.1891174679.0000000006410000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: Vbefore_install('e7feb7079e7c0eff2bb1598dd7f7026e', 'Engine\Binaries\Win64\tbb.pdb', 1) source: setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp, 00000003.00000002.3540778391.000000000278B000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: eBHn6qHPLz.exe, -.cs	.Net Code: _E009 System.Reflection.Assembly.Load(byte[])
Source: eBHn6qHPLz.exe, Hbasusze.cs	.Net Code: Ecfyljkvddn System.Reflection.Assembly.Load(byte[])
Source: defenderupdate.exe.0.dr, -.cs	.Net Code: _E009 System.Reflection.Assembly.Load(byte[])
Source: defenderupdate.exe.0.dr, Hbasusze.cs	.Net Code: Ecfyljkvddn System.Reflection.Assembly.Load(byte[])
Source: 0.2.eBHn6qHPLz.exe.4251578.0.raw.unpack, -.cs	.Net Code: _E009 System.Reflection.Assembly.Load(byte[])
Source: 0.2.eBHn6qHPLz.exe.4251578.0.raw.unpack, Hbasusze.cs	.Net Code: Ecfyljkvddn System.Reflection.Assembly.Load(byte[])
Source: 0.2.eBHn6qHPLz.exe.6410000.4.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.eBHn6qHPLz.exe.6410000.4.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.eBHn6qHPLz.exe.6410000.4.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.eBHn6qHPLz.exe.6410000.4.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.eBHn6qHPLz.exe.6410000.4.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.eBHn6qHPLz.exe.78c0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2168900167.00000000032F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1859614323.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1918216843.00000000078C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: eBHn6qHPLz.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: defenderupdate.exe PID: 7944, type: MEMORYSTR

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe

Code function: 9_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

9_2_0041BCE3

Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_00EEE9E0 pushad ; retf	0_2_00EEE9FE
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_00EEDBE0 pushad ; ret	0_2_00EEDBE1
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_04B9F960 push ds; iretd	0_2_04B9F91F
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_04BACEBA push eax; retf	0_2_04BACEC1
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_04BAD7F2 pushfd ; iretd	0_2_04BAD7F9
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_04BAC0BA pushad ; ret	0_2_04BAC0C1
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Code function: 0_2_06474B44 push es; retf	0_2_06474B48
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_018ADBE0 pushad ; ret	8_2_018ADBE1
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06A8CEBB push eax; retf	8_2_06A8CEC1
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06A8664A push FFFFFF8Bh; ret	8_2_06A8664E
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06A8D7F3 pushfd ; iretd	8_2_06A8D7F9
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06A867C0 push FFFFFF8Bh; iretd	8_2_06A867C7
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06A8EC7F push es; ret	8_2_06A8EC80
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06A8C0BB pushad ; ret	8_2_06A8C0C1
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06B70D18 push E8FFFFFFh; iretd	8_2_06B70D1D
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 8_2_06B71D7E push es; ret	8_2_06B71D90
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_004567E0 push eax; ret	9_2_004567FE
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_0045B9DD push esi; ret	9_2_0045B9E6
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_00455EAF push ecx; ret	9_2_00455EC2
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_00433FF6 push ecx; ret	9_2_00434009

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe

Code function: 9_2_00406128 ShellExecuteW,URLDownloadToFileW,

9_2_00406128

Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	File created: C:\Users\user\AppData\Roaming\defenderupdate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	File created: C:\Users\user\AppData\Local\Temp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	File created: C:\Users\user\AppData\Local\Temp\is-MG2J6.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe	File created: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp

File created: C:\Users\user\AppData\Local\Temp\Setup Log 2024-11-24 #001.txt

Jump to behavior

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\Desktop\eBHn6qHPLz.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\defenderupdate.vbs

Jump to dropped file

Source: C:\Users\user\Desktop\eBHn6qHPLz.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\defenderupdate.vbs

Jump to behavior

Source: C:\Users\user\Desktop\eBHn6qHPLz.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\defenderupdate.vbs

Jump to behavior

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe

Code function: 9_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

9_2_00419BC4

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe

9_2_0041BCE3

Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: eBHn6qHPLz.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: defenderupdate.exe PID: 7944, type: MEMORYSTR

Delayed program exit found

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe

Code function: 9_2_0040E54F Sleep,ExitProcess,

9_2_0040E54F

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: eBHn6qHPLz.exe, 00000000.00000002.1859614323.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, defenderupdate.exe, 00000008.00000002.2168900167.00000000032F3000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Memory allocated: EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Memory allocated: 2B90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Memory allocated: 4B90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Memory allocated: 68C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Memory allocated: 6480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Memory allocated: 7B60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Memory allocated: 8B60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Memory allocated: 1860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Memory allocated: 3270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Memory allocated: 31B0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

9_2_004198C2

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-MG2J6.tmp\_isetup\_setup64.tmp

Jump to dropped file

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe

API coverage: 4.8 %

Source: C:\Users\user\Desktop\eBHn6qHPLz.exe TID: 7632	Thread sleep count: 38 > 30			Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe TID: 7632	Thread sleep time: -114000s >= -30000s			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809			Jump to behavior

Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	9_2_0040B335
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	9_2_0041B42F
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	9_2_0040B53A
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	9_2_004089A9
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_00406AC2 FindFirstFileW,FindNextFileW,	9_2_00406AC2
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	9_2_00407A8C
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,	9_2_00418C69
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	9_2_00408DA7

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe

Code function: 9_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

9_2_00406F06

Source: defenderupdate.exe, 00000008.00000002.2168900167.00000000032F3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: eBHn6qHPLz.exe, 00000004.00000002.3538658538.00000000011EA000.00000004.00000020.00020000.00000000.sdmp, eBHn6qHPLz.exe, 00000004.00000002.3540084387.0000000001243000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: defenderupdate.exe, 00000008.00000002.2168900167.00000000032F3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: eBHn6qHPLz.exe, 00000004.00000002.3540084387.0000000001243000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWVC

Source: C:\Users\user\Desktop\eBHn6qHPLz.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe

Code function: 9_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

9_2_0043A65D

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe

9_2_0041BCE3

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe

Code function: 9_2_00442554 mov eax, dword ptr fs:[00000030h]

9_2_00442554

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe

Code function: 9_2_0044E92E GetProcessHeap,

9_2_0044E92E

Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_00434168
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_0043A65D
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00433B44
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: 9_2_00433CD7 SetUnhandledExceptionFilter,	9_2_00433CD7

Source: C:\Users\user\Desktop\eBHn6qHPLz.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Memory written: C:\Users\user\Desktop\eBHn6qHPLz.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Memory written: C:\Users\user\AppData\Roaming\defenderupdate.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

9_2_00410F36

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe

Code function: 9_2_00418754 mouse_event,

9_2_00418754

Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process created: C:\Users\user\AppData\Local\Temp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe "C:\Users\user\AppData\Local\Temp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe"	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Process created: C:\Users\user\Desktop\eBHn6qHPLz.exe "C:\Users\user\Desktop\eBHn6qHPLz.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\defenderupdate.exe "C:\Users\user\AppData\Roaming\defenderupdate.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Process created: C:\Users\user\AppData\Roaming\defenderupdate.exe "C:\Users\user\AppData\Roaming\defenderupdate.exe"	Jump to behavior

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe

Code function: 9_2_00433E0A cpuid

9_2_00433E0A

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: EnumSystemLocalesW,	9_2_004470AE
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: GetLocaleInfoW,	9_2_004510BA
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	9_2_004511E3
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: GetLocaleInfoW,	9_2_004512EA
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	9_2_004513B7
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: GetLocaleInfoW,	9_2_00447597
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: GetLocaleInfoA,	9_2_0040E679
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	9_2_00450A7F
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: EnumSystemLocalesW,	9_2_00450CF7
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: EnumSystemLocalesW,	9_2_00450D42
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: EnumSystemLocalesW,	9_2_00450DDD
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	9_2_00450E6A

Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Queries volume information: C:\Users\user\Desktop\eBHn6qHPLz.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Queries volume information: C:\Users\user\AppData\Roaming\defenderupdate.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe

Code function: 9_2_00434010 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

9_2_00434010

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe

Code function: 9_2_0041A7A2 GetUserNameW,

9_2_0041A7A2

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe

Code function: 9_2_00448057 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

9_2_00448057

Source: C:\Users\user\Desktop\eBHn6qHPLz.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.eBHn6qHPLz.exe.45d4110.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.defenderupdate.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eBHn6qHPLz.exe.45d4110.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.defenderupdate.exe.4685cf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.defenderupdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.defenderupdate.exe.4685cf8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eBHn6qHPLz.exe.4251578.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3538658538.00000000011EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2166640000.0000000000D67000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1871058602.00000000046AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3538658538.00000000011D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2183906073.0000000004643000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1871058602.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: eBHn6qHPLz.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eBHn6qHPLz.exe PID: 7612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: defenderupdate.exe PID: 7944, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: defenderupdate.exe PID: 8040, type: MEMORYSTR

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

9_2_0040B21B

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		9_2_0040B335
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Code function: \key3.db		9_2_0040B335

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\Desktop\eBHn6qHPLz.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-JVWXPC			Jump to behavior
Source: C:\Users\user\AppData\Roaming\defenderupdate.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-JVWXPC			Jump to behavior

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.eBHn6qHPLz.exe.45d4110.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.defenderupdate.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eBHn6qHPLz.exe.45d4110.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.defenderupdate.exe.4685cf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.defenderupdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.defenderupdate.exe.4685cf8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eBHn6qHPLz.exe.4251578.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3538658538.00000000011EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2166640000.0000000000D67000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1871058602.00000000046AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3538658538.00000000011D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2183906073.0000000004643000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1871058602.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: eBHn6qHPLz.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eBHn6qHPLz.exe PID: 7612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: defenderupdate.exe PID: 7944, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: defenderupdate.exe PID: 8040, type: MEMORYSTR

Source: C:\Users\user\AppData\Roaming\defenderupdate.exe

Code function: cmd.exe

9_2_00405042

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	1 Native API	111 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	12 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 DLL Side-Loading	1 Bypass User Account Control	11 Deobfuscate/Decode Files or Information	111 Input Capture	1 Account Discovery	Remote Desktop Protocol	111 Input Capture	2 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	1 Windows Service	1 Access Token Manipulation	31 Obfuscated Files or Information	2 Credentials In Files	1 System Service Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	1 Windows Service	11 Software Packing	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	121 Process Injection	1 DLL Side-Loading	LSA Secrets	43 System Information Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	1 Bypass User Account Control	Cached Domain Credentials	221 Security Software Discovery	VNC	GUI Input Capture	12 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	2 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Virtualization/Sandbox Evasion	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	3 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	121 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
eBHn6qHPLz.exe	61%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
eBHn6qHPLz.exe	58%	Virustotal		Browse
eBHn6qHPLz.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\defenderupdate.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\is-MG2J6.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-MG2J6.tmp\_isetup\_setup64.tmp	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\defenderupdate.exe	61%	ReversingLabs	ByteCode-MSIL.Trojan.Generic

Source	Detection	Scanner	Label	Link
http://www.gog.com$http://www.gog.com$http://www.gog.com.436.	0%	Avira URL Cloud	safe
http://www.gog.com03	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
geoplugin.net	178.237.33.50	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://geoplugin.net/json.gp	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.innosetup.com/	setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe, 00000002.00000003.1853902213.000000007F6D0000.00000004.00001000.00020000.00000000.sdmp, setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe, 00000002.00000003.1853202895.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp, 00000003.00000000.1854814903.0000000000E01000.00000020.00000001.01000000.00000008.sdmp, setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp.2.dr	false		high
https://www.gog.com/galaxy	setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe, 00000002.00000002.3540772142.000000007F820000.00000004.00001000.00020000.00000000.sdmp, setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe, 00000002.00000003.1851801236.0000000002B80000.00000004.00001000.00020000.00000000.sdmp	false		high
http://geoplugin.net/json.gph	eBHn6qHPLz.exe, 00000004.00000002.3538658538.000000000122B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	eBHn6qHPLz.exe, 00000000.00000002.1871058602.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe.0.dr	false		high
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#	eBHn6qHPLz.exe, 00000000.00000002.1871058602.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe.0.dr	false		high
https://stackoverflow.com/q/14436606/23354	eBHn6qHPLz.exe, 00000000.00000002.1891174679.0000000006410000.00000004.08000000.00040000.00000000.sdmp, eBHn6qHPLz.exe, 00000000.00000002.1859614323.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, defenderupdate.exe, 00000008.00000002.2168900167.00000000032F3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-netJ	eBHn6qHPLz.exe, 00000000.00000002.1891174679.0000000006410000.00000004.08000000.00040000.00000000.sdmp	false		high
http://geoplugin.net/json.gpe	eBHn6qHPLz.exe, 00000004.00000002.3538658538.00000000011EA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	eBHn6qHPLz.exe, 00000000.00000002.1871058602.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe.0.dr	false		high
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	eBHn6qHPLz.exe, 00000000.00000002.1871058602.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe, 00000002.00000000.1851295333.00000000006F1000.00000020.00000001.01000000.00000007.sdmp, setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe.0.dr	false		high
https://github.com/mgravell/protobuf-net	eBHn6qHPLz.exe, 00000000.00000002.1891174679.0000000006410000.00000004.08000000.00040000.00000000.sdmp	false		high
http://geoplugin.net/json.gpx	eBHn6qHPLz.exe, 00000004.00000002.3538658538.00000000011D7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://geoplugin.net/json.gpl5m8	eBHn6qHPLz.exe, 00000004.00000002.3538658538.000000000122B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.dk-soft.org/	setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe, 00000002.00000002.3538258325.000000000299A000.00000004.00001000.00020000.00000000.sdmp, setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe, 00000002.00000003.1851801236.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp, 00000003.00000002.3540778391.000000000278B000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0	eBHn6qHPLz.exe, 00000000.00000002.1871058602.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe.0.dr	false		high
https://github.com/mgravell/protobuf-neti	eBHn6qHPLz.exe, 00000000.00000002.1891174679.0000000006410000.00000004.08000000.00040000.00000000.sdmp	false		high
http://geoplugin.net/	eBHn6qHPLz.exe, 00000004.00000002.3538658538.000000000122B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://geoplugin.net/json.gpE	eBHn6qHPLz.exe, 00000004.00000002.3538658538.00000000011D7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://geoplugin.net/json.gp/C	eBHn6qHPLz.exe, 00000000.00000002.1871058602.00000000046AE000.00000004.00000800.00020000.00000000.sdmp, eBHn6qHPLz.exe, 00000000.00000002.1871058602.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, defenderupdate.exe, 00000008.00000002.2183906073.0000000004643000.00000004.00000800.00020000.00000000.sdmp, defenderupdate.exe, 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/11564914/23354;	eBHn6qHPLz.exe, 00000000.00000002.1891174679.0000000006410000.00000004.08000000.00040000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	eBHn6qHPLz.exe, 00000000.00000002.1891174679.0000000006410000.00000004.08000000.00040000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z	eBHn6qHPLz.exe, 00000000.00000002.1871058602.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe.0.dr	false		high
http://geoplugin.net/json.gpO	eBHn6qHPLz.exe, 00000004.00000002.3538658538.000000000122B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.gog.com$http://www.gog.com$http://www.gog.com.436.	setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe, 00000002.00000003.1851801236.0000000002B80000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://geoplugin.net/json.gpT	eBHn6qHPLz.exe, 00000004.00000002.3538658538.00000000011D7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.gog.com03	setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe, 00000002.00000002.3538258325.0000000002A23000.00000004.00001000.00020000.00000000.sdmp, setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp, 00000003.00000002.3540778391.0000000002853000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.remobjects.com/ps	setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe, 00000002.00000003.1853902213.000000007F6D0000.00000004.00001000.00020000.00000000.sdmp, setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe, 00000002.00000003.1853202895.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp, 00000003.00000000.1854814903.0000000000E01000.00000020.00000001.01000000.00000008.sdmp, setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp.2.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	eBHn6qHPLz.exe, 00000000.00000002.1859614323.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, defenderupdate.exe, 00000008.00000002.2168900167.00000000032F3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#	eBHn6qHPLz.exe, 00000000.00000002.1871058602.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
5.181.159.153	unknown	Moldova Republic of		39798	MIVOCLOUDMD	true
178.237.33.50	geoplugin.net	Netherlands		8455	ATOM86-ASATOM86NL	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562024
Start date and time:	2024-11-25 04:46:20 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	eBHn6qHPLz.exe renamed because original name is a hash value
Original Sample Name:	12f35a41245c2dbb16d0574d9dcc59c9.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.expl.evad.winEXE@12/8@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 89% Number of executed functions: 319 Number of non-executed functions: 168
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:47:28	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\defenderupdate.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
178.237.33.50	mCtN05kxh6.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	Bank Fund Transfer-589237.scr.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	Payment Transfer Request Form.bat.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	CargoInvoice_Outstanding_56789_2024-11-21.vbs	Get hash	malicious	Remcos, GuLoader	Browse	geoplugin.net/json.gp
	payment receipt copy.bat.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	018292540-LetterReguranPPI-20230814215304.PDF.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
geoplugin.net	mCtN05kxh6.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Bank Fund Transfer-589237.scr.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Payment Transfer Request Form.bat.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	CargoInvoice_Outstanding_56789_2024-11-21.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	payment receipt copy.bat.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	018292540-LetterReguranPPI-20230814215304.PDF.exe	Get hash	malicious	Remcos	Browse	178.237.33.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MIVOCLOUDMD	I2BJhmJou4.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69
	I5jG2Os8GA.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69
	OlZzqwjrwO.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69
	Vd3tOP5WSD.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69
	g1kWKm20Z5.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69
	cgln32y2HF.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69
	4Oq9i3gm0g.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69
	RX7nieXlNm.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69
	5M5e9srxkE.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69
ATOM86-ASATOM86NL	mCtN05kxh6.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Bank Fund Transfer-589237.scr.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Payment Transfer Request Form.bat.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	CargoInvoice_Outstanding_56789_2024-11-21.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	payment receipt copy.bat.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	018292540-LetterReguranPPI-20230814215304.PDF.exe	Get hash	malicious	Remcos	Browse	178.237.33.50

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\is-MG2J6.tmp\_isetup\_setup64.tmp	2024.1.16.exe	Get hash	malicious	Unknown	Browse
	2024.1.16.exe	Get hash	malicious	Unknown	Browse
	veraport-g3-x64.exe	Get hash	malicious	Unknown	Browse
	ChromeSetup.exe	Get hash	malicious	Spark RAT	Browse
	ChromeSetup.exe	Get hash	malicious	Spark RAT	Browse
	file.exe	Get hash	malicious	Amadey	Browse
	Y7Zv23yKfb.exe	Get hash	malicious	MicroClip	Browse
	Y7Zv23yKfb.exe	Get hash	malicious	MicroClip	Browse
	cho_mea64.exe	Get hash	malicious	MicroClip	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\json[1].json

Download File

Process:	C:\Users\user\Desktop\eBHn6qHPLz.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	962
Entropy (8bit):	5.01442467270497
Encrypted:	false
SSDEEP:	12:tkluQ+nd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qluQydVauKyGX85jvXhNlT3/7AcV9Wro
MD5:	4A8FAD17775993221C3AD2D68BB4B306
SHA1:	DB42C3975A64E7B4CE2A93FF5AF91F2DF73C82BD
SHA-256:	893F1B254D4EC2484868976F1B62D5A064909EA08E46F95193DBE79DB435E604
SHA-512:	63252CFDC2CC7A32F86D9CB5D27E1695A8C138EBFBF476741C017EB349F20BDC72FF5856E0044DB189BAABDB1C3819C29FFC33A054810BD0354726300063D52C
Malicious:	false
Reputation:	low
Preview:	{. "geoplugin_request":"8.46.123.75",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

C:\Users\user\AppData\Local\Temp\Setup Log 2024-11-24 #001.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	10504
Entropy (8bit):	4.805759157282851
Encrypted:	false
SSDEEP:	96:SA7/eCA1eDv1m1T1mH1moT1m71m9HfVpKtOo2tbgV:Z/FUSfNjaV
MD5:	17D357039C9FE11941E65A6AF15BC2DB
SHA1:	5FEEE54F5C41B75D6BA98EDE7968987D62771B67
SHA-256:	04C5BDC467A5BD1EE9F3189E281B48AABBBC8D0DCD0B5AF93A29EDB0CEBBE1C7
SHA-512:	0E2FFCCDF3265526FA6ACBC8DAB7FDA65A3CD71E827A0DF7C2549B06C9748CBE33F59917C4F45F41D29F26B02C77276A31FE5B8162ABF69D8DB33D6459DCC0AB
Malicious:	false
Reputation:	low
Preview:	.2024-11-24 22:47:28.818 Log opened. (Time zone: UTC-05:00)..2024-11-24 22:47:28.818 Setup version: Inno Setup version 5.6.1 (u)..2024-11-24 22:47:28.818 Original Setup EXE: C:\Users\user\AppData\Local\Temp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe..2024-11-24 22:47:28.818 Setup command line: /SL5="$1000C6,192512,0,C:\Users\user\AppData\Local\Temp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe" ..2024-11-24 22:47:28.818 Windows version: 10.0.19045 (NT platform: Yes)..2024-11-24 22:47:28.818 64-bit Windows: Yes..2024-11-24 22:47:28.818 Processor architecture: x64..2024-11-24 22:47:28.818 User privileges: Administrative..2024-11-24 22:47:29.083 64-bit install mode: No..2024-11-24 22:47:32.599 Created temporary directory: C:\Users\user\AppData\Local\Temp\is-MG2J6.tmp..2024-11-24 22:47:32.614 -- DLL function import --..2024-11-24 22:47:32.614 Function name: GetDriveTypeW..2024-11-24 22:47:32.614 DLL name: kernel32.dll..2024-11-24 2

C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1335808
Entropy (8bit):	6.626175390113613
Encrypted:	false
SSDEEP:	24576:HgNfn7OOXeL7dJ/oOP9pjA0fY2Mqz9JT7ytfsxjHElkLD229Oqkipt1NCnqxjVV:AtTX6THjACMq/xCaaMksgi7
MD5:	FF5EBF66CDDD9913B729DE78EEB638C8
SHA1:	CA23D5639D1C516E3DEFC8F5B267BB5C040238D5
SHA-256:	ABF8D4D522CA94A179D644EC0464474B580EC82441B118B663DA3BD879F91D85
SHA-512:	4FA3A2DC8AD68BFFFC0E039171D2DA71C3C37EADE709D5495E825BB53F576180EAFEE57E3C1F78D7DCC8D26E26CC24E1E99BB494D9B4A55F74F4145EB6E5A05B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...M.z[.................V...........f.......p....@.......................... ............@......@..............................@8......D....................p...............................`.......................................................text...\|<.......>.................. ..`.itext.......P.......B.............. ..`.data..../...p...0...Z..............@....bss.....a...............................idata..@8.......:..................@....tls....<....P...........................rdata.......`......................@..@.reloc.......p......................@..B.rsrc...D...........................@..@............. .......d..............@..@................................................................................................

C:\Users\user\AppData\Local\Temp\is-MG2J6.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: 2024.1.16.exe, Detection: malicious, Browse Filename: 2024.1.16.exe, Detection: malicious, Browse Filename: veraport-g3-x64.exe, Detection: malicious, Browse Filename: ChromeSetup.exe, Detection: malicious, Browse Filename: ChromeSetup.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: Y7Zv23yKfb.exe, Detection: malicious, Browse Filename: Y7Zv23yKfb.exe, Detection: malicious, Browse Filename: cho_mea64.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe

Download File

Process:	C:\Users\user\Desktop\eBHn6qHPLz.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2849736
Entropy (8bit):	6.9619664618602135
Encrypted:	false
SSDEEP:	49152:iigPg3mBjR9EvCHl/RX7JQ221GtsCFonRHmb+G4O60X8Bug+Hmjv4gB:cgWBjj+2l/RX1QtUFFonR4+tO6Rug+G/
MD5:	719E5D10DAFEDD2EFC8FD7A446AB7C2F
SHA1:	5F9CDE6382D023EEE636719AEE4F6F18FC8F1E49
SHA-256:	F3176C204871908753CCD551407CA451AFD87351F87C53998E87BD77B2E39831
SHA-512:	7368FE86797E3AC03E9CD20F4542EA48330DA9B89401DDE63F304B86B819AE0842EDA327A4752671EF3FB3284FFACE2B2B412B6ED772BEDD561711453B04C090
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....L/\............................\........ ....@..................................+...@......@...................................................Z+.H!...........................................................................................text............................... ..`.itext.............................. ..`.data........ ......................@....bss.....V...0...........................idata..............................@....tls.................,...................rdata...............,..............@..@.reloc..............................@..B.rsrc................B..............@..@....................................@..@................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\defenderupdate.vbs

Download File

Process:	C:\Users\user\Desktop\eBHn6qHPLz.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	89
Entropy (8bit):	4.699181364242189
Encrypted:	false
SSDEEP:	3:FER/n0eFHHot+kiEaKC5JtNJHHn:FER/lFHIwknaZ5vn
MD5:	A429E2AA7E299EBCB8DE3E1520E2FEC8
SHA1:	1E0D0B49B38E997A4B6366749415118016C68065
SHA-256:	142EE5E243E33F8A7B0CBAAB6637F89DDA18191A6DE73CB6623846F7D11BFB85
SHA-512:	01528A30FEEE1D4BF55CC9218191BADC50F627497AC7E00AF83172F4B0E46467925CB394F1529F0C8B73557F9BDF4050E44ED8B708599DB3316398DCC8E016CC
Malicious:	true
Preview:	CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\defenderupdate.exe"""

C:\Users\user\AppData\Roaming\defenderupdate.exe

Download File

Process:	C:\Users\user\Desktop\eBHn6qHPLz.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3410432
Entropy (8bit):	7.998628590725982
Encrypted:	true
SSDEEP:	49152:cBwJhUhNLguhinxeDZf2g5rskMP2/9SKgY/dyXMTBqtr7hDMukLdpHx5vnvaluNn:DJK5linxmf3rsN2/gXY0UZpRlyxwxx
MD5:	12F35A41245C2DBB16D0574D9DCC59C9
SHA1:	4D192C491EB0F4CF477B008EC2B0798940915EE0
SHA-256:	9FAB1939599469D96091A078E0ED884ED100CFCA13FA89F2E48E9937F0E1535C
SHA-512:	FC66A9C862C5CF2F7AD2436D31476E255445CEDD05C906C0F1FDB85DE52ECE8AA931B1CECFA0990BD5DC7D4937B4F2B8442E9BF7F216D03E48A7F3500A6C4046
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 61%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...W.@g..................2..:........2.. ........@.. .......................`4...........`...................................2.K.....3..8...................@4...................................................... ............... ..H............text...4.2.. ....2................. ..`.rsrc....8....3..8....2.............@..@.reloc.......@4.......4.............@..B..................2.....H.........2.P+...........r...N2..........................................0..........(......s....(.....0..e........(....(.....+M.o....~....%-.&~..........s....%.....(...+...(....-.. k]..(.... .......o....&..(....-.....0..[..........(.....s...... .]..(....(....o..... .]..(....(....o.....o........io........,..o.....&...........=L..........SV........(.....s...........(....Z.o.... a]..(....o.....~....-# .]..(.........(....o....s.........~.....~...........~(.... .]..(.

C:\Users\user\AppData\Roaming\defenderupdate.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\eBHn6qHPLz.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.998628590725982
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	eBHn6qHPLz.exe
File size:	3'410'432 bytes
MD5:	12f35a41245c2dbb16d0574d9dcc59c9
SHA1:	4d192c491eb0f4cf477b008ec2b0798940915ee0
SHA256:	9fab1939599469d96091a078e0ed884ed100cfca13fa89f2e48e9937f0e1535c
SHA512:	fc66a9c862c5cf2f7ad2436d31476e255445cedd05c906c0f1fdb85de52ece8aa931b1cecfa0990bd5dc7d4937b4f2b8442e9bf7f216d03e48a7f3500a6c4046
SSDEEP:	49152:cBwJhUhNLguhinxeDZf2g5rskMP2/9SKgY/dyXMTBqtr7hDMukLdpHx5vnvaluNn:DJK5linxmf3rsN2/gXY0UZpRlyxwxx
TLSH:	83F53305B4DEE7CDCB3C36724FD2A2A0EE21D766E1A3F65BBC03D55239192A061E650C
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...W.@g..................2..:........2.. ........@.. .......................`4...........`................................

File Icon


Icon Hash:	0f6decece879218f

Static PE Info

General

Entrypoint:	0x72ed2e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6740DB57 [Fri Nov 22 19:28:23 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x32ece0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x330000	0x13800	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x344000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x32cd34	0x32ce00	6055d72f83513443876b0e3de12a13a2	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x330000	0x13800	0x13800	154e89df516d84d9c76e771575370abd	False	0.9894706530448718	data	7.976621047292781	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x344000	0xc	0x200	1f504dd4cf79ac58f854689feb21bc29	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x330130	0x13164	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	1.0001023279611154
RT_GROUP_ICON	0x343294	0x14	Targa image data - Map 32 x 12644 x 1 +1	1.05
RT_VERSION	0x3432a8	0x31c	data	0.4321608040201005
RT_MANIFEST	0x3435c4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-25T04:47:30.242289+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.4	49732	5.181.159.153	1151	TCP
2024-11-25T04:47:31.620496+0100	2032777	ET MALWARE Remcos 3.x Unencrypted Server Response	1	5.181.159.153	1151	192.168.2.4	49732	TCP
2024-11-25T04:47:33.808078+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.4	49735	178.237.33.50	80	TCP
2024-11-25T04:49:38.820509+0100	2032777	ET MALWARE Remcos 3.x Unencrypted Server Response	1	5.181.159.153	1151	192.168.2.4	49732	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 04:47:30.121393919 CET	49732	1151	192.168.2.4	5.181.159.153
Nov 25, 2024 04:47:30.241046906 CET	1151	49732	5.181.159.153	192.168.2.4
Nov 25, 2024 04:47:30.241158962 CET	49732	1151	192.168.2.4	5.181.159.153
Nov 25, 2024 04:47:30.242289066 CET	49732	1151	192.168.2.4	5.181.159.153
Nov 25, 2024 04:47:30.361803055 CET	1151	49732	5.181.159.153	192.168.2.4
Nov 25, 2024 04:47:31.620496035 CET	1151	49732	5.181.159.153	192.168.2.4
Nov 25, 2024 04:47:31.645920038 CET	49732	1151	192.168.2.4	5.181.159.153
Nov 25, 2024 04:47:31.765646935 CET	1151	49732	5.181.159.153	192.168.2.4
Nov 25, 2024 04:47:31.873850107 CET	1151	49732	5.181.159.153	192.168.2.4
Nov 25, 2024 04:47:31.932441950 CET	49732	1151	192.168.2.4	5.181.159.153
Nov 25, 2024 04:47:32.376956940 CET	49735	80	192.168.2.4	178.237.33.50
Nov 25, 2024 04:47:32.496587992 CET	80	49735	178.237.33.50	192.168.2.4
Nov 25, 2024 04:47:32.496681929 CET	49735	80	192.168.2.4	178.237.33.50
Nov 25, 2024 04:47:32.497009993 CET	49735	80	192.168.2.4	178.237.33.50
Nov 25, 2024 04:47:32.616460085 CET	80	49735	178.237.33.50	192.168.2.4
Nov 25, 2024 04:47:33.807995081 CET	80	49735	178.237.33.50	192.168.2.4
Nov 25, 2024 04:47:33.808078051 CET	49735	80	192.168.2.4	178.237.33.50
Nov 25, 2024 04:47:33.842701912 CET	49732	1151	192.168.2.4	5.181.159.153
Nov 25, 2024 04:47:33.962266922 CET	1151	49732	5.181.159.153	192.168.2.4
Nov 25, 2024 04:47:34.807444096 CET	80	49735	178.237.33.50	192.168.2.4
Nov 25, 2024 04:47:34.809402943 CET	49735	80	192.168.2.4	178.237.33.50
Nov 25, 2024 04:47:38.776357889 CET	1151	49732	5.181.159.153	192.168.2.4
Nov 25, 2024 04:47:38.777815104 CET	49732	1151	192.168.2.4	5.181.159.153
Nov 25, 2024 04:47:38.897443056 CET	1151	49732	5.181.159.153	192.168.2.4
Nov 25, 2024 04:48:08.810467005 CET	1151	49732	5.181.159.153	192.168.2.4
Nov 25, 2024 04:48:08.828860044 CET	49732	1151	192.168.2.4	5.181.159.153
Nov 25, 2024 04:48:08.948451996 CET	1151	49732	5.181.159.153	192.168.2.4
Nov 25, 2024 04:48:38.807697058 CET	1151	49732	5.181.159.153	192.168.2.4
Nov 25, 2024 04:48:38.809003115 CET	49732	1151	192.168.2.4	5.181.159.153
Nov 25, 2024 04:48:38.928546906 CET	1151	49732	5.181.159.153	192.168.2.4
Nov 25, 2024 04:49:08.821856976 CET	1151	49732	5.181.159.153	192.168.2.4
Nov 25, 2024 04:49:08.823339939 CET	49732	1151	192.168.2.4	5.181.159.153
Nov 25, 2024 04:49:08.942918062 CET	1151	49732	5.181.159.153	192.168.2.4
Nov 25, 2024 04:49:22.108815908 CET	49735	80	192.168.2.4	178.237.33.50
Nov 25, 2024 04:49:22.420831919 CET	49735	80	192.168.2.4	178.237.33.50
Nov 25, 2024 04:49:23.030155897 CET	49735	80	192.168.2.4	178.237.33.50
Nov 25, 2024 04:49:24.233237028 CET	49735	80	192.168.2.4	178.237.33.50
Nov 25, 2024 04:49:26.639471054 CET	49735	80	192.168.2.4	178.237.33.50
Nov 25, 2024 04:49:31.452028990 CET	49735	80	192.168.2.4	178.237.33.50
Nov 25, 2024 04:49:38.820508957 CET	1151	49732	5.181.159.153	192.168.2.4
Nov 25, 2024 04:49:38.834645987 CET	49732	1151	192.168.2.4	5.181.159.153
Nov 25, 2024 04:49:38.954216003 CET	1151	49732	5.181.159.153	192.168.2.4
Nov 25, 2024 04:49:41.061428070 CET	49735	80	192.168.2.4	178.237.33.50
Nov 25, 2024 04:50:08.837784052 CET	1151	49732	5.181.159.153	192.168.2.4
Nov 25, 2024 04:50:08.839303017 CET	49732	1151	192.168.2.4	5.181.159.153
Nov 25, 2024 04:50:08.958905935 CET	1151	49732	5.181.159.153	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 04:47:32.135674000 CET	54753	53	192.168.2.4	1.1.1.1
Nov 25, 2024 04:47:32.368493080 CET	53	54753	1.1.1.1	192.168.2.4
Nov 25, 2024 04:47:44.969841957 CET	55948	53	192.168.2.4	1.1.1.1
Nov 25, 2024 04:47:45.110855103 CET	53	55948	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 25, 2024 04:47:32.135674000 CET	192.168.2.4	1.1.1.1	0xb0a2	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 04:47:44.969841957 CET	192.168.2.4	1.1.1.1	0xec26	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 25, 2024 04:47:32.368493080 CET	1.1.1.1	192.168.2.4	0xb0a2	No error (0)	geoplugin.net		178.237.33.50	A (IP address)	IN (0x0001)	false
Nov 25, 2024 04:47:45.110855103 CET	1.1.1.1	192.168.2.4	0xec26	No error (0)	geoplugin.net		178.237.33.50	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

geoplugin.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49735	178.237.33.50	80	7612	C:\Users\user\Desktop\eBHn6qHPLz.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 04:47:32.497009993 CET	71	OUT	GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Nov 25, 2024 04:47:33.807995081 CET	1170	IN	HTTP/1.1 200 OK date: Mon, 25 Nov 2024 03:47:33 GMT server: Apache content-length: 962 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 37 35 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 32 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED] Data Ascii: { "geoplugin_request":"8.46.123.75", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

Target ID:	0
Start time:	22:47:10
Start date:	24/11/2024
Path:	C:\Users\user\Desktop\eBHn6qHPLz.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\eBHn6qHPLz.exe"
Imagebase:	0x570000
File size:	3'410'432 bytes
MD5 hash:	12F35A41245C2DBB16D0574D9DCC59C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.1871058602.00000000046AE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1871058602.00000000046AE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1871058602.00000000046AE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1871058602.00000000046AE000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1859614323.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1918216843.00000000078C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.1871058602.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1871058602.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1871058602.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1871058602.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	22:47:28
Start date:	24/11/2024
Path:	C:\Users\user\AppData\Local\Temp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe"
Imagebase:	0x6f0000
File size:	2'849'736 bytes
MD5 hash:	719E5D10DAFEDD2EFC8FD7A446AB7C2F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	22:47:28
Start date:	24/11/2024
Path:	C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp" /SL5="$1000C6,192512,0,C:\Users\user\AppData\Local\Temp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe"
Imagebase:	0xe00000
File size:	1'335'808 bytes
MD5 hash:	FF5EBF66CDDD9913B729DE78EEB638C8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 4%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	22:47:28
Start date:	24/11/2024
Path:	C:\Users\user\Desktop\eBHn6qHPLz.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\eBHn6qHPLz.exe"
Imagebase:	0x8d0000
File size:	3'410'432 bytes
MD5 hash:	12F35A41245C2DBB16D0574D9DCC59C9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.3538658538.00000000011EA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.3538658538.00000000011D7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	22:47:42
Start date:	24/11/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\defenderupdate.vbs"
Imagebase:	0x7ff79f1c0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	22:47:42
Start date:	24/11/2024
Path:	C:\Users\user\AppData\Roaming\defenderupdate.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\defenderupdate.exe"
Imagebase:	0xb90000
File size:	3'410'432 bytes
MD5 hash:	12F35A41245C2DBB16D0574D9DCC59C9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000008.00000002.2168900167.00000000032F3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000008.00000002.2183906073.0000000004643000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.2183906073.0000000004643000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.2183906073.0000000004643000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000008.00000002.2183906073.0000000004643000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 61%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	22:47:59
Start date:	24/11/2024
Path:	C:\Users\user\AppData\Roaming\defenderupdate.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\defenderupdate.exe"
Imagebase:	0x520000
File size:	3'410'432 bytes
MD5 hash:	12F35A41245C2DBB16D0574D9DCC59C9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.2166640000.0000000000D67000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.8%
Dynamic/Decrypted Code Coverage:	98%
Signature Coverage:	4.8%
Total number of Nodes:	294
Total number of Limit Nodes:	13

Executed Functions

Function 04BA12C0 Relevance: 16.1, Strings: 12, Instructions: 1097COMMON

Download Yara Rule

Strings

$^q, xrefs: 04BA1B91
4, xrefs: 04BA1C95
$^q, xrefs: 04BA1BA1
$^q, xrefs: 04BA1707
$^q, xrefs: 04BA1543
$^q, xrefs: 04BA1BEA
$^q, xrefs: 04BA1553
$^q, xrefs: 04BA17B7
,bq, xrefs: 04BA1D7A
$^q, xrefs: 04BA1BFA
$^q, xrefs: 04BA17C7
$^q, xrefs: 04BA1717

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: ,bq$4$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-312445597
Opcode ID: 79a09fc9c7aa244470d5a6462812de61f2d3753e2e5df05f7e173d4a7b63af21
Instruction ID: 58e09507a58dcd43e0d5e749e469131b4cbaa14ebfa414fa89155720f8c0429b
Opcode Fuzzy Hash: 79a09fc9c7aa244470d5a6462812de61f2d3753e2e5df05f7e173d4a7b63af21
Instruction Fuzzy Hash: 95B2F534A00228CFDB54DFA8C994BADB7B6FB48704F148599E509AB3A4DB71EC85CF50

Function 04BA15E7 Relevance: 8.0, Strings: 6, Instructions: 495COMMON

Download Yara Rule

Strings

$^q, xrefs: 04BA1B91
4, xrefs: 04BA1C95
$^q, xrefs: 04BA1707
$^q, xrefs: 04BA1BEA
$^q, xrefs: 04BA17B7
,bq, xrefs: 04BA1D7A

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: ,bq$4$$^q$$^q$$^q$$^q
API String ID: 0-2546334966
Opcode ID: 7d28b939d380eb4b8973383bd4942f78d299dc5571976e0f21c39241830aa045
Instruction ID: 2176f1aa51566894ef07b7315376aefec3a2adb4f69db63107211c122e50cc2d
Opcode Fuzzy Hash: 7d28b939d380eb4b8973383bd4942f78d299dc5571976e0f21c39241830aa045
Instruction Fuzzy Hash: 89220834A04218CFDB64DFA8C994BA9B7B2FF48304F1481D9E509AB3A5DB31AD95CF50

Function 04C0A368 Relevance: 3.1, Strings: 2, Instructions: 617
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fcq, xrefs: 04C0A495
8, xrefs: 04C0A482

Memory Dump Source

Source File: 00000000.00000002.1883176093.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c00000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: fcq$8
API String ID: 0-89531850
Opcode ID: 3e8cf5940e848740f8a78869fa7a2d31f2d85c0c00639da83d466e2c984bba17
Instruction ID: 5ec08d89436ed7a4645482bd1b2235c70ea61c6d75b40625c8a425f113b8e556
Opcode Fuzzy Hash: 3e8cf5940e848740f8a78869fa7a2d31f2d85c0c00639da83d466e2c984bba17
Instruction Fuzzy Hash: F852D675E002298FDB64DF69C990AD9B7B2FB89304F1485EAD50DA7354DB30AE81CF90

Function 04B99D2F Relevance: 2.8, Strings: 2, Instructions: 333
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Y4, xrefs: 04B99EC5
\DJU, xrefs: 04B99E65

Memory Dump Source

Source File: 00000000.00000002.1882901319.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b90000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: Y4$\DJU
API String ID: 0-2261510793
Opcode ID: 3a40e11d000a2e59120cca3f948b47deefe2a2c1fe63c1ca7cd4a02d12d09a4c
Instruction ID: a88b2965e056f9f927f5ded7ce429c7c5d9b9b957a476d2069ec77066b0d6db7
Opcode Fuzzy Hash: 3a40e11d000a2e59120cca3f948b47deefe2a2c1fe63c1ca7cd4a02d12d09a4c
Instruction Fuzzy Hash: 3FE106B4A05218CFDB54DFA4D988BADBBF2FB49304F1090AAD409AB395DB306D85CF01

Function 04C0A359 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

h, xrefs: 04C0A476
fcq, xrefs: 04C0A495

Memory Dump Source

Source File: 00000000.00000002.1883176093.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c00000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: fcq$h
API String ID: 0-1849521214
Opcode ID: 73e4f40c707e217536932b32421b9adb982ee18353dbb92caab46c8c22e9eea9
Instruction ID: 66ba3b32c4a83354afaef885ecc9314c42219f7083247271244db3d1c5358039
Opcode Fuzzy Hash: 73e4f40c707e217536932b32421b9adb982ee18353dbb92caab46c8c22e9eea9
Instruction Fuzzy Hash: 7D711835E006198FEB24DF69D950BDABBB2FF89304F1481AAD50DA7254DB306E85CF90

Function 04B915B0 Relevance: 1.9, Strings: 1, Instructions: 681COMMON

Download Yara Rule

Strings

(bq, xrefs: 04B91768

Memory Dump Source

Source File: 00000000.00000002.1882901319.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b90000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: f69b05ef290f5dec0b44639dfc838307fa3c7ccf9fe31509dd0c0237697d4436
Instruction ID: d869b52baecb32a971a07f608cf2b4c61018c46849ee270e917ed1bc85818173
Opcode Fuzzy Hash: f69b05ef290f5dec0b44639dfc838307fa3c7ccf9fe31509dd0c0237697d4436
Instruction Fuzzy Hash: D7427774B0061A8FDB18DF69C49466EBBF2FF88300F248969E55AD7391DB34AD01DB90

Function 04C0E324 Relevance: 1.8, APIs: 1, Instructions: 250processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04C0E50A

Memory Dump Source

Source File: 00000000.00000002.1883176093.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c00000_eBHn6qHPLz.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 20ad56c6c92ccb133c92c80084f4ae5d230847eea72c79fe8c2c21203d2bfd3f
Instruction ID: 0036920cf5584463383b625c58425b9c4d3ece729bf0a843b4d4bd055193e453
Opcode Fuzzy Hash: 20ad56c6c92ccb133c92c80084f4ae5d230847eea72c79fe8c2c21203d2bfd3f
Instruction Fuzzy Hash: 3BA13971E402199FDB10CFA9C9817EEBBF2FB48314F14892AE859E7284D774A941CF81

Function 0647F098 Relevance: 1.7, Strings: 1, Instructions: 435COMMON

Download Yara Rule

Strings

Te^q, xrefs: 0647F402

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 2a3b5e8bd8683af72a135ea0f94a307ab768edd7f7d7a26e216998d6544eec81
Instruction ID: fce1f1ea15d06df3c461b60a00e3d3abe38df37208ff308d7efd9ae8c4173540
Opcode Fuzzy Hash: 2a3b5e8bd8683af72a135ea0f94a307ab768edd7f7d7a26e216998d6544eec81
Instruction Fuzzy Hash: B812F474A05218CFEBA4DF69DA85BDAB7F2BB89300F1080AAD50DA7355DB305E85CF50

Function 04C0D8C8 Relevance: 1.6, APIs: 1, Instructions: 68nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 04C0D959

Memory Dump Source

Source File: 00000000.00000002.1883176093.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c00000_eBHn6qHPLz.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 74dcb93da57af0448493a2d5f37b7a31705e898b6db186059302371d6ecfddfb
Instruction ID: 6d2bbd1671efcb4df6765e52fc9d84f6b0cc65e53e51012a14ab5a1f0fde906a
Opcode Fuzzy Hash: 74dcb93da57af0448493a2d5f37b7a31705e898b6db186059302371d6ecfddfb
Instruction Fuzzy Hash: E92113B19013499FCB10DFAAD980ADEFBF5FF48310F20842EE859A7250C735A944CBA1

Function 04C0D8D0 Relevance: 1.6, APIs: 1, Instructions: 63nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 04C0D959

Memory Dump Source

Source File: 00000000.00000002.1883176093.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c00000_eBHn6qHPLz.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 85af929fcc1d962f9a70f9d89565ba8c1f818298aeb3a1af66793ca5bb5d320e
Instruction ID: a63a8b019c9a582aa1518796929e2e161c8591b82fa00a06e7633fb600011853
Opcode Fuzzy Hash: 85af929fcc1d962f9a70f9d89565ba8c1f818298aeb3a1af66793ca5bb5d320e
Instruction Fuzzy Hash: 202100B1D003499FCB10DFAAD980ADEFBF5FF48320F20842AE419A7250C775A940CBA5

Function 04C0D997 Relevance: 1.6, APIs: 1, Instructions: 58nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 04C0D959

Memory Dump Source

Source File: 00000000.00000002.1883176093.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c00000_eBHn6qHPLz.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 8e4bf23265ae076506ea108398b6ffce8de839f9ffb37d0890f8a574c5c1dc14
Instruction ID: d665be98c7c7f7f0ded408a110be4f772060c7d881df6ad346a375b870a81114
Opcode Fuzzy Hash: 8e4bf23265ae076506ea108398b6ffce8de839f9ffb37d0890f8a574c5c1dc14
Instruction Fuzzy Hash: 00110071D003488FDB00DFA8E8847EEBFF1EF49314F14841AD059A72A1CB349941CBA1

Function 04C0FA18 Relevance: 1.6, APIs: 1, Instructions: 58nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 04C0FA8E

Memory Dump Source

Source File: 00000000.00000002.1883176093.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c00000_eBHn6qHPLz.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: bfd361f23b587a44cdb8230e018748e1f7c5213b275abb2401fc88df33e2be28
Instruction ID: 3555b182b8610f89bf55fcd185812202934f609f198cd302299ea0f84672b167
Opcode Fuzzy Hash: bfd361f23b587a44cdb8230e018748e1f7c5213b275abb2401fc88df33e2be28
Instruction Fuzzy Hash: B62113B19042499ADB20DFAAC44479EFBF4AF89324F14842ED459A7250C774A944CBA5

Function 04C0FA20 Relevance: 1.6, APIs: 1, Instructions: 54nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 04C0FA8E

Memory Dump Source

Source File: 00000000.00000002.1883176093.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c00000_eBHn6qHPLz.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 4443c190227ddb99c2459699063e37b884611545fe999b083b8e0e549cc5df7e
Instruction ID: 0c0e046623e97621f61b07dbfc958f9266bbb9f8a2e687b09eff021a330cf912
Opcode Fuzzy Hash: 4443c190227ddb99c2459699063e37b884611545fe999b083b8e0e549cc5df7e
Instruction Fuzzy Hash: F511E4B1D002498FDB20DFAAC484A9FFBF5EF88324F14842ED459A7250CB74A944CFA5

Function 0688EAA8 Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

Deq, xrefs: 0688EBAD

Memory Dump Source

Source File: 00000000.00000002.1891954330.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6870000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: Deq
API String ID: 0-948982800
Opcode ID: aa5b88a2d9f4ff88934a67e6c10c18fc9a056ae481c622b76b7a7dc9f8f4cbf7
Instruction ID: 9ba9c3d317777cbbf6b6644af047dfe52f5ef405fc8b3e930f1626a4249153e9
Opcode Fuzzy Hash: aa5b88a2d9f4ff88934a67e6c10c18fc9a056ae481c622b76b7a7dc9f8f4cbf7
Instruction Fuzzy Hash: C0D1BF74E00218CFDB54DFA9DA94A9DBBF2FF89304F1080A9D409AB365DB35A981CF51

Function 064773E8 Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

Te^q, xrefs: 064775B1

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 2ded59c0ac4cfdabc1a1d2a7e68520c0e718a19ff2b01739911a7757f3da466d
Instruction ID: be59e36bb1481bb95efe502d9c2d386a5d6fa1bc6c02b9a0ba500b6c262c1351
Opcode Fuzzy Hash: 2ded59c0ac4cfdabc1a1d2a7e68520c0e718a19ff2b01739911a7757f3da466d
Instruction Fuzzy Hash: E0B1D470E15208CFEB54DFA9D984BDDBBF2BB49304F6090AAD419A7355DB309946CF40

Function 064773D8 Relevance: 1.5, Strings: 1, Instructions: 244COMMON

Download Yara Rule

Strings

Te^q, xrefs: 064775B1

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: b51b7aecaa11224501cea2b31622c3a96dde6c18419325baa8d2e42e8a4365a8
Instruction ID: 1705d565aae5ae8246f3ba92f80dae517555d189d9c5adb1da35eb3293b729f4
Opcode Fuzzy Hash: b51b7aecaa11224501cea2b31622c3a96dde6c18419325baa8d2e42e8a4365a8
Instruction Fuzzy Hash: 64B1C474E11208CFEB54DFA9D984BDEBBF2BB89304F6090AAD409A7355DB309945CF50

Function 04B99067 Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

n, xrefs: 04B99076

Memory Dump Source

Source File: 00000000.00000002.1882901319.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b90000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: n
API String ID: 0-2013832146
Opcode ID: a5452b976ad6cb9a8a4e5d84c0dab63bf74c7d4cbf972d67f6002a3f9b042710
Instruction ID: afe6ea99751dd693fa6dc03b6361377ecefddbe19e0d354037e378c5c6eaa9ae
Opcode Fuzzy Hash: a5452b976ad6cb9a8a4e5d84c0dab63bf74c7d4cbf972d67f6002a3f9b042710
Instruction Fuzzy Hash: 8041F5B4E05218DBDB44CFAAC888B9DBBF6FB89304F14C0AAD808AB355D7745945CF00

Function 04B9C4C7 Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882901319.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b90000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 346e0f68fc66ad0d532e54b6d87df18e373dedb640324a8e636144a09dfbb004
Instruction ID: 958c78f184c1d1253f9435be61c2c6f1451be1bdc3e7ee487c2fca0ab165b4aa
Opcode Fuzzy Hash: 346e0f68fc66ad0d532e54b6d87df18e373dedb640324a8e636144a09dfbb004
Instruction Fuzzy Hash: 9F02E474A052188FDB64DF68DA85BAEBBF1EB49304F1090EAD50DA7345DB30AE85CF50

Function 04B9EB60 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882901319.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b90000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6e96eccc144b041c3736846369de98963a57e7f411f3bc10ee6efcc7be5e3ce
Instruction ID: 0491f4521081df81fc3036eddd3f1afe2f55917fd4fbeab81cce54b1e3213e9b
Opcode Fuzzy Hash: f6e96eccc144b041c3736846369de98963a57e7f411f3bc10ee6efcc7be5e3ce
Instruction Fuzzy Hash: C5D1D274A04218CFEB54DFA9D984B9DBBF2FB49305F1091AAD409A7395EB30AD85CF40

Function 04B9EB50 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882901319.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b90000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40f3c8f61edc99393ae9479e76da2e187511c5cd47ebca5301a45b2572b95727
Instruction ID: 9704dbbb8d98b6fde022c1c9db281a1c6cf3cd75cb71fe1eef91ec288ec975ea
Opcode Fuzzy Hash: 40f3c8f61edc99393ae9479e76da2e187511c5cd47ebca5301a45b2572b95727
Instruction Fuzzy Hash: 35D1B274A00218CFDB54DFA9D985B9DBBF2FB49305F1091AAD409A7395DB30AD85CF00

Function 00EECB08 Relevance: 6.1, APIs: 4, Instructions: 131
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00EECB96
GetCurrentThread.KERNEL32 ref: 00EECBD3
GetCurrentProcess.KERNEL32 ref: 00EECC10
GetCurrentThreadId.KERNEL32 ref: 00EECC69

Memory Dump Source

Source File: 00000000.00000002.1858586945.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_eBHn6qHPLz.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 3d5e45a4cda7c60d323c75622f5dad2d5d4c23e5e428f07f0a6cd16275f198b3
Instruction ID: d2c53efdf46e20c7211f1351b2d553a8fe8916e84af2ebbe17b4ccc5414259ed
Opcode Fuzzy Hash: 3d5e45a4cda7c60d323c75622f5dad2d5d4c23e5e428f07f0a6cd16275f198b3
Instruction Fuzzy Hash: 555144B09002498FDB14DFAAD649BAEBFF1AF88304F248459E019A7360DB749985CF65

Function 00EECB18 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00EECB96
GetCurrentThread.KERNEL32 ref: 00EECBD3
GetCurrentProcess.KERNEL32 ref: 00EECC10
GetCurrentThreadId.KERNEL32 ref: 00EECC69

Memory Dump Source

Source File: 00000000.00000002.1858586945.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_eBHn6qHPLz.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: efa27407b145ede6d3980c303444d1178cd3164836c35fea72908cd4011b6e02
Instruction ID: 6e0056dd5441756b9fd5681742b4a5574f91e66865aace910f3e91e6cc669c45
Opcode Fuzzy Hash: efa27407b145ede6d3980c303444d1178cd3164836c35fea72908cd4011b6e02
Instruction Fuzzy Hash: 545155B09002498FDB14DFAAD549BAEBFF1EF88304F20C459E019A7360DB749985CF69

Function 00EEA488 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00EEA6DE

Strings

8Q, xrefs: 00EEA616
8Q, xrefs: 00EEA63B

Memory Dump Source

Source File: 00000000.00000002.1858586945.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_eBHn6qHPLz.jbxd

Similarity

API ID: HandleModule
String ID: 8Q$8Q
API String ID: 4139908857-250438889
Opcode ID: d17516630b3727c375d40d52cea32ef33e7b0210f343ce07b95316dac9c6ef9b
Instruction ID: 597eef201fab6b62668b417be7ec5f879e5ab44719900ab7c315a218ba57ee10
Opcode Fuzzy Hash: d17516630b3727c375d40d52cea32ef33e7b0210f343ce07b95316dac9c6ef9b
Instruction Fuzzy Hash: AC813470A00B498FD724DF2AD04575ABBF1BF88304F04892EE49AA7B50DB74F949CB91

Function 04BA73E0 Relevance: 4.2, Strings: 3, Instructions: 480
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 04BA7934
Hbq, xrefs: 04BA78B5
Hbq, xrefs: 04BA78E4

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: Hbq$Hbq$Hbq
API String ID: 0-2297679979
Opcode ID: e0c3b2dd84f9517bde14c061bd4cc65a152907002e5132a83d24be9fc9682d12
Instruction ID: f154cfb66309c0e9df585f8517186b74ea4abe686bfdb6645b4d2b14e9c4adc0
Opcode Fuzzy Hash: e0c3b2dd84f9517bde14c061bd4cc65a152907002e5132a83d24be9fc9682d12
Instruction Fuzzy Hash: 94124F31A042049FCB24DFA9C494A6EBBF2FF88300F248969E44A9B355DF35ED56CB51

Function 04BA9218 Relevance: 4.1, Strings: 3, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 04BA9591
4'^q, xrefs: 04BA9511
4'^q, xrefs: 04BA9432

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q
API String ID: 0-1196845430
Opcode ID: 5a3816f7d13ca6a4fd7a33d81594647abdb4e9fa914af103feaf6d2622090673
Instruction ID: 0bf3450e56c3d6f849a9c265e8e2393f5963ad6d9b4ecb5502a135d4a3c3383c
Opcode Fuzzy Hash: 5a3816f7d13ca6a4fd7a33d81594647abdb4e9fa914af103feaf6d2622090673
Instruction Fuzzy Hash: DDF1EB74A10218DFDB04DFA4D998A9DBBB2FF89304F158598E406AB3A5DB71FC42CB50

Function 04BAD800 Relevance: 4.1, Strings: 3, Instructions: 358
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 04BAD929
Hbq, xrefs: 04BAD981
(bq, xrefs: 04BAD955

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: (bq$(bq$Hbq
API String ID: 0-2835675688
Opcode ID: 19397583fe014291f45ef886d3fcb0387b5aa8c7a1d37e1644164c3dab6af978
Instruction ID: da32f7c6beee7c5a0aa59c86af408869e96108fb219627de7dd050a3dc27eee8
Opcode Fuzzy Hash: 19397583fe014291f45ef886d3fcb0387b5aa8c7a1d37e1644164c3dab6af978
Instruction Fuzzy Hash: 33E13B34A05208DFCB04EF64D4949AEBBB6FF89310F508569E806AB364DB30FD56CB91

Function 04BA3539 Relevance: 3.0, Strings: 2, Instructions: 484
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 04BA3853
$^q, xrefs: 04BA3863

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 5ee27954d0b370b5966c9a4b812325cea5d62c1eaa1dc74c5a5aa2f67c38e6e4
Instruction ID: 85d0274312e01225077c175593e6bf2778b480711004119ff635db587961df1f
Opcode Fuzzy Hash: 5ee27954d0b370b5966c9a4b812325cea5d62c1eaa1dc74c5a5aa2f67c38e6e4
Instruction Fuzzy Hash: 2E128B30E042298FDF15DFA9DA54AADBBF1FF48304F148099E802AB395DB34A956CB50

Function 04BA6E98 Relevance: 2.8, Strings: 2, Instructions: 343
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 04BA6EAC
d, xrefs: 04BA70F9

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: (bq$d
API String ID: 0-3334038649
Opcode ID: 3bd7c0ed732ce40aab9e6583cf32f336d3cbee423f047151b12cb86447014234
Instruction ID: c0bce8556b265dca613b80af44fa3aff352661dd59da74c111b02ad72cd091c0
Opcode Fuzzy Hash: 3bd7c0ed732ce40aab9e6583cf32f336d3cbee423f047151b12cb86447014234
Instruction Fuzzy Hash: 22D15930704606CFCB14DF29C48496AB7F2FF89314B26C9A9E45A9B365DB30F856CB90

Function 04BA7C30 Relevance: 2.8, Strings: 2, Instructions: 336
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 04BA7ECC
Hbq, xrefs: 04BA7F34

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: 17f863f9893d4b5b451db460c011d4240fafa2aae11cec61cf38e3863bda58f6
Instruction ID: 6345a4c90ed16556ebe40c655986765659b49bbd0c023f71dc1f2cf21c8a1580
Opcode Fuzzy Hash: 17f863f9893d4b5b451db460c011d4240fafa2aae11cec61cf38e3863bda58f6
Instruction Fuzzy Hash: 84D1BE306041059FCB14EF28C484A6EBBB2FF88314F2585A9E8099B7A5DB34FD56CB91

Function 04BA4848 Relevance: 2.7, Strings: 2, Instructions: 243
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(_^q, xrefs: 04BA5003
Pl^q, xrefs: 04BA4A30

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: (_^q$Pl^q
API String ID: 0-1560878243
Opcode ID: 67146802a8806334ebd85b3deb5a07b4a0d5c1f390a9b704a69d71a9f8a55cfd
Instruction ID: e33af8856f47cba08ad9065c77707774a8cc41169d4deb5f0ea7f1e983d54e2a
Opcode Fuzzy Hash: 67146802a8806334ebd85b3deb5a07b4a0d5c1f390a9b704a69d71a9f8a55cfd
Instruction Fuzzy Hash: 96911334B001188FCB14DF69C884A6ABBE6FF89710F1444A9E405DB3B5DBB1ED42CBA1

Function 04BA2B10 Relevance: 2.7, Strings: 2, Instructions: 156COMMON

Download Yara Rule

Strings

(bq, xrefs: 04BA2C16
Hbq, xrefs: 04BA2CA5

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: (bq$Hbq
API String ID: 0-4081012451
Opcode ID: f60fbfddb6e9fc5fa8293cfae2ef9180f527181a63d0410a175ae1e3ab68e199
Instruction ID: c7fff411667628cc5e77ab4d90cc6ae0bec7f17ba1659bbabd0f2135cb1e890f
Opcode Fuzzy Hash: f60fbfddb6e9fc5fa8293cfae2ef9180f527181a63d0410a175ae1e3ab68e199
Instruction Fuzzy Hash: C2516B34B002548FC719AF39C46452EBBB2FF8531176449ADD80A9B3A1DF35ED06CBA1

Function 04BA50D8 Relevance: 2.6, Strings: 2, Instructions: 146COMMON

Download Yara Rule

Strings

(bq, xrefs: 04BA5243
(bq, xrefs: 04BA51EC

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: (bq$(bq
API String ID: 0-4224401849
Opcode ID: 45326d590afd02918cb56c232507f6151fa3c0b7a91137d4d818952cb4b10f5e
Instruction ID: d8c4c11ee554d1d36259e4f27ae75ab6628904500de2ecd9e9e623c47f148918
Opcode Fuzzy Hash: 45326d590afd02918cb56c232507f6151fa3c0b7a91137d4d818952cb4b10f5e
Instruction Fuzzy Hash: 7B51F2317002059FDB149F29D854BAE7BA2FF84315F2485A9E805CB391CF38ED52CBA1

Function 04BA3D08 Relevance: 2.6, Strings: 2, Instructions: 53COMMON

Download Yara Rule

Strings

$^q, xrefs: 04BA3D6F
$^q, xrefs: 04BA3D5F

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 895107541cf55d42001c45724d0b92a57621b78fec3fef5928ef59aa79b3c904
Instruction ID: dfd49a75ab63a6dfb0c1a6db1f5b618eb6fd2537aa09f1bf712a07d964bf6a5f
Opcode Fuzzy Hash: 895107541cf55d42001c45724d0b92a57621b78fec3fef5928ef59aa79b3c904
Instruction Fuzzy Hash: 40118035708209EFDB28CE99D444BA9BBF9EF04350F1494EAE880CB264E771F994DB50

Function 06470681 Relevance: 2.5, Strings: 2, Instructions: 34COMMON

Download Yara Rule

Strings

<, xrefs: 0647068E
Q, xrefs: 0647149C

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: <$Q
API String ID: 0-1068778786
Opcode ID: 8303a6e5f3b96f7205772e30ae6441a24c8663662326d0a83f5799aea76380fe
Instruction ID: 735e36267518082f5498905fe19a3ba95880c400d4a5d0d414f939c77097370f
Opcode Fuzzy Hash: 8303a6e5f3b96f7205772e30ae6441a24c8663662326d0a83f5799aea76380fe
Instruction Fuzzy Hash: 500193B0D2122CCFDB95EFA4D989B9DBBF5BB48318F4040AAE508A7245D7754A85CF01

Function 04BAA0F8 Relevance: 1.9, Strings: 1, Instructions: 677COMMON

Download Yara Rule

Strings

,bq, xrefs: 04BAA473

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: ,bq
API String ID: 0-2474004448
Opcode ID: 878056dae3a16fddab83f1cfe2e6341e77cbde11af7f8c8e951684c2413ed5be
Instruction ID: 4bc7df6ceec054f8099f12f9ff5db251d44f016aecfb7ace5dcc40bfb969d7fe
Opcode Fuzzy Hash: 878056dae3a16fddab83f1cfe2e6341e77cbde11af7f8c8e951684c2413ed5be
Instruction Fuzzy Hash: 96521775A002288FDB64DF68C985BEDBBF2FB88700F1544D9E509A7351DA34AE81CF61

Function 04BA40C0 Relevance: 1.8, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

(_^q, xrefs: 04BA4350

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: (_^q
API String ID: 0-538443824
Opcode ID: 7f4ef2b31bf4269f5bfbea6571f14d96bd18552627b3c0c8af7fcf40d8ae9bfa
Instruction ID: 57c6fc53b1775a3776f4eb5066cd646b814611ec0fab466bfab740b55168ea69
Opcode Fuzzy Hash: 7f4ef2b31bf4269f5bfbea6571f14d96bd18552627b3c0c8af7fcf40d8ae9bfa
Instruction Fuzzy Hash: 75229A35B102149FDB04DFA9C484A6DBBF2FF88314F1484A9E905AB3A1DBB1ED51CB50

Function 04C0E330 Relevance: 1.7, APIs: 1, Instructions: 201processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04C0E50A

Memory Dump Source

Source File: 00000000.00000002.1883176093.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c00000_eBHn6qHPLz.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4099275b7c6969efac6e540353c32333377aa9be3b0db1783f664c7141ccc839
Instruction ID: b2a60bebad0f8de8f52147bfac4bb95cf1d67451dadf9468cc5b2acef858c750
Opcode Fuzzy Hash: 4099275b7c6969efac6e540353c32333377aa9be3b0db1783f664c7141ccc839
Instruction Fuzzy Hash: 4E812771D402599FDB10CFA9C9817AEBBF2BF48314F148929E859E7280E774A981CF81

Function 04C03E1C Relevance: 1.7, APIs: 1, Instructions: 151fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32(?,?,?), ref: 04C03F6D

Memory Dump Source

Source File: 00000000.00000002.1883176093.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c00000_eBHn6qHPLz.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 76c4ff63b39111e408c08c6272167645bc9508e6cbfeb2b7be8479e4705175b5
Instruction ID: d8c5c66d5332b5e9d10f446b7fc238a2216c6885733ba5fd31ea102c44fa3e2d
Opcode Fuzzy Hash: 76c4ff63b39111e408c08c6272167645bc9508e6cbfeb2b7be8479e4705175b5
Instruction Fuzzy Hash: FA517B71D007999FDB10CFA9C8457AEBBF2EF88310F148529EC55E7290D774A981CB81

Function 04C03E28 Relevance: 1.6, APIs: 1, Instructions: 143fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32(?,?,?), ref: 04C03F6D

Memory Dump Source

Source File: 00000000.00000002.1883176093.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c00000_eBHn6qHPLz.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: b2cd4724b2d8e4a4426b147f20bf27aeec272975f67b78f3dbfff7f389c62a81
Instruction ID: b0ab5ff41d484e1aabfbda31c8420115dd5f0e06f5249bbcbfd3e1ba44e94030
Opcode Fuzzy Hash: b2cd4724b2d8e4a4426b147f20bf27aeec272975f67b78f3dbfff7f389c62a81
Instruction Fuzzy Hash: D2517A71E006999FDB10CFA9C8457AEBBF2FF48310F148529EC59E7290DB74A981CB81

Function 00EE8F89 Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(0000004B), ref: 00EE8FFD

Memory Dump Source

Source File: 00000000.00000002.1858586945.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_eBHn6qHPLz.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 5c1a590425cf4a5a1a9a48c4c76e47c9b8c73d0ceb4cf71b5b7fe22d931851c2
Instruction ID: cd44e88c310ea03ebbf1a5d220eecdfcceb0ba52253b76c605569316bd715d40
Opcode Fuzzy Hash: 5c1a590425cf4a5a1a9a48c4c76e47c9b8c73d0ceb4cf71b5b7fe22d931851c2
Instruction Fuzzy Hash: 33310971D043D8CFDB11DF66D6053AB7FF4DB16304F44489AD488A7282DB389645CBA1

Function 04C0F39B Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04C0F430

Memory Dump Source

Source File: 00000000.00000002.1883176093.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c00000_eBHn6qHPLz.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 63366815a471cd88a49ef46f1fccd9328b8fbe2e0d6f9c3b184077abff67923b
Instruction ID: 0cd6908a9ab72e2b08606995100d4ad89fe5120c2f772b83ff14611fd52f8698
Opcode Fuzzy Hash: 63366815a471cd88a49ef46f1fccd9328b8fbe2e0d6f9c3b184077abff67923b
Instruction Fuzzy Hash: 6E215CB19003599FCB10DFA9C880BDEBBF5FF48310F10842DE958A7251C774A554CBA4

Function 04C0F3A0 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04C0F430

Memory Dump Source

Source File: 00000000.00000002.1883176093.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c00000_eBHn6qHPLz.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 533135d3dccf6ac2b679ec3290e6cc5b6d9d3dcf3cb406783bc1c2fde9abde32
Instruction ID: 0933a04f1cacc703fc9032f1ea77c74b5918abff830322d3f4c5d52044530eca
Opcode Fuzzy Hash: 533135d3dccf6ac2b679ec3290e6cc5b6d9d3dcf3cb406783bc1c2fde9abde32
Instruction Fuzzy Hash: C72127B19003599FDB10CFA9C885BDEBBF5FF48320F108429E958A7250C778A984CBA5

Function 00EECD58 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EECDE7

Memory Dump Source

Source File: 00000000.00000002.1858586945.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_eBHn6qHPLz.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5283f4a66c59ff79596c0f37bdd843e6242c96339966da245b6d3e33a66e6ba3
Instruction ID: 5859511717f8d6642d7684eea00ecf4bad6f25b810e620edf3ff6c770db6bf17
Opcode Fuzzy Hash: 5283f4a66c59ff79596c0f37bdd843e6242c96339966da245b6d3e33a66e6ba3
Instruction Fuzzy Hash: 5721D2B5900248AFDB10CF9AD984ADEBFF4EB48324F14842AE958A7250D375A945CFA4

Function 04C0EAFB Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04C0EB7E

Memory Dump Source

Source File: 00000000.00000002.1883176093.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c00000_eBHn6qHPLz.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 9b61706372a2366e8bf96cd10dc7298c50382658b8faf1a9070dde8ac831395c
Instruction ID: 6c52c0a703276185a0a361f83990e7e26aa49d73b06faaa944cf1cff72be0c95
Opcode Fuzzy Hash: 9b61706372a2366e8bf96cd10dc7298c50382658b8faf1a9070dde8ac831395c
Instruction Fuzzy Hash: FF2157B19003098FDB10DFA9C481BEEBBF4AF48324F10882AD459A7240C738A984CFA5

Function 04C0EB00 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04C0EB7E

Memory Dump Source

Source File: 00000000.00000002.1883176093.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c00000_eBHn6qHPLz.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: e5b99ad1d345905e367c2dca16dcdafec8b3a6e7d2e1c82583f521e0e5c280d9
Instruction ID: c41ade15048c5599d20d83c7c47945ec990790f814e73e6ed04dcdc32313ac22
Opcode Fuzzy Hash: e5b99ad1d345905e367c2dca16dcdafec8b3a6e7d2e1c82583f521e0e5c280d9
Instruction Fuzzy Hash: 052129B19003098FDB10DFAAC4857EEBBF5EF48324F14C429D459A7240D778A945CFA5

Function 00EECD60 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EECDE7

Memory Dump Source

Source File: 00000000.00000002.1858586945.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_eBHn6qHPLz.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 86ed33e169a953beffa204ddbefd6b7f84b23b67632c81b6820037ace5d48eaa
Instruction ID: d400c5802c36de66071651f5758de037d0b6f6fc31e5cf5cef7851af8a1621e6
Opcode Fuzzy Hash: 86ed33e169a953beffa204ddbefd6b7f84b23b67632c81b6820037ace5d48eaa
Instruction Fuzzy Hash: 5921E4B5900248DFDB10CF9AD984ADEBFF4FB48320F14841AE918A3350D375A940CFA4

Function 0662DC40 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0662DCB4

Memory Dump Source

Source File: 00000000.00000002.1891664630.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6620000_eBHn6qHPLz.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f19d8d292edb5c4951f0bb4c384c02a3d2e8b5ee1a6e17609a68d15576d4a962
Instruction ID: d33876a5b419077ab310af4e218c70c3c24e34cc2549ff5a35c7f8fffa806501
Opcode Fuzzy Hash: f19d8d292edb5c4951f0bb4c384c02a3d2e8b5ee1a6e17609a68d15576d4a962
Instruction Fuzzy Hash: 231106B1D002499FCB10DFAAC844ADEFBF4FF48320F14842AD559A7250C775A944CFA5

Function 04C0F0F8 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04C0F16E

Memory Dump Source

Source File: 00000000.00000002.1883176093.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c00000_eBHn6qHPLz.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fd22353c44c58610e11a44370ef77ecec69814235a4900d4f670363a4ef12b94
Instruction ID: 3dcd1c3c0fb1ce4fc851648820a754ff343e16dc72c1547d60d637885c30c8af
Opcode Fuzzy Hash: fd22353c44c58610e11a44370ef77ecec69814235a4900d4f670363a4ef12b94
Instruction Fuzzy Hash: 9D1167B19002499FDB20CFA9C804BDFBFF5EF48320F108419E469A7250C775A540CBA0

Function 04B99A38 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SleepEx.KERNELBASE(?,?), ref: 04B99AA7

Memory Dump Source

Source File: 00000000.00000002.1882901319.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b90000_eBHn6qHPLz.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 7bc461420696faa29fc9947a5a7b0e9d7080ca903db9773b1d859c7dd3334d6e
Instruction ID: dd9a4e5199faa3151d58160ac8d715cdd400d354be483b2cee7b26085a2a5fa5
Opcode Fuzzy Hash: 7bc461420696faa29fc9947a5a7b0e9d7080ca903db9773b1d859c7dd3334d6e
Instruction Fuzzy Hash: B01149B19002598FDB10DFAAC444BEFFFF8EB88324F14842ED459A7250CB35A944CBA4

Function 04B99A30 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SleepEx.KERNELBASE(?,?), ref: 04B99AA7

Memory Dump Source

Source File: 00000000.00000002.1882901319.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b90000_eBHn6qHPLz.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: d8e04b2617705ca06bf503582c8223aa61fc97be96894e6b69193d1943d1c05c
Instruction ID: 560d20ecc7e45c76f8f45ac905ded2212d2e842d2d8b16f1db6b22f179c58839
Opcode Fuzzy Hash: d8e04b2617705ca06bf503582c8223aa61fc97be96894e6b69193d1943d1c05c
Instruction Fuzzy Hash: 0D1149B1D002598FDB10DFAAC4457EEFBF5EF88324F24842AD459A7250CB34A945CBA5

Function 04C0F100 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04C0F16E

Memory Dump Source

Source File: 00000000.00000002.1883176093.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c00000_eBHn6qHPLz.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 01ebfde1329de5691996c7efbeebe2cb88973d0bc2ae36c7c61641d485a77d1d
Instruction ID: e9265314c5be60a204a939ce8a9d8ab55fe1382e43abcc0a4aebf05323b049db
Opcode Fuzzy Hash: 01ebfde1329de5691996c7efbeebe2cb88973d0bc2ae36c7c61641d485a77d1d
Instruction Fuzzy Hash: 341167B19002499FCB20DFAAC844BDFBFF5EF88320F108419E519A7250C775A940CFA0

Function 00EEA678 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00EEA6DE

Memory Dump Source

Source File: 00000000.00000002.1858586945.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_eBHn6qHPLz.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3913fe06f358585b7c7d70e5c7fef3915bb288cefef04646e5150348be715006
Instruction ID: 84650a54f3e6cc32b4658dcde551aad5f62887cd5f224be62de6adeaa94b00ae
Opcode Fuzzy Hash: 3913fe06f358585b7c7d70e5c7fef3915bb288cefef04646e5150348be715006
Instruction Fuzzy Hash: 6C1110B5C002498FCB10CF9AC444ADEFBF4EB89324F19842AD428B7210C379A545CFA5

Function 04BADD90 Relevance: 1.5, Strings: 1, Instructions: 279COMMON

Download Yara Rule

Strings

(bq, xrefs: 04BAE044

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 86d587d355a8d6035db043b76560711bee566c61aa32e9eb375cae36da3a5634
Instruction ID: 2cfd90116f2411fdcdcaa5422cd8174b90954269c84b1a744d7b823f9d6fe956
Opcode Fuzzy Hash: 86d587d355a8d6035db043b76560711bee566c61aa32e9eb375cae36da3a5634
Instruction Fuzzy Hash: A7A1C1317042049FDB159F68C954E6ABBB7FF88314F1584A9E50A8F7A1CB32EC12DB91

Function 04BA9208 Relevance: 1.5, Strings: 1, Instructions: 224COMMON

Download Yara Rule

Strings

4'^q, xrefs: 04BA9432

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: b6c38df3ec6536b8e6760944a47fc4bef416fcf508706f299c3eed8c9e36f07a
Instruction ID: 8f4639bdd290563c82a46a039ea3e369f707d96b8148ba884b1049c1960d8b4b
Opcode Fuzzy Hash: b6c38df3ec6536b8e6760944a47fc4bef416fcf508706f299c3eed8c9e36f07a
Instruction Fuzzy Hash: A3A1F934A10218DFDB04EFA4D898A9DBBB2FF89310F158569E406AB360DB71AC56CB50

Function 04BAFD18 Relevance: 1.4, Strings: 1, Instructions: 188COMMON

Download Yara Rule

Strings

(bq, xrefs: 04BAFF39

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: eede5965d02a662e5e0c7a6f39117c9b06b551f32660dec4ff99515ec356bcc5
Instruction ID: b5de5eaa77cc3d11b0dcc79834c1b5fc513968ca7b32c75025e9c04aa574b9e9
Opcode Fuzzy Hash: eede5965d02a662e5e0c7a6f39117c9b06b551f32660dec4ff99515ec356bcc5
Instruction Fuzzy Hash: 61719734B046148FDB14EF64C494AADB7B2FF89304F5089A9E4069B3A4DF34BD56CB91

Function 04BACEC8 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

4'^q, xrefs: 04BACF02

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 97b10c31a1cce0c8a1cb8258fb9e9638c2a404d89bc82f7415d8c6372bde4b39
Instruction ID: 26ed47af81b60155b2a05d33e6519e84f51a9e6073b197da846b300ad8ace1bd
Opcode Fuzzy Hash: 97b10c31a1cce0c8a1cb8258fb9e9638c2a404d89bc82f7415d8c6372bde4b39
Instruction Fuzzy Hash: F7419330B142148FDB14BB64D494AAEB7BBEFC9700F104869E402AB7A4DF74AC16DB91

Function 04BA0BB0 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

,bq, xrefs: 04BA0C13

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: ,bq
API String ID: 0-2474004448
Opcode ID: ab8046d436e961456e5eb13d979b4c8b254be1507f27cf9d750d252698063963
Instruction ID: 7b59539eb2b46ba935e553b471f0c5e1e46e9c02981569b565b00c0a1f4ea7c9
Opcode Fuzzy Hash: ab8046d436e961456e5eb13d979b4c8b254be1507f27cf9d750d252698063963
Instruction Fuzzy Hash: CD4168357011158FCB04EF69C954AAEBBF2EF89310F258069E905DB361DB31ED46CB91

Function 04BA8678 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

4'^q, xrefs: 04BA86D1

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: e19fe18dca1ec219f65adc746717c907903b492aaee35da97303928db12f2238
Instruction ID: ba0a9e12bbb8476a2d7bf669c75e8e110f29f1c5133c946e685a2bd637e22d12
Opcode Fuzzy Hash: e19fe18dca1ec219f65adc746717c907903b492aaee35da97303928db12f2238
Instruction Fuzzy Hash: A231A536A00104DFCF059FA4C994A99BFB2FF8C320F1544A9E505AB375DA31EC16DBA0

Function 04BA8698 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

4'^q, xrefs: 04BA86D1

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 63b8587c0884fbd4a572921854be024831b89570a460dc6469ab8ad514f43c6d
Instruction ID: 15fddbf6d2a2e0d9366e1dd842a9e4e263c3a42f94ef0cb5bc549f153dae4f31
Opcode Fuzzy Hash: 63b8587c0884fbd4a572921854be024831b89570a460dc6469ab8ad514f43c6d
Instruction Fuzzy Hash: 8021A331B001049FCF059FA5C994E59BBB7FF8C320B1544A8E50A9B375DA32EC12CBA0

Function 04BACEC2 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

4'^q, xrefs: 04BACF02

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 5ae48f0aa23f81538742880a9ce9674a2f0c1e4c6ba3c54d7899cf116ac0549e
Instruction ID: b50a34c9d177fad7b3536227d67e8ef05764c625cfcac40510281f43c9b33475
Opcode Fuzzy Hash: 5ae48f0aa23f81538742880a9ce9674a2f0c1e4c6ba3c54d7899cf116ac0549e
Instruction Fuzzy Hash: CA21D630B002088BDB14AF65D8646BEBBBBAFC9B00F104469E406EB390DF746C16DB51

Function 04BA340F Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

p<^q, xrefs: 04BA345A

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: p<^q
API String ID: 0-1680888324
Opcode ID: e3508d40f406c76234702bd2e2e9a92b60daa0a937df984ab158061ebffeaba1
Instruction ID: 9a8ca0d2a4d69b8d2e1f859ebbf3546106f91ded28069bd446aadd9452c1ecfd
Opcode Fuzzy Hash: e3508d40f406c76234702bd2e2e9a92b60daa0a937df984ab158061ebffeaba1
Instruction Fuzzy Hash: FA2149313042549FCB16CF6EC854AAA7BEAEF89310B058095FD59CB361CA31EC61CB20

Function 04BA3420 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

p<^q, xrefs: 04BA345A

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: p<^q
API String ID: 0-1680888324
Opcode ID: c89bddfe2d3170ee7739cabe2808cb0989c51abe4d12f1a47e9c4c7d4eb9695e
Instruction ID: dd2a382cee39c0355fb58e9629f14f937e60eb67f3a6b92f040fb394c718a439
Opcode Fuzzy Hash: c89bddfe2d3170ee7739cabe2808cb0989c51abe4d12f1a47e9c4c7d4eb9695e
Instruction Fuzzy Hash: F3214C713041549FDB16CF6EC840AAA7BEAEF89310F094095FC59CB361CA35EC61CB60

Function 04BA0BA1 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

,bq, xrefs: 04BA0C13

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: ,bq
API String ID: 0-2474004448
Opcode ID: 3dda6d8816be427a027d57fcfdd017631456af8db56b36307792038859b14472
Instruction ID: 3a891a6363527ffa0363cc92f3a9f0b1a3bc4c91d399ccf2ece411bb321002da
Opcode Fuzzy Hash: 3dda6d8816be427a027d57fcfdd017631456af8db56b36307792038859b14472
Instruction Fuzzy Hash: 60119D35B011199FCB04EF69C984A6EBBF6EF85311F258065E901DB361DB31EC01CB90

Function 0662F028 Relevance: 1.3, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 0662F093

Memory Dump Source

Source File: 00000000.00000002.1891664630.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6620000_eBHn6qHPLz.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5b1c32f0e0766b4e78583de8be5abc62dc32748f9365572c95d85765de6579fe
Instruction ID: 8920edd80d364e2f67a50958059306d6405c34907e16a45d3b52eff92be3b895
Opcode Fuzzy Hash: 5b1c32f0e0766b4e78583de8be5abc62dc32748f9365572c95d85765de6579fe
Instruction Fuzzy Hash: 421134B19002499FCB20DFAAC844BEFFBF5EB88320F248819D559A7250CB75A544CFA4

Function 06471472 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

Q, xrefs: 0647149C

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: Q
API String ID: 0-3463352047
Opcode ID: 8e49f80c290236598af0fed77aef7c42119d33cf1adea26084fef9ea4cb4933e
Instruction ID: e2a9196708fdb28c79a7d9671e5638d925bd070a996518f67072c1e1c326793e
Opcode Fuzzy Hash: 8e49f80c290236598af0fed77aef7c42119d33cf1adea26084fef9ea4cb4933e
Instruction Fuzzy Hash: BFF0AFB0D2221CCFDB85EFA8D988B9DBBF1BF08309F0004AAA409AB255D7705A41CF41

Function 06470290 Relevance: 1.3, Strings: 1, Instructions: 16COMMON

Download Yara Rule

Strings

C, xrefs: 0647029E

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: C
API String ID: 0-1037565863
Opcode ID: 11a84e7528c9706b456f01ddb665facdbdb628d65a9a72c16f670517161342d9
Instruction ID: 8c84b4d3cea03a73f5520f0ac09c4928a8a00b4a8c5afc3eccaf024950570679
Opcode Fuzzy Hash: 11a84e7528c9706b456f01ddb665facdbdb628d65a9a72c16f670517161342d9
Instruction Fuzzy Hash: B7E092B4812228CFDB5ACF64C894BDEBBB5FB04708F50119AD50872241C7755B85CE45

Function 04BAD108 Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ee5e4608da59d81bd4bc492680c69d34cd89fba83b2c486724a56c3763738ab
Instruction ID: feb7cb3265d40bccfcffc42d8f106d2708908d3b27b78627c31a2d15c7ef68fa
Opcode Fuzzy Hash: 3ee5e4608da59d81bd4bc492680c69d34cd89fba83b2c486724a56c3763738ab
Instruction Fuzzy Hash: A1120B34A042188FDB14EF64C894A9DBBB2FF89304F5085A8D54AAB365DF30ED95CF50

Function 04BA40AF Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43a6b0775a662bb37fadc57755c13c344146676515988529c3757d7c4d635bfa
Instruction ID: f55c46caec0f5d94bbdb1b32d61aee152bdaccf7c2f0321f14c81de9f2be234d
Opcode Fuzzy Hash: 43a6b0775a662bb37fadc57755c13c344146676515988529c3757d7c4d635bfa
Instruction Fuzzy Hash: E2E1CC31B042049FDB04DF69C485B6DBBE2EB84314F1884A9E805AF392DBB6ED55CB90

Function 04BA0040 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04ed07d398ada9a8f57f5eb84cf46eb72484e53ddaa50d9206c836b54bb5f40c
Instruction ID: 742b2fca0d114e8da7b70cbb0a34e8d924dc6049148d305ef3754ff1237b0824
Opcode Fuzzy Hash: 04ed07d398ada9a8f57f5eb84cf46eb72484e53ddaa50d9206c836b54bb5f40c
Instruction Fuzzy Hash: 56919935B052099FCB14DFA5D958AADBBB2FF88311F1484A9E801EB391CB35ED51CB60

Function 04BAD0F9 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4e6ff4c94e9856480476db9190309924f715a257ab6544b4357e0b8ad4b4352
Instruction ID: 9b9914b1d5761c646ecfdebfe9ed219fb6b6fccda5a319e86bc58177dea6a016
Opcode Fuzzy Hash: d4e6ff4c94e9856480476db9190309924f715a257ab6544b4357e0b8ad4b4352
Instruction Fuzzy Hash: CFA1F534B002188FDB14DF24C994BA9BBB6BF89304F5085A8E54AAB365DF30ED95CF50

Function 04BA3543 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef21f0ab512c98843cb458d6e333b3db3a9e077ed1d03b75c43baf4e93a332c1
Instruction ID: e669d58d8ab2e2b864728f096f260b0021c762391edbd063797fe8fd2d9a0a96
Opcode Fuzzy Hash: ef21f0ab512c98843cb458d6e333b3db3a9e077ed1d03b75c43baf4e93a332c1
Instruction Fuzzy Hash: 36A1BD30E052298FDF11DFA5DA41AEDBBF1FF08304F149059E812A7295EB38A956CF50

Function 04BAE0B0 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: febb1d30a643f44ec1025e79151842334a1595e810ee9b5075c7e6aed4e6527b
Instruction ID: bf095dba6a490c67e8f717241867372a8dfbdf49b5894ccc9d4a4dd8805c1992
Opcode Fuzzy Hash: febb1d30a643f44ec1025e79151842334a1595e810ee9b5075c7e6aed4e6527b
Instruction Fuzzy Hash: 82814934B54214DFDB04EF68C498AADBBB6FF89714F1440A9E5069B3A1CB30EC52CB90

Function 04BA59A8 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 915c41f83e6d2c72938f715024cc5036881a54990e686222cfa938da177599ff
Instruction ID: a07a6b0758ba931aa3952d0a38a9d84d285bdb70de85d1978887e2c75ad91a01
Opcode Fuzzy Hash: 915c41f83e6d2c72938f715024cc5036881a54990e686222cfa938da177599ff
Instruction Fuzzy Hash: B0810435A00618DFCB24DF68C58499EBBF5FF88715B1585A9E8169B360EB30FD42CB90

Function 04BAE0A0 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3db9a1f881f1f1a0e5b693a3af2d6522985e97df78743411e7388e2ec2af27be
Instruction ID: 4d24fa3bface523138529778c6e7b05b75a2d9add376633c25e22c18324bc1e3
Opcode Fuzzy Hash: 3db9a1f881f1f1a0e5b693a3af2d6522985e97df78743411e7388e2ec2af27be
Instruction Fuzzy Hash: 39613C34B54214DFDB04EF68C894AADBBB6FF89714F1485A9E9059B361CB30EC51CB90

Function 04BA7C21 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79fbbe71a173c0f1a0585f7c25af3c347ad618a5041fd125fa2741378b611467
Instruction ID: 7f4aca134219a0e653578e1af7b5f227a5ec057bf964c1e64846aaf1499cc9c0
Opcode Fuzzy Hash: 79fbbe71a173c0f1a0585f7c25af3c347ad618a5041fd125fa2741378b611467
Instruction Fuzzy Hash: 42517E3020814ADFDB11DF29C984FA9BBB1FF44318F0586A5E8149B2A5DB74FDA5CB90

Function 04BA8DE8 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c5347072ddcd18d152a6f205c1d04bd8f88aa4f13af62fefc9abf500d150df4
Instruction ID: a7d207892dfa597d11be466d8958db5b45d49cd02e0509d7d040dc1dbc695c8b
Opcode Fuzzy Hash: 7c5347072ddcd18d152a6f205c1d04bd8f88aa4f13af62fefc9abf500d150df4
Instruction Fuzzy Hash: 6E51A134B105099FCB04EF64E498AAEBB76FFC9711F008519F50297364DF31A946CB91

Function 06477128 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37abfd2bb0bf3dc4ed9ff2b971d2897b30ad12f449f0bebe5969f5be1e3d97f0
Instruction ID: 34098f27ee40f54bc884a25465c7b9895d0169acaa0cd9ff183648af7d7c4b7d
Opcode Fuzzy Hash: 37abfd2bb0bf3dc4ed9ff2b971d2897b30ad12f449f0bebe5969f5be1e3d97f0
Instruction Fuzzy Hash: FA51C370E01209DFDB58DFA9D594ADDBBF2BF89304F20802AE419AB351DB359946CF40

Function 06477119 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86a78b0c3dd3fddf40a1fbe3db857bded19a75169db53fb40d1c6d5fd2bf6182
Instruction ID: aa60e342249e48e9adabd3cf33961bf22f0bcab5d0e7a9b3080e0aa2c7ef7ac9
Opcode Fuzzy Hash: 86a78b0c3dd3fddf40a1fbe3db857bded19a75169db53fb40d1c6d5fd2bf6182
Instruction Fuzzy Hash: 3841E470D01208CFDB58DFB9D5946DDBBB2BF89304F24806AE419AB360DB309946CF40

Function 04BADD7F Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a77a37362fe7b4887fd538e99fb71293fecb4a2d543ab76e461e3b493c6da6bc
Instruction ID: a3d4cf403b52445af57e0a083e72dee0b3f06e5754e28d6ff3c01cb13f9c6a62
Opcode Fuzzy Hash: a77a37362fe7b4887fd538e99fb71293fecb4a2d543ab76e461e3b493c6da6bc
Instruction Fuzzy Hash: 0931C0317046008FD724AF24C884B6AB7B7FFC8304F148AA9E1064BBA1CB31F856D791

Function 04BA5998 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 895cbf736390e1a6f3784f4fc6495bdec29401ce02bb4f47fb96da060aecc656
Instruction ID: ca4e176d1ecb05d4cc673e0452c9da40974bc4ec9fb704385a6794bf2848c1f4
Opcode Fuzzy Hash: 895cbf736390e1a6f3784f4fc6495bdec29401ce02bb4f47fb96da060aecc656
Instruction Fuzzy Hash: C7414075A05118AFCB24DF69C884D9EB7F9FF48310B1581A6E855D7321EA30FD51CB90

Function 04BAB9D0 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c5d3fceaab9d87f6390958c6834bf167b2e8ed4008d2266104bc0debdbf5a9b
Instruction ID: 4feab0dcd88808885feb591903f8944b5db07e4beecc05ae16b514bf01feb475
Opcode Fuzzy Hash: 5c5d3fceaab9d87f6390958c6834bf167b2e8ed4008d2266104bc0debdbf5a9b
Instruction Fuzzy Hash: 043108366101099FCB05DF58D988E99BBB2FF49320F0680A9F6099B372DB31EC56DB50

Function 04BA08F0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61cd1dc8fbfb6158030ad789434d8ed7b3ff5818d27c5e4c1028e05dd569ac0a
Instruction ID: 7377a3517781bf3d923b604711eaf1e8cc6a438e99ebb7c9479f3f046bc60d0a
Opcode Fuzzy Hash: 61cd1dc8fbfb6158030ad789434d8ed7b3ff5818d27c5e4c1028e05dd569ac0a
Instruction Fuzzy Hash: 5341DF31A04319CFDF00EFA9C941AAEBBB0FF98714F00806AD506E7290DB30E955CBA1

Function 04BA12AF Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dc5b1f214f682875ae219d268655eb8b0cb210e392c124870d1ce979acff210
Instruction ID: 4b0ece22c75b98fc50896e77ad1ca628be31c9ff31277dc9371f746d37780953
Opcode Fuzzy Hash: 4dc5b1f214f682875ae219d268655eb8b0cb210e392c124870d1ce979acff210
Instruction Fuzzy Hash: D941E234A052289FEB64DF28C991F99B7B1FB58710F1041D5EA09AB391CA71ED91CF50

Function 0647EA20 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e501aecaa2a2ca645fe5b9ebb917ce76967144f193635b519edbea5cafddc73
Instruction ID: dfdbdc9e932de1df00f71ec775440bdbb2b042f49cfca0a36a13f81e1e3409f7
Opcode Fuzzy Hash: 3e501aecaa2a2ca645fe5b9ebb917ce76967144f193635b519edbea5cafddc73
Instruction Fuzzy Hash: 91415C74E14208CFEB44DFA9D9856EEBBF6FB88304F1091A6D419A7344DB345A45CF90

Function 04BAE3C8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a73daecead507f61ba0a29943d6a022e3785a69092ea1309870eebf5f959ae85
Instruction ID: 5172c267d617613fd808c3b2cd90cc6de76a2a52f4b6b951cbbc0437ccd72818
Opcode Fuzzy Hash: a73daecead507f61ba0a29943d6a022e3785a69092ea1309870eebf5f959ae85
Instruction Fuzzy Hash: 8E312D35A441189FDB04EFA9D894AEEB7B6FF88310F1080A5D905B73A0CF31AD15CBA0

Function 04BA2B01 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88707e4eb987341b7b0e94448ec9f256b72fffd88aa4696dbd4932694180a39f
Instruction ID: 5a5b7ad13ddca0a990d155069a5fc74f77d6ac80d84955cba7a216f80116e622
Opcode Fuzzy Hash: 88707e4eb987341b7b0e94448ec9f256b72fffd88aa4696dbd4932694180a39f
Instruction Fuzzy Hash: FF319E34A00304CFC729AF35C854A2ABBB2FF85315B1488ADE8068B361DF35E946CB60

Function 04BA9B88 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a287bc7d16e47c3140cfbedfb760387c82067b765c36a3a917f8a4ccf17fc4e
Instruction ID: d48c74b4f0a9df106078bc3301c9b1e4145a37c3967f33e99f0f25e22d83148a
Opcode Fuzzy Hash: 7a287bc7d16e47c3140cfbedfb760387c82067b765c36a3a917f8a4ccf17fc4e
Instruction Fuzzy Hash: 5A21C5723096009FD7249B6EE984B66BBE5EFC1325F15C8BAE10DC7251DB31F84687A0

Function 04BA50CA Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 267d40b2c7146a9fc2476d262c19f45778cb6895b1623c77f25cec41315eaee4
Instruction ID: d083ed0637a8c68080dd50b300ad7c1766983fe0db480a5a1c624e9da88a41fa
Opcode Fuzzy Hash: 267d40b2c7146a9fc2476d262c19f45778cb6895b1623c77f25cec41315eaee4
Instruction Fuzzy Hash: 2A31B131600209AFDF24CF15D885BAA7BA6FF44359F1485A9F805CB3A1CB75E9A1CB90

Function 0647D9E0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9a924dace9bb12454474104c3a17f6d8dfec7fa3c7710bba9186a6b9df852ef
Instruction ID: 6e3fbbc74dc0ebd00180dc2f5ff719d0aa47bffc4b543576429bcdc3dd6ed3b5
Opcode Fuzzy Hash: a9a924dace9bb12454474104c3a17f6d8dfec7fa3c7710bba9186a6b9df852ef
Instruction Fuzzy Hash: 9731C674E18208DFDB84CFAAD644AEEBBF5BF89300F1090AAD419A7354D7745A41CF90

Function 06476841 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae244b3a12e2332c942b73623b67cb96a41c5ce6cf3e1261fc7890e6b755c660
Instruction ID: 1c4798e128323c78caa113b9580a023818ceb6ad72944a2a22f62024a6abbd3a
Opcode Fuzzy Hash: ae244b3a12e2332c942b73623b67cb96a41c5ce6cf3e1261fc7890e6b755c660
Instruction Fuzzy Hash: 1A31EA74E01618DFEB58CF6AE844BDDBBB6AB86310F05C0AAD41CA7354DB305989CF51

Function 0647D880 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0d2f9010d1d7157aae1e790c2b17c0e0b52d1a386a1bcd0c677a3409a4e4647
Instruction ID: 7864f7e122837ed948580cd1eb7eb068d5444388358680a974edc5b426da94f1
Opcode Fuzzy Hash: b0d2f9010d1d7157aae1e790c2b17c0e0b52d1a386a1bcd0c677a3409a4e4647
Instruction Fuzzy Hash: 0E311670E002089FCB09EFA9D8856EEBBF6BF88710F10842AE415B7364DB315941CB91

Function 04BAF180 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 593e3da53ac75a607d41d60807110ca6892a56ec22ff9c1f81b88574279511b1
Instruction ID: c7f906981ae96d8a1f5b5f857b54b38cfa44e33f4ff49ad18f7f72acfabaa376
Opcode Fuzzy Hash: 593e3da53ac75a607d41d60807110ca6892a56ec22ff9c1f81b88574279511b1
Instruction Fuzzy Hash: 6D217474B146098FCB00FFB8C5448AEF7B5FF89704B10456AD506A7360EF70AA16CBA1

Function 06476850 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f92d9f457f1ae66eef16f41ecf86a3db46b6d1769cd82a7761c0998a9a94a45a
Instruction ID: 003316b12b30c3f079a5fbf209d94d75133deb35b62f5cc662b4575212715d56
Opcode Fuzzy Hash: f92d9f457f1ae66eef16f41ecf86a3db46b6d1769cd82a7761c0998a9a94a45a
Instruction Fuzzy Hash: F631F874E05618DFEB58CF6AE844BDDBBB6AB86300F01C0AAE41CA7354DB305985CF51

Function 04BA2980 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc01090190af6285303aaa164aa5d7e721012d14ddd40880d077b14463f322ba
Instruction ID: 89236b31b61b36aabd025e56fe8e0d994016ca8ae8866c2b135aae8e711871b9
Opcode Fuzzy Hash: cc01090190af6285303aaa164aa5d7e721012d14ddd40880d077b14463f322ba
Instruction Fuzzy Hash: 7B213631A042099FDB58DAB8D904BAEBBB4EB54340F1080F6D519DB290E634EA66DB91

Function 00E9D104 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1858445096.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e9d000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2f5bc052f3e6ce222e9171308432178dec03f3ae54a5ec8775a5b5b457d83a6
Instruction ID: 4bb6726824b58883e5e6e7a9fb842e62497b5d87790e55e13f668b0ddfc1b420
Opcode Fuzzy Hash: e2f5bc052f3e6ce222e9171308432178dec03f3ae54a5ec8775a5b5b457d83a6
Instruction Fuzzy Hash: 6F213772109244DFDF05DF14DEC0B2ABBA5FB84318F20C169ED091B255C33AD816C7A2

Function 04BA08DF Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c764dbaea13c5b4f593a7c7fa3e0c51211b25ec617659b254308b96b8116d60e
Instruction ID: ec2a637172d987e50cd00b6f29ad56342c04c461127417d0506b641ee8390195
Opcode Fuzzy Hash: c764dbaea13c5b4f593a7c7fa3e0c51211b25ec617659b254308b96b8116d60e
Instruction Fuzzy Hash: 0B21AF71A043198FDB10EF69C954AAFBBF1FF88754F008469D906E7350EB31A855CBA1

Function 04BAB9C1 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0671ad74e5aeddff1c41e7e9c886de14ff78be4c6ad26da673b0439fa1662482
Instruction ID: af189db20f6b137d8712054497adfc046c4eaba93d76cd94494e35def292de7c
Opcode Fuzzy Hash: 0671ad74e5aeddff1c41e7e9c886de14ff78be4c6ad26da673b0439fa1662482
Instruction Fuzzy Hash: 12211D76A11104DFCB05CF98E988E99BBB2FF49320B1680A9F6099B372D731EC55DB50

Function 00E9D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1858445096.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e9d000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e481e432c17de7fe99785345720218726c4e312a5f1716702866fe82f8e72c5
Instruction ID: f9a403e81774ab6edcfe0c1bd1bc13a92a01d41a00704ca367325a59bd69fbd1
Opcode Fuzzy Hash: 9e481e432c17de7fe99785345720218726c4e312a5f1716702866fe82f8e72c5
Instruction Fuzzy Hash: 1A21F271608300DFDF14DF24D984B26BBA6FB84318F20C569D84A5B296C33AD847CA61

Function 04BA72B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28d16edfdcd1aef5bdf0cefbdea688bfacb8dd2b011528b174138c9db592c7ea
Instruction ID: 5b37f0085a6b3c3eb59220675551ddb6b3a8d79e0edf010d4e92b0614692b79d
Opcode Fuzzy Hash: 28d16edfdcd1aef5bdf0cefbdea688bfacb8dd2b011528b174138c9db592c7ea
Instruction Fuzzy Hash: B0210631A041098FDB04DF58C644ADDB7F2FB88311F1145A4E805AB3A1CB72AD45CBA0

Function 064777D8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4d64909d4c6cc217d8b5b778becd610b2d885fd75590c183964b6b9813957cf
Instruction ID: 7116cb49fa00ba9ae70b48967d07151f248e64a866e47583d75c892ef3df2d5e
Opcode Fuzzy Hash: b4d64909d4c6cc217d8b5b778becd610b2d885fd75590c183964b6b9813957cf
Instruction Fuzzy Hash: 3A213970E1420ACFCB44DFA9C5456AEBBF6FB48300F6195AAD414A7344DB389982CF91

Function 06476DBC Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c0cf55884f4877c61afa22218dfbd1dc3ae75333606eb54f290da04117954fe
Instruction ID: 12d8efe2792a9b319cea894acbf86e2145a8ae3b5c8befe977947e31b0a8ff30
Opcode Fuzzy Hash: 0c0cf55884f4877c61afa22218dfbd1dc3ae75333606eb54f290da04117954fe
Instruction Fuzzy Hash: 7831B474E01618DFEB94CF69E984BD9BBB2BB46305F0280DAD45DA3350DB305985CF51

Function 04BAF17A Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c7b652d511850ad58e9899b0f1f7c450028b396d6076b79e67cde51d48be60a
Instruction ID: 73d0de97727e57610568556e0394c470cbb4732553a886b1894299e21ad9d6de
Opcode Fuzzy Hash: 3c7b652d511850ad58e9899b0f1f7c450028b396d6076b79e67cde51d48be60a
Instruction Fuzzy Hash: DC216674B146098FCB00EFB4C5849AEF7B5EF89704B10456AD505A7360EB70AA16CBA1

Function 04BA72A1 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e7b2d351fee81905b13ae1c4c095e72ff98296fd73ece42d2f44634131b0a0e
Instruction ID: 3eb4925ac7b58304795af8302d58d6379afe7f3a954e7705bed9b162bbd30d2d
Opcode Fuzzy Hash: 7e7b2d351fee81905b13ae1c4c095e72ff98296fd73ece42d2f44634131b0a0e
Instruction Fuzzy Hash: 90211331A042098FDB14DFA4C655ADDB7F2FF48300F2149A4E845AB3A5DB35EE85CBA0

Function 06476D58 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d2de472d00cc729677b2b64c717a0ccb2ffa512e18c90e181ab231441a0a4f0
Instruction ID: 56fca7b8e7d15bac14e9e2fc0afe158aa11a5e806aba9637970680d38bf04cd4
Opcode Fuzzy Hash: 4d2de472d00cc729677b2b64c717a0ccb2ffa512e18c90e181ab231441a0a4f0
Instruction Fuzzy Hash: AD319374E01618DFEB68CF6AE884BD9B7F2AB46315F0680E6D01CA3350DB305A85CF51

Function 04BADCD0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d23299f5daca3fa97cf58984227287f0632ecaf9dd71aade8673ff83b70b7bd6
Instruction ID: 2ee5472185c5091e71e9a6aa548455338c3298ae90d2f9a6c302fc8ff0a9cbbb
Opcode Fuzzy Hash: d23299f5daca3fa97cf58984227287f0632ecaf9dd71aade8673ff83b70b7bd6
Instruction Fuzzy Hash: 21219D747006048FC714EF28D984AAEB7B6FF88310F1445B9E5069B760DB31ED15DB91

Function 06476B2F Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a68ed6cdf82a0b692cd9507350c7841c686e766dd96747c10058c657ed324b
Instruction ID: 424a8c5cf017d93ef181ec601407bd655a192879b9c70e0dd2355ed1e277dc0f
Opcode Fuzzy Hash: 97a68ed6cdf82a0b692cd9507350c7841c686e766dd96747c10058c657ed324b
Instruction Fuzzy Hash: 79319174E02618DFEBA8CF69D884B99B7B2BB46304F0181EAD01CA7350DB305A89CF51

Function 00E9D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1858445096.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e9d000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a90b8c8b1b5cf6a8a8399da1f669ef98af64604704b9ea520d58dd33ddfbabb
Instruction ID: cf6d89a51d8693374fc9fac5f9dc6c5503d6726eff3cb62a76de67f4a91f4aae
Opcode Fuzzy Hash: 9a90b8c8b1b5cf6a8a8399da1f669ef98af64604704b9ea520d58dd33ddfbabb
Instruction Fuzzy Hash: BD21537550D3808FDB12CF24D994715BF71EB46318F28C5DAD8498F6A7C33A984ACB62

Function 04BADCE0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f15b2b9e8ede4ca9ae95aec0adc9ecedaa27af8d96168ce97af371850f692fd4
Instruction ID: 1f08abba32a88baa6b0ae8135b71f962076b6d8a9a4aacb4c11fb6438ec407b2
Opcode Fuzzy Hash: f15b2b9e8ede4ca9ae95aec0adc9ecedaa27af8d96168ce97af371850f692fd4
Instruction Fuzzy Hash: B9115B74B006048FCB14EF29D884AAEB7F6EF88310F1445A9E5069B360DB70ED15DBA1

Function 04BAC400 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0b1b1072e8fd5420f9275c66158d1e5ead1324b340aa8cbe05aafd27da836a3
Instruction ID: 0366b674f713290a6558cec18d8d95ce760ad17287ffa7301c31f287c5c1a5e9
Opcode Fuzzy Hash: b0b1b1072e8fd5420f9275c66158d1e5ead1324b340aa8cbe05aafd27da836a3
Instruction Fuzzy Hash: A31101353056488FC306AB34C45565DBBB2EF89310F0488AAD506C7792CF35EC07CBA1

Function 06476A81 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d09f046ec1394a69b1bae849c59c1e03eb9277eb8f814dd87ca0b5a94168db15
Instruction ID: 28554f3cd94c291a724d850d9fd9395ad88bdd2bb80645cf80f00c6ebd3bdf68
Opcode Fuzzy Hash: d09f046ec1394a69b1bae849c59c1e03eb9277eb8f814dd87ca0b5a94168db15
Instruction Fuzzy Hash: 3621B474E02618DFEB54CFA9D884BDDB7B2BB06304F0280AAE05CA7350DB345999CF51

Function 0688FE48 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891954330.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6870000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11899bee64befea893eb55eb06379b10547372292acb33c1a686e7bc4747be6e
Instruction ID: 21741d48c5387806031a7100184120ca9e2f2163a23afb5df77e145fe88f69d8
Opcode Fuzzy Hash: 11899bee64befea893eb55eb06379b10547372292acb33c1a686e7bc4747be6e
Instruction Fuzzy Hash: 0011C235F102089FCB60AF69C855BAE7BF2AB88751F00442AFA05DB380DB71C901CBA1

Function 00E9D0FF Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1858445096.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e9d000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8904e6e2034f6e8b723f427b0fac37b038faba2da46a35eb3e2bfe2bad4ef527
Instruction ID: 98d02194f46e18255ee1666b8eeef3db1c3971dc37e85616cd31e8bf817d332b
Opcode Fuzzy Hash: 8904e6e2034f6e8b723f427b0fac37b038faba2da46a35eb3e2bfe2bad4ef527
Instruction Fuzzy Hash: DB11AF76509284CFDB05CF10D984B16BF62FB84318F24C1A9DC491B656C33AD91ACBA2

Function 04BA0B20 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b7c36639d40792a960d831981f46862cb830ec052e011e062b057de0ed638df
Instruction ID: 6e981f586663a78cf6986c76d036b23aeb3aebf225dbe8a5e58bbb148d92f59f
Opcode Fuzzy Hash: 7b7c36639d40792a960d831981f46862cb830ec052e011e062b057de0ed638df
Instruction Fuzzy Hash: 6701D8336082585FD754DE99D044BDEBFE4EB55360F6484EBE484CB250D631E994C790

Function 06476B9F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa5301c130cbc49dc72c065a79db0b5905e6e7b0e367d88c15698c64aebc86d5
Instruction ID: a7f1cad7446d58c3961a79b87cefc32244b84ca36c0b8066d772c29d23cdd8da
Opcode Fuzzy Hash: fa5301c130cbc49dc72c065a79db0b5905e6e7b0e367d88c15698c64aebc86d5
Instruction Fuzzy Hash: 3E219274E01618DFEB94CF69E884BDDBBF1AB06314F02809AE41CA7350DB305989CF51

Function 04BAE4F8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8794160e6105e258727fbf36ba4a3fc955daa7e365b8c4533f441cb7161bc1de
Instruction ID: 94980a532cdaf9299de36809649af4a00e09539dad677fc5b7539aa8cd674f9c
Opcode Fuzzy Hash: 8794160e6105e258727fbf36ba4a3fc955daa7e365b8c4533f441cb7161bc1de
Instruction Fuzzy Hash: 4B01DE307043049FD325AA34D540B3A7BA2EBC9324F088AADD6564B7A0DB75F813DB81

Function 0647DC30 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71d9ce40518d6987c79bd32ac35a4008f309c775840297d077ceab577b9aeb86
Instruction ID: 1a76a7a7ae5031a5a376a73e87172af5e988bb8588951b1b8d94196681eca4a9
Opcode Fuzzy Hash: 71d9ce40518d6987c79bd32ac35a4008f309c775840297d077ceab577b9aeb86
Instruction Fuzzy Hash: 0D117C70D15208CFEB44DF65E9857DEBBBAAF89302F1090A6E149A7244CBB01A81CF41

Function 06476929 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e363cf7dbea81b53cd48b3b0f91ed543b9368df8c870f494b0974ea5c6e8078e
Instruction ID: c9bb43f0ad97e16169829565d648fd3d8808ea73acb8462749217f7594462fd3
Opcode Fuzzy Hash: e363cf7dbea81b53cd48b3b0f91ed543b9368df8c870f494b0974ea5c6e8078e
Instruction Fuzzy Hash: FF11B674E05618DFEB54CF6AE884BDDB7B2AB46314F02D0AAE01DA3350DB305989CF55

Function 0688EF30 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891954330.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6870000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afddb71d6d86eb611e06754bcf4664dd01aada9897fa75a43c0d50d40fdd2bd3
Instruction ID: 68b4607034fca70c594f25ccb4c7e2a1386ad0937a817570659b3fe1046be36e
Opcode Fuzzy Hash: afddb71d6d86eb611e06754bcf4664dd01aada9897fa75a43c0d50d40fdd2bd3
Instruction Fuzzy Hash: 7311F3B0E0020D9FCB48EFB9C9456AEBBF5BF88300F20856A9418B7354DB349A41CB91

Function 04BA8051 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7e1d50ebca21ea99ed4c0d2195765f7c0f716cbbe16b5ea72d85fd3c9c92534
Instruction ID: 60663a0be467c6fceb3ca04238d678f9bd31132f328d24e5c6bf2b82d4eeffc8
Opcode Fuzzy Hash: d7e1d50ebca21ea99ed4c0d2195765f7c0f716cbbe16b5ea72d85fd3c9c92534
Instruction Fuzzy Hash: A7F027B270A1154BD76039389D5BB1ADDF9DB85610F04497DFE44C3301D8009D0693A0

Function 04BAE508 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4da4ae4b4bf5481c00144567328bd794164c38d5b82ab3f71ee7247ea88f676
Instruction ID: 8beee82e99714047d033fc2c529afadbca5a21c1261c08a19433517bcfa1222f
Opcode Fuzzy Hash: f4da4ae4b4bf5481c00144567328bd794164c38d5b82ab3f71ee7247ea88f676
Instruction Fuzzy Hash: C1019A307042048FD725AB24D554A3A7BA2EBC9328F148AADD5564B7A4DB76F812CB81

Function 064777C8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ffd161607d3ae546eede672c99a42213a1b5afb7a37d121c311961ac6ec49bf
Instruction ID: d218f9762a7da2236e9154caa45b58e7b3f0247cd18e44926419c6b268adef93
Opcode Fuzzy Hash: 4ffd161607d3ae546eede672c99a42213a1b5afb7a37d121c311961ac6ec49bf
Instruction Fuzzy Hash: 36118C70D0930A8FDB85DFA9C9412AEBFF2EF48300F9494AAD008E3251DB344681CF91

Function 04BA0CF8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e396617dd430587b6fb724bc4ecfe82129d82631d504add4bf1599329872f808
Instruction ID: 43459aa765946093f80f935cd20eb789991d1b38ec42f8bc5cf5b795dcf605d8
Opcode Fuzzy Hash: e396617dd430587b6fb724bc4ecfe82129d82631d504add4bf1599329872f808
Instruction Fuzzy Hash: F2F062313011109FC7049E29D894B66F7DAFBC8A54F2480B9EA09CB366DE35EC1197E1

Function 04BAFD0D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0efdd30f59c911284b4b033504141a5c6ced1b6a0d9ef8172e74161b20474688
Instruction ID: 61f95cf2b667a4922edb2a1423ebc69fd6c634c05b15616c7bd178f395f422e8
Opcode Fuzzy Hash: 0efdd30f59c911284b4b033504141a5c6ced1b6a0d9ef8172e74161b20474688
Instruction Fuzzy Hash: 09F02232B112148BDB14DB24D454BEEBBB6EBC8314F00467AF5029B380CF725C16C790

Function 04BAC410 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46f8abbb7b4f6a26eb7c220970a08847d5914c1a70d2305b17def029e4ef7dbd
Instruction ID: 19c8545fbcff6b4ff86fc901a342dca98b89b9a1b351eaf86aae18ae9740fe9f
Opcode Fuzzy Hash: 46f8abbb7b4f6a26eb7c220970a08847d5914c1a70d2305b17def029e4ef7dbd
Instruction Fuzzy Hash: 20018C357006189FC708AB25D45491EBBA2FBCD725B108529E90A8B790CF35EC02CBD5

Function 04BA8DD9 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e37ad589899134875e6e40d634b755734ff35319a856187a15fd79baff6b4e4a
Instruction ID: 33129669c9083e7a759644929d4157bd1dbcc173c1a7103088340055f4f6ed5e
Opcode Fuzzy Hash: e37ad589899134875e6e40d634b755734ff35319a856187a15fd79baff6b4e4a
Instruction Fuzzy Hash: 6FF096367000096BCB14AA19D88496EB77AEB88360F044465E915D7360DE71AD16C790

Function 04BAC188 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2210ca2cd3be888b187b0ff11bcc50f07ae0cf65db70ba7c0d94380ced686c96
Instruction ID: ca8cdd3513fd236cf04024de68d08bebac4e4003242752569f3cbf14aea4e982
Opcode Fuzzy Hash: 2210ca2cd3be888b187b0ff11bcc50f07ae0cf65db70ba7c0d94380ced686c96
Instruction Fuzzy Hash: 63F062393002049FD3049F25C855E6A7BAAEF88720F044469F905CB360CA31EC42DB90

Function 04BA8232 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0014091650cce501b8be765476628d51d65b5e86ac6d2d190b90d768379838d5
Instruction ID: 4049689dbe0f87db74d094117643fc22a18ca295a30a34b6cae745d2db925698
Opcode Fuzzy Hash: 0014091650cce501b8be765476628d51d65b5e86ac6d2d190b90d768379838d5
Instruction Fuzzy Hash: D7F02E326002045BC7106E19DD85B97FF69EBC4325704CA36E115C7335CE70E94ED7A0

Function 04BA80C0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892a6c788f6c8524c26707e897e11c61f0c1add15105ba33a17749d124a32da7
Instruction ID: 9e42bc5642e6636d7a89d8e37e0304d410bdb261edff2262eee59236c940a8df
Opcode Fuzzy Hash: 892a6c788f6c8524c26707e897e11c61f0c1add15105ba33a17749d124a32da7
Instruction Fuzzy Hash: 8EF05C61B0E1114FD7713A38AC6523CEBA1DB85640B4409FDD945C7711E904DC1383B0

Function 06477378 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e40a7273a95ee4dd1bed998851f54aaa548588accd880acc489026b666e0c1a1
Instruction ID: c19d6531ffff7d83e60c4733d52bf204ec0ac80e60bcd8c69ca7c0afe0acef0e
Opcode Fuzzy Hash: e40a7273a95ee4dd1bed998851f54aaa548588accd880acc489026b666e0c1a1
Instruction Fuzzy Hash: BEF0C474D1520DDFCB94DFA8D5456AEBBF8AB48304F6045AAA809A3240EB345A51CB91

Function 04BA11B0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b59a2bc97e0fe5c5eef729fac8aebb8a7e9289993ec87966c93d05eb190b6f35
Instruction ID: c84fbde4cf8164cafe4c6b520ba9a15f0a9807e0872a8307fc1aa482d83527b5
Opcode Fuzzy Hash: b59a2bc97e0fe5c5eef729fac8aebb8a7e9289993ec87966c93d05eb190b6f35
Instruction Fuzzy Hash: C8F08236D04608AFDB09DFA8D54E7DDBFB6EB44321F04C495E40592290DF706A95C794

Function 06472E78 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9ff18034fafc97a5e0ff188c670d29bd6ef7275d18ef5853245051711ec432d
Instruction ID: 62ab8d37e75e5e8e899272566c2bce73f54f2a9f8730275d7b7dec9aa3fa84cd
Opcode Fuzzy Hash: d9ff18034fafc97a5e0ff188c670d29bd6ef7275d18ef5853245051711ec432d
Instruction Fuzzy Hash: 9CF01D7590424CAFCB80DFA8D8417AEBFF8AB48210F14C0AAA858D7341D6359A12DB90

Function 04BA9C90 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 185f0719db3f56da32da576f5e0b647dddc97ee9e93f1df8ae49df6607ff3661
Instruction ID: 7966f2c6fa61850722b8cb96037e626b5963dd9a9f797b0777078461541b4fb1
Opcode Fuzzy Hash: 185f0719db3f56da32da576f5e0b647dddc97ee9e93f1df8ae49df6607ff3661
Instruction Fuzzy Hash: 06E0DF72A09A120FDB51562CED0278967F6CF84628F088B21E89AC7385EF14E9074360

Function 04BAE6F1 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6419998fa32641413e3eb3349e3177c4513ac0d63a600169b462f1a8393e022c
Instruction ID: 6a149ec55eb804273f1d6403ed0da8bcff4189a0a30b6601f8f12fbb23bccbba
Opcode Fuzzy Hash: 6419998fa32641413e3eb3349e3177c4513ac0d63a600169b462f1a8393e022c
Instruction Fuzzy Hash: C7E0D132F0811827E704F96AD80279FBBE9D7C0750F04C076DA18D7381DC7579014794

Function 04BAC198 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: befdca35fb8f7bbfe3944dcfd8d211ae23b84fbc7c72699c513cba30fb0f9cd4
Instruction ID: 126f7e90bef668515cc833a1545f34507287c77218dbac79255195be0d0f9120
Opcode Fuzzy Hash: befdca35fb8f7bbfe3944dcfd8d211ae23b84fbc7c72699c513cba30fb0f9cd4
Instruction Fuzzy Hash: 8DF05E353112049FD704DB29D454D6A77AAEFC9721B1444A9F9468B360CA32EC42CB90

Function 06477369 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 314a35daffe409d3f7fa8a0eef105f26029c10bdb38c28f9de33ea467e7a4dc7
Instruction ID: 7238870d59caad587f0ebd0bc0c6ecb1134d5fa94786fb8e714375894867b505
Opcode Fuzzy Hash: 314a35daffe409d3f7fa8a0eef105f26029c10bdb38c28f9de33ea467e7a4dc7
Instruction Fuzzy Hash: 59011970C0120DDFCB44DFA8D5457EEBBF4BB08304F6085AAA818A7251E7304B51CB51

Function 06831028 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891811113.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6830000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2dfc5883e65c470efe19d8a88ce599595dcba6b6d45597caba7a237c6ec8312
Instruction ID: 72b3d244cbf38dfb517201cadd5ea99f27e8ee48cce2cafc93aec571ee9e8455
Opcode Fuzzy Hash: d2dfc5883e65c470efe19d8a88ce599595dcba6b6d45597caba7a237c6ec8312
Instruction Fuzzy Hash: 7CF0653050D299DFCB07CFA4D51055DBFB49B46300F2555EFD488DB292C6314A56D781

Function 06472E88 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e86066482bddaddeb9ed4f9c79582b895df50df11fd2ec84c87dbdf0c6bdb2b9
Instruction ID: b22ab7d8b9e2431c972c16c99291df8131121669072882a90bbe51a5468b09d1
Opcode Fuzzy Hash: e86066482bddaddeb9ed4f9c79582b895df50df11fd2ec84c87dbdf0c6bdb2b9
Instruction Fuzzy Hash: AEF0F874D0420CAFCB91DFA8D840AAEBBF8AB48310F14C0AAA858D3341D7359B51DF90

Function 04BAE700 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a947177376abd823af065452291c7d35f9e3b63fe64739e1693651ee0c6facf0
Instruction ID: cf4fffaa321fe472f3020f9b9c6cca797f43d1134e3ad2359f26bc7bc5299ed6
Opcode Fuzzy Hash: a947177376abd823af065452291c7d35f9e3b63fe64739e1693651ee0c6facf0
Instruction Fuzzy Hash: 15E08632F082182BEB14E65A9411B9FB7DACBC4764F0080AAD619D7380DDB5790147D5

Function 04BA11C0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 663bbce2caab64df816a8d51b4e5d7edbefad4885e1deea066952349ecdea5fb
Instruction ID: 218efd65d17439e4de4196f9672662e4e333a8ffe7f94f758e9c9c98499d99eb
Opcode Fuzzy Hash: 663bbce2caab64df816a8d51b4e5d7edbefad4885e1deea066952349ecdea5fb
Instruction Fuzzy Hash: 5CF06D32E14618AFCB09CFA8D48C6DDBFF6EB84325F14C499E00993280DBB01A91CB94

Function 064739E9 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0e9c790c9b464cf7b8494a5a8cdaf5fbee69fd55bf3bb35c2cbec4e60367c03
Instruction ID: ccc475701e35b00a332df140c20a0d6b7cf6790e8d4dd38917c092ee095ff94a
Opcode Fuzzy Hash: e0e9c790c9b464cf7b8494a5a8cdaf5fbee69fd55bf3bb35c2cbec4e60367c03
Instruction Fuzzy Hash: 88E0867259110CABCB41EFF4D80279F7FBCDB05210F5484A9A805D3220EE365E45E6D5

Function 04BA8240 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edd102dda981391d5aadb2924aeab1669032044fdd8c6bc9493e624b7dc46e37
Instruction ID: 4776c160d983d5e45e30f8e8e7940c0902d474449342ced80991342d69fee3fa
Opcode Fuzzy Hash: edd102dda981391d5aadb2924aeab1669032044fdd8c6bc9493e624b7dc46e37
Instruction Fuzzy Hash: E0E048317002095FC7109A1AED84D5BFF9AEFC4365714DA39E11A87325DEB0ED4987E0

Function 068305BB Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891811113.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6830000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa3dfd4aa62bdb21c7d80a0cf64ff71ae64994ba7fff85e053f5b68f95df09ed
Instruction ID: b6dd39b271d5c59bccbd199055f8b6060dea7dbc8438c0a4d7cacb09df05c350
Opcode Fuzzy Hash: fa3dfd4aa62bdb21c7d80a0cf64ff71ae64994ba7fff85e053f5b68f95df09ed
Instruction Fuzzy Hash: 73E0DF70909208DFC701CFA4EA019BDBF74AB46300F2482DAE848AB352CB318F16C790

Function 06885CC8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891954330.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6870000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4e5bcf0b28124ba1c147cab97b3fd7faf8e706534a0088d102ad9cfb890ea58
Instruction ID: dcedc67d7cf198d77977b0f6b6635ebcb13345d18c63edc7ab0e97594bed1327
Opcode Fuzzy Hash: b4e5bcf0b28124ba1c147cab97b3fd7faf8e706534a0088d102ad9cfb890ea58
Instruction Fuzzy Hash: 2BE0A574E0420CAFCB84EFA8D545A9DBBF5BB48310F10C1A9A80893341D6359A51DF81

Function 0688A410 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891954330.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6870000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4e5bcf0b28124ba1c147cab97b3fd7faf8e706534a0088d102ad9cfb890ea58
Instruction ID: 1dddfba42a802532145683af42fbd91307f5dc908ec1a053203cff050e56c4ae
Opcode Fuzzy Hash: b4e5bcf0b28124ba1c147cab97b3fd7faf8e706534a0088d102ad9cfb890ea58
Instruction Fuzzy Hash: A2E0C974E0420CEFCB94DFA8D445A9DBBF4EB88310F50C1AAA81893340DB359A51DF80

Function 0688BA48 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891954330.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6870000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4e5bcf0b28124ba1c147cab97b3fd7faf8e706534a0088d102ad9cfb890ea58
Instruction ID: 1f591d3b38973e9408739d3c60e66e7b016464185fc52c0c39eb8e4339b17038
Opcode Fuzzy Hash: b4e5bcf0b28124ba1c147cab97b3fd7faf8e706534a0088d102ad9cfb890ea58
Instruction Fuzzy Hash: BFE0C9B4E0520CEFCB84DFA8D44169DBBF4EB89310F10C1A9A808A3350D735AB51DF80

Function 04BA2D10 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 719fe661ebb03720928fb57aff0c44d4bf3c03793c8a629fa1cc7bc80e0f300a
Instruction ID: f6e97d45fc84eed57d15a05cc360966f95b0227b24d1b2d6b847a2548757273e
Opcode Fuzzy Hash: 719fe661ebb03720928fb57aff0c44d4bf3c03793c8a629fa1cc7bc80e0f300a
Instruction Fuzzy Hash: D9E0C2307483189BDF286A78CC0176272A99F45758F2048E9EA09AF3D1DA73FC61D362

Function 0647EF78 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dc27154493008bd1142b77de96558340a3b86c640216652066a86fdb4ae9f5a
Instruction ID: 03c2f08dd5410aaf5b6122b45d72d979ae0d338a912c656043e0d3da31e81cbc
Opcode Fuzzy Hash: 3dc27154493008bd1142b77de96558340a3b86c640216652066a86fdb4ae9f5a
Instruction Fuzzy Hash: 91E0C274E05208AFCB84DFA8E4416ADBBF5EB88304F10C5AAA848D3340DA359A42CB81

Function 0688FE00 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891954330.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6870000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 079a8457f07b304504951eaceaf89ffe923fe63db32560c1179da85c2ae546cc
Instruction ID: a9966acfc72fa5fee9531e3c14d57ce819c51c7427529e7126e01583c3dc350d
Opcode Fuzzy Hash: 079a8457f07b304504951eaceaf89ffe923fe63db32560c1179da85c2ae546cc
Instruction Fuzzy Hash: 3CE0867490820CEFC784DF94E4419BDBFB8AB45311F10C1A9F9489B341CB319B92DB90

Function 0647D7B8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33d7e935a971906031aafe67eb51b65e5abddf5a8e62bfd4c853abd382022b1d
Instruction ID: 58c13f3e185c6508dc50f3b02debd1ac62eacff1bc7b08abafbb899d72103aef
Opcode Fuzzy Hash: 33d7e935a971906031aafe67eb51b65e5abddf5a8e62bfd4c853abd382022b1d
Instruction Fuzzy Hash: F4E01270E0520CEFCB85EFA8D4002ADBBB8EF48300F1081AAD819A7340DB389A41CF80

Function 06830C1B Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891811113.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6830000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6664535d425eeefc152163e99ed70620f9fa436cfd12be0368477903e70eb37
Instruction ID: 23e735b4ffb9edbafe6531aebce0ca0983a90fb1afac5358e832ad0d035fbeb9
Opcode Fuzzy Hash: c6664535d425eeefc152163e99ed70620f9fa436cfd12be0368477903e70eb37
Instruction Fuzzy Hash: 41E0C23550A218CFC746CFD4EA127B9BB74EF43315F2455DAD4098B252CB365E06C791

Function 06888950 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891954330.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6870000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9be4f12970577e8c4f963b6f5aafb143f9f539d2ef57efad60820200c687f564
Instruction ID: bf5cd9c817f114d9ae99f5cf4b51bd4d36fc78ba1a179f2a48ef7bdd0c900c27
Opcode Fuzzy Hash: 9be4f12970577e8c4f963b6f5aafb143f9f539d2ef57efad60820200c687f564
Instruction Fuzzy Hash: 44E01A74D0820CEFC744DB98D5416ACBBB8AB48314F1081A99858A7341CA356A42DB81

Function 0647FE60 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f28c37baea4bd09250416aa3aece423012d55bda8ea80c7352ce3ed0f6c1d648
Instruction ID: a9025d9c433f11278cd50dd0552718b59250b7bf0d233c4fa63172b49dde5f23
Opcode Fuzzy Hash: f28c37baea4bd09250416aa3aece423012d55bda8ea80c7352ce3ed0f6c1d648
Instruction Fuzzy Hash: 30E0863490420CEFC744DF94D4419ADBF78EB55310F10C1A9EC0417351CB315E56DB90

Function 0647E910 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b859a080e93324e38ac4d37a1ad0ae032bfd2bcdb0aa33d7bb8a0fe8dcc53778
Instruction ID: ffc16cb9818d43a8c2fc317d3c6e1f0972d5124bdc444288d7b849fc037ce9e0
Opcode Fuzzy Hash: b859a080e93324e38ac4d37a1ad0ae032bfd2bcdb0aa33d7bb8a0fe8dcc53778
Instruction Fuzzy Hash: 96E0BF74D1520CDFCBC4DFA8D54569DBBF8AB48214F2085E9980897341EB31AA52CB41

Function 068305C8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891811113.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6830000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29eeb7708bc26dc4831ec24bbc5eff7e62b320524e5ca7b5b688f404a9c36989
Instruction ID: f44e3f961e9a33768c4d1df70a2a5e570ff43bb5b20fcab0d3f11458398e9047
Opcode Fuzzy Hash: 29eeb7708bc26dc4831ec24bbc5eff7e62b320524e5ca7b5b688f404a9c36989
Instruction Fuzzy Hash: 30E0127490920CDFC744DF94E5425ADBBB8EB45314F2091ADD84967345CB319E42DBC1

Function 06831038 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891811113.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6830000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29eeb7708bc26dc4831ec24bbc5eff7e62b320524e5ca7b5b688f404a9c36989
Instruction ID: 816476eda29c2158d34be8ddf08d397c2aba97eb2a5b5a65f590e008250e976a
Opcode Fuzzy Hash: 29eeb7708bc26dc4831ec24bbc5eff7e62b320524e5ca7b5b688f404a9c36989
Instruction Fuzzy Hash: 71E01234A0920CDFCB44DFD4E5555ADBBB8EB45714F2091ADD84857341CB325E52DBC1

Function 0688DF68 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891954330.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6870000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1563279a481e28ba9b1431f085f29dafe388921478858070c6eb4b82ddc79455
Instruction ID: 4748069cab972e9c133bdfa00fd2fe7493cb6dea26369f6b9cd92274368851c6
Opcode Fuzzy Hash: 1563279a481e28ba9b1431f085f29dafe388921478858070c6eb4b82ddc79455
Instruction Fuzzy Hash: 68E0EC3490920CEFC754EF94E5419ADBBB9AB45315F20D1A9E80857381CB716E42DB81

Function 0647D808 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e533769647c2e474566a5cc77af768df07c6299d915ba0ac1d8c86004f738d
Instruction ID: b8622b30a544e4b5876c1384eff1bb12297513d99fc96a519e8c1473f9d44650
Opcode Fuzzy Hash: 05e533769647c2e474566a5cc77af768df07c6299d915ba0ac1d8c86004f738d
Instruction Fuzzy Hash: 14E0EC74D2620CEFC780DFA8D54569DBFF8AF08211F1051A9A80893340EB705A84CB91

Function 064739F8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9ef98f4874e0a3f7fffbf3243dd6ee46a2f422daea696072294a59d82c2b926
Instruction ID: 9edc4a542bb7cd861c0625acb67fb880e43565729852a7453492b4ddf26d0a74
Opcode Fuzzy Hash: b9ef98f4874e0a3f7fffbf3243dd6ee46a2f422daea696072294a59d82c2b926
Instruction Fuzzy Hash: A3E0127198210CABCB41EFF4D50569E7BB9DB45210F5049A9950997120EE364A40EB95

Function 064783CE Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15bd09da095c78bcbbafd6af223713ad686f664f2128dd32c6efbb44933d636c
Instruction ID: 8c09dc2dbc7dec8989b5d3ee0d228a33353f0f6ce6b9791226d2442f4502b104
Opcode Fuzzy Hash: 15bd09da095c78bcbbafd6af223713ad686f664f2128dd32c6efbb44933d636c
Instruction Fuzzy Hash: C4F0FDB49162298FEB64CF25D885B99BBB1AB49305F1081EAD90DB3290DA705EC5CF18

Function 06830C28 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891811113.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6830000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 357022a5fb6efb49b155fc9f4628fe66902f31c104fc92e933e6d0610c9448e0
Instruction ID: dc74f28b41e735012e50bb45b48bcb44316e5eda172f5a0918feb3a2266ccd35
Opcode Fuzzy Hash: 357022a5fb6efb49b155fc9f4628fe66902f31c104fc92e933e6d0610c9448e0
Instruction Fuzzy Hash: 4DD05E3050910CDFC784CA94E401A6DB7ACEB46314F209098A80C87341CB329E02D6D0

Function 04BAE078 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73a8253a009322e587edc653bdb3e7f686beed7e9d0ab927b9478f7e27622f09
Instruction ID: d12c3219df6295ff00b4799afe7d28d27a4d5850ad1fcbdeb9c44d83ec3ff474
Opcode Fuzzy Hash: 73a8253a009322e587edc653bdb3e7f686beed7e9d0ab927b9478f7e27622f09
Instruction Fuzzy Hash: E0D012370401189FE341CE24DA42F85BBB8FB18650F148560FE058B331C732EA19E650

Function 06478729 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82bf8fa9dbea20f629b09f1c654be98ca5cb5ca375096847b25ad1aa1791442c
Instruction ID: 6f88d24c33a59eae5e81f624b336ddcb8669372c4f502cd2c8a0a1f1afa33913
Opcode Fuzzy Hash: 82bf8fa9dbea20f629b09f1c654be98ca5cb5ca375096847b25ad1aa1791442c
Instruction Fuzzy Hash: 60E09AB4E42229CFEB608F24C844BDAB7B0AB46315F4440E6D549A2290C3744AC4DF16

Function 064780D0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6d6003b3b1c3875443108abad3424ae29bf19d8b4593afef740c236f5453e00
Instruction ID: 9ec8f7c98b4286cd2ba5c794afd06ffd7fb5d7531bf9afa4e392837ebcae3997
Opcode Fuzzy Hash: f6d6003b3b1c3875443108abad3424ae29bf19d8b4593afef740c236f5453e00
Instruction Fuzzy Hash: 3FD017B0A222188FEB04EB24CA446997AF6EB81304F1056A6800A67254DA354D868F55

Function 04BAC16A Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b21fa193b911a3735aa8ef031548b462ab7150e3d002168c97f20a8fca2806a
Instruction ID: ad85d84805048b1c734d09e2be846899360e834a5ca3bfb0f6b403e6bfbe05d2
Opcode Fuzzy Hash: 3b21fa193b911a3735aa8ef031548b462ab7150e3d002168c97f20a8fca2806a
Instruction Fuzzy Hash: C0C08C3A000108AFC3008F64D946D41BBB8EB082203408450FA088B332C632FC20EA54

Function 06476A97 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a94988be5e051d5894cc05525af1a7c88f7effa5436b5946077c5dfa37dd0cf
Instruction ID: 623151beba69868cefcd08d3dd4879e3260ed277014e8106ae5334361fd131ff
Opcode Fuzzy Hash: 9a94988be5e051d5894cc05525af1a7c88f7effa5436b5946077c5dfa37dd0cf
Instruction Fuzzy Hash: FCD06C74A22328CFEB90DF18EE85B99BBB5BB49314F014196D80DA3744CB301985DF10

Function 06479AB7 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35cfe236d90e2c5e37c67dac912c76718b1a88427127eae92a3bd4f7d4d4d661
Instruction ID: 505928b8da1ce43e2f9892e7209aee9cd86965884910bc48af5c8fd52e3a4e3f
Opcode Fuzzy Hash: 35cfe236d90e2c5e37c67dac912c76718b1a88427127eae92a3bd4f7d4d4d661
Instruction Fuzzy Hash: 8BD09270942258CFEB90DB14DD44B9DBBB1EB01209F10D9D6940E636A4CA745EC98F51

Function 04BA2951 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a5ac04e1228a3c7453e37f9ea7afd60542af0f7f79c019ba71c4dbcde233381
Instruction ID: ab189d613af5f0c980ae7c0cddb714c92205adf62f3211ccdb477bbd5672d230
Opcode Fuzzy Hash: 4a5ac04e1228a3c7453e37f9ea7afd60542af0f7f79c019ba71c4dbcde233381
Instruction Fuzzy Hash: ADC08CFBC082840FC306AA10CA1B708BE20EBB0200F098429A04082122EA618400E211

Function 06477318 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 607ad95b4e91e4bbcc03b1fd4044f12978b99ec35f656f20319181c8e90c2f52
Instruction ID: 9fac1b3ea14084d94f028c2a7bf02bb2871d51829a4259c44c3abdde3a6a0b3e
Opcode Fuzzy Hash: 607ad95b4e91e4bbcc03b1fd4044f12978b99ec35f656f20319181c8e90c2f52
Instruction Fuzzy Hash: 66C00276E5001A9A8B00DAD9E4508DCB774EB94321B004026D214A6104D63115268B50

Function 04BAC170 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction ID: a5ced1602b898661de329531365079a034e3d75a808f59c5ffcbefa728424f66
Opcode Fuzzy Hash: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction Fuzzy Hash: 58C0927A140208EFC700DF69E848C85BBB8EF1977171180A1FA088B332C732EC60DA94

Non-executed Functions

Function 04BA24C8 Relevance: 2.8, Strings: 2, Instructions: 339COMMON

Download Yara Rule

Strings

(bq, xrefs: 04BA286C
,bq, xrefs: 04BA25BE

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: (bq$,bq
API String ID: 0-1616511919
Opcode ID: 7a57d314a68ddcec666c9e31fda222734e2933f12a5e43e802bd79eed1a81eff
Instruction ID: eec638d11a7b4415cd6bd511d949de9b99eace54a9fb3d3028481f25a86cbfbe
Opcode Fuzzy Hash: 7a57d314a68ddcec666c9e31fda222734e2933f12a5e43e802bd79eed1a81eff
Instruction Fuzzy Hash: 79D10834A056048FDB18DF69C584AADBBF2FF88710F2984D9E805AB365DB30EC91CB51

Function 04B94D30 Relevance: 1.4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

dbq, xrefs: 04B94E8E

Memory Dump Source

Source File: 00000000.00000002.1882901319.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b90000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: dbq
API String ID: 0-1887291361
Opcode ID: 19e7369eb9785b7fe6725a6dffd54be23fc54421ec75b1b6f4c5d879f2105078
Instruction ID: 78afddcdfe7069c05b68edb3c07c32ca74991cd9fcb95c5b2b25fe735ca11c1a
Opcode Fuzzy Hash: 19e7369eb9785b7fe6725a6dffd54be23fc54421ec75b1b6f4c5d879f2105078
Instruction Fuzzy Hash: 66813974A18219CFDB14EFA8D6857ADBBF1FB89304F1091A9E009A3355DB345D86CF40

Function 04B94D20 Relevance: 1.4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

dbq, xrefs: 04B94E8E

Memory Dump Source

Source File: 00000000.00000002.1882901319.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b90000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: dbq
API String ID: 0-1887291361
Opcode ID: d6aae98a429e6b0ac29dde766539c501ef3e89a467e2ebe27896ae9d2ccdbeb5
Instruction ID: f8a6a2c1e519d30f1cbd77b5bae88b53301fd44f8cd15102d3699c77f4a0677c
Opcode Fuzzy Hash: d6aae98a429e6b0ac29dde766539c501ef3e89a467e2ebe27896ae9d2ccdbeb5
Instruction Fuzzy Hash: AD813874A14219CFDB14EFA8DA857ADBBF2FB89304F1091AAE009A3355DB345D86CF40

Function 06470006 Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

{, xrefs: 0647010F

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: {
API String ID: 0-366298937
Opcode ID: eb64102c43f636a7e31f6d71877d9c2758670c30c7a59d5cd42b6fe0a48de5cc
Instruction ID: 4ea06cc0c27b3fd481dbf6b298fcaee1f13a0055fb59bf237cdfe00656c91c11
Opcode Fuzzy Hash: eb64102c43f636a7e31f6d71877d9c2758670c30c7a59d5cd42b6fe0a48de5cc
Instruction Fuzzy Hash: 6831BBB1D056588FDB5ACF6B8D502DABBF7AFC9200F08C1FA9448AB255DA340B46CF51

Function 06470040 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

{, xrefs: 0647010F

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: {
API String ID: 0-366298937
Opcode ID: e8e559f493173452592a5db1dbba1637d70347f0e54914b838e7c2a5ad3e7510
Instruction ID: a2cc0fb0f65cbb4cea37e63801d1e95e50d797737ca27112b4e49574a85e8519
Opcode Fuzzy Hash: e8e559f493173452592a5db1dbba1637d70347f0e54914b838e7c2a5ad3e7510
Instruction Fuzzy Hash: 36318BB1D156288BEB5DCF6BDD502DAFAFBAFC8600F04D1FA940CA6255DB740B818E40

Function 06476118 Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e5a9f24244437e491e750ad535cfae8ad6af9750193dfcfaecb78892e0fcf04
Instruction ID: 2f34ad570339eead4f8bca1beb0ee64870be019b12d351f1a19c6ea3ef2c75f4
Opcode Fuzzy Hash: 9e5a9f24244437e491e750ad535cfae8ad6af9750193dfcfaecb78892e0fcf04
Instruction Fuzzy Hash: 6B12B470E006198FDB54CFAAC9806DDFBF2BF88304F25C56AD418AB21AD734A946CF54

Function 00EEF4F8 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1858586945.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9d88849f0bd52dcdd2dc2dd7d8bf5a821e903da6f85f8c282a85ba0c797a8c1
Instruction ID: e59801fc7edb2e6de23523874019c73691181782001aacfa08a00daec317b1e7
Opcode Fuzzy Hash: b9d88849f0bd52dcdd2dc2dd7d8bf5a821e903da6f85f8c282a85ba0c797a8c1
Instruction Fuzzy Hash: F81294F2C917658BE710CF65E94C18A3BB1BB41328BD04A09D2652F6E1DFB8916BCF44

Function 04C04248 Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1883176093.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c00000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1342c282eabdd1d59d3870bc1694c43bfdac669d13f8524bdd5b3d4513c4a9f5
Instruction ID: 4fbd95610c896c9b222c96e4abe3ca3870a86adaad678991a9d0b6c815b53f34
Opcode Fuzzy Hash: 1342c282eabdd1d59d3870bc1694c43bfdac669d13f8524bdd5b3d4513c4a9f5
Instruction Fuzzy Hash: C7D13F74E05208CFEB18DFA5D985BAEBBF2FB49304F1490AAD519A7385DB306985CF04

Function 00EECA44 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1858586945.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 547e0f813b15713569d1542bf3f330645b03d4cc36ed7720aed1fa72c79969ce
Instruction ID: 0f32e15d64302633a324e912f25ebbd153ad232ceaa8be2585a54404ba619cdd
Opcode Fuzzy Hash: 547e0f813b15713569d1542bf3f330645b03d4cc36ed7720aed1fa72c79969ce
Instruction Fuzzy Hash: E7A18A36E002598FCF05DFA5C84049EBBF2FF84304B25956AE805BB325EB31E956CB50

Function 04B9AE28 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882901319.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b90000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9962bf5ba94fe97fb786bd8501e0c5a74fca0e2f878315d4407b1aa506cf3f2d
Instruction ID: 982a63edf12fee9470f08c52d24a9a2544fefed496dc2565e863360c41d8436e
Opcode Fuzzy Hash: 9962bf5ba94fe97fb786bd8501e0c5a74fca0e2f878315d4407b1aa506cf3f2d
Instruction Fuzzy Hash: D9A1F270E14248CFDB14DF69D985BAEBBF1FB89304F2094AAE419A7255EB306D85CF40

Function 04B9AE18 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882901319.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b90000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed242d8812d622fe9b458898ac4e07992c1ec4fe790b099ce0f9f3c409c2920e
Instruction ID: e5736f91f79950baae2e5a0238a40acdbf0e911beb81c9c10c4b96f5578c8b32
Opcode Fuzzy Hash: ed242d8812d622fe9b458898ac4e07992c1ec4fe790b099ce0f9f3c409c2920e
Instruction Fuzzy Hash: 2EA1F270E14208CFDB14DF69D985BAEBBF1FB49304F2094AAD419A7255EB346D85CF40

Function 00EEF4E8 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1858586945.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 184cb0bf0caf2f3a65605653633409ca9f37526aa4dfa211726b047620f0bbc8
Instruction ID: d7894b0c26f15a0682045e72fe03a185396f7c629ac7993dff6de28fb301ef9f
Opcode Fuzzy Hash: 184cb0bf0caf2f3a65605653633409ca9f37526aa4dfa211726b047620f0bbc8
Instruction Fuzzy Hash: 58C11AB2C907658BD710CF65E94818A7BB1FB85328FD04A09D1616F2E1DFB8A06BCF44

Function 06830C50 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891811113.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6830000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a3b1df2a172dac829dc2c5fcae1a037613354cc8ffb865032c3ce3248f1cca0
Instruction ID: 9938732b40733d8243d2339776cccafbc92be72127a47d82e096319c39375a49
Opcode Fuzzy Hash: 7a3b1df2a172dac829dc2c5fcae1a037613354cc8ffb865032c3ce3248f1cca0
Instruction Fuzzy Hash: D9916D74E14218CFEB54DFA8D585AAEB7F2FB89304F20516AE409A7394CF345941CF90

Function 06830C60 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891811113.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6830000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eae4d12ef8c2c6e3b842927a6d6af9db098b481d4f6b868f4b3fc6c68c68ed0
Instruction ID: 1187a7d324b7fdbd9dcd0423611c794d0ac76348a26c5f51a36a0e19b760c9ac
Opcode Fuzzy Hash: 0eae4d12ef8c2c6e3b842927a6d6af9db098b481d4f6b868f4b3fc6c68c68ed0
Instruction Fuzzy Hash: C0916B74E14218CFEB54EFA8D585AAEB7F2FB89304F20516AE409AB394CF745941CF90

Function 06830608 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891811113.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6830000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32df409c7d3a6c18680c4744ed7ee24fb29c64f6ae06e78b649da65612fb3501
Instruction ID: 255098ef52e5e00aa7f1cb8f667bfd1fa88e835b1253b50fd3b5affe0e5292c3
Opcode Fuzzy Hash: 32df409c7d3a6c18680c4744ed7ee24fb29c64f6ae06e78b649da65612fb3501
Instruction Fuzzy Hash: AC914A30E15218CFEB54EF69D985BAEB7F5FB89308F1090AAD51AA7255DF305881CF80

Function 0688DFA8 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891954330.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6870000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d44aa93bd5098b76c900072de616285afd0388f83edb1531c5fae1141a0710c0
Instruction ID: 961099ffeb932c8e3d97f10394ef19ae4063cb9c5b96cad77177d4630c4ba4ce
Opcode Fuzzy Hash: d44aa93bd5098b76c900072de616285afd0388f83edb1531c5fae1141a0710c0
Instruction Fuzzy Hash: 2991F870E0521CCFEBA4EF69C848BADBBB2BF49304F1084A9D509E7295DB745A85CF41

Function 04B9B1E9 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882901319.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b90000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7211790c96a33963968719b3cddb0b2a940200acf2c5f9c147f1d08a716cef6
Instruction ID: db3ef2a7bd1f84a38ca73ff189d6881936fe25a87bfc43448cf6e82ae48f0f3c
Opcode Fuzzy Hash: d7211790c96a33963968719b3cddb0b2a940200acf2c5f9c147f1d08a716cef6
Instruction Fuzzy Hash: 2F91F370E14208CFDB14DF69D985BAEBBF1FB49304F2090AAD419A7659DB30AD85CF40

Function 068305F8 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891811113.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6830000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ace239ac988c7a6d3b5a4c77f2bc03939d02d7578821f3d9f4917473f5434e7
Instruction ID: 61e1a60c02c1c5da6ca3d0cd6e724678e5660a00f0f658f8ce9c31e54ad52197
Opcode Fuzzy Hash: 1ace239ac988c7a6d3b5a4c77f2bc03939d02d7578821f3d9f4917473f5434e7
Instruction Fuzzy Hash: AB815B30E15218CFEB54EF68D945BAEB7F2FB89308F1080AAD41AA7255DF305885CF80

Function 04B95470 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882901319.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b90000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5be49a6fb85872525007f91d1b914f4b7d2ac43b4e810a96924d6233f7825450
Instruction ID: 6cd8063c26168e2827f681d0e4c05b5fbd8ae484af5726b5429bf306defd6d57
Opcode Fuzzy Hash: 5be49a6fb85872525007f91d1b914f4b7d2ac43b4e810a96924d6233f7825450
Instruction Fuzzy Hash: E2415571A85218EFDF61DFA8D5847EDBBF2EB49305F1050AAD009A7349EB34AC85CB40

Function 04B95461 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882901319.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b90000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 737a160fc7b608b343e33b82b40d59d795a014f8b8a2125a1b1a538c94ec9725
Instruction ID: 2d4698bc0a37f62e68ab723c2ad5ee1be319cafb7cd7c50a3bda4f66e66a68e8
Opcode Fuzzy Hash: 737a160fc7b608b343e33b82b40d59d795a014f8b8a2125a1b1a538c94ec9725
Instruction Fuzzy Hash: 2C513575A41218EFDF21DFA8D5847EDBBF2EB49305F1050AAD009A7349EB34AD85CB40

Function 064760D0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6ed006cbd992486560e5ebbbdacb3f0cebec2fc6cbcc626dc001debded37828
Instruction ID: 59a378763327029b7d2623a9860292cfcf98ae596f964547ca9143744367c0b3
Opcode Fuzzy Hash: b6ed006cbd992486560e5ebbbdacb3f0cebec2fc6cbcc626dc001debded37828
Instruction Fuzzy Hash: 6B4156B1E016198BDB48CFABD94069EFBF3AFC8310F14C17AD918AB224DB345942CB54

Function 06476108 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 318268520cc96ed39ca9f4706646c619fc1e3ef1a433f9bd152b75379aafe4cf
Instruction ID: 10250d18cbd6c28bf0d8cdd400214d313032f0d0cf25a85a95b0985abbb3857b
Opcode Fuzzy Hash: 318268520cc96ed39ca9f4706646c619fc1e3ef1a433f9bd152b75379aafe4cf
Instruction Fuzzy Hash: E24158B5E016199BDB48CFABD94069EFBF3BFC8310F14C07AD918AB224DB3459468B54

Function 06620040 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891664630.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6620000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6be00ce7c2f43116701e83aec67a1baed3b1222b9c279e9e9fe7f0a09c7485a5
Instruction ID: ec4798d63c6c959492a324bd3057f2a7d4baeeca343ec1719371c946fa28f354
Opcode Fuzzy Hash: 6be00ce7c2f43116701e83aec67a1baed3b1222b9c279e9e9fe7f0a09c7485a5
Instruction Fuzzy Hash: DC514471D05A298BE76CCF2B8D557DAFAF3AFC9300F44C1FA950C66254DB704A868E41

Function 0662001E Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891664630.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6620000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 961cb58ff3b3df012112270ccdee80ac6f67be11ec7722d22f763b0f79c92cbb
Instruction ID: ef8ee1b022555e66f14326c2240c6808c3d92866088b0b83bc7e5fd8fcd063a8
Opcode Fuzzy Hash: 961cb58ff3b3df012112270ccdee80ac6f67be11ec7722d22f763b0f79c92cbb
Instruction Fuzzy Hash: F8514071D056588BE72CCF2B8D456CAFAF3AFC9300F44C1FA954CA6265DB340A868E41

Function 064778B8 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a92db29a068cebd44e953f7e5259f1646539efb82fac189efe3953f0ca49d3e
Instruction ID: 4e613a9b12ef5b1a1dee8e6602adba70c2448e61c451f9650bc0af560ec32ca1
Opcode Fuzzy Hash: 7a92db29a068cebd44e953f7e5259f1646539efb82fac189efe3953f0ca49d3e
Instruction Fuzzy Hash: 6A414171E01A188FEB5CCF6BDD4069EFAF3AFC9301F54D1BA9408AA259DB3006428F41

Function 064778AB Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891473246.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6470000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c64e8e5872e364b9a6e4926c0420ccc56d8550f27bec5df8d682dbea3447f3ef
Instruction ID: 295ba9d2297ad0a4e3493293de16d656e8da0696bac5edd5606a3af03d9c7e32
Opcode Fuzzy Hash: c64e8e5872e364b9a6e4926c0420ccc56d8550f27bec5df8d682dbea3447f3ef
Instruction Fuzzy Hash: 82312571E01A189BEB5CCF6BDD4069EFAF7AFC9301F54C17A981CAA258EB3405468F41

Function 04BA8820 Relevance: 7.7, Strings: 6, Instructions: 154COMMON

Download Yara Rule

Strings

4'^q, xrefs: 04BA896A
4'^q, xrefs: 04BA88A4
(bq, xrefs: 04BA89EA
4'^q, xrefs: 04BA88D4
pbq, xrefs: 04BA8977
4'^q, xrefs: 04BA88F2

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: (bq$4'^q$4'^q$4'^q$4'^q$pbq
API String ID: 0-723292480
Opcode ID: 577e6c16432d657815c600022b086bbeaba0fb36fa0659593f702bf99c2a03ae
Instruction ID: 3d5a7e19b2669ace34f15a1a43eaa6891f30a27e902bed5e5e31707d1074c602
Opcode Fuzzy Hash: 577e6c16432d657815c600022b086bbeaba0fb36fa0659593f702bf99c2a03ae
Instruction Fuzzy Hash: 67518530A402098FC744EF79C95076FBAE7BFC8740F148968C44997769DF35E94687A1

Function 04BAF270 Relevance: 5.2, Strings: 4, Instructions: 204COMMON

Download Yara Rule

Strings

(_^q, xrefs: 04BAF913
(_^q, xrefs: 04BAF963
(_^q, xrefs: 04BAF91D
(_^q, xrefs: 04BAF999

Memory Dump Source

Source File: 00000000.00000002.1882981617.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_eBHn6qHPLz.jbxd

Similarity

API ID:
String ID: (_^q$(_^q$(_^q$(_^q
API String ID: 0-2697572114
Opcode ID: 06921e73674e986b4acf729d4200d846b9ef0e252a69ac5b0fcf244e79d78a34
Instruction ID: a428621dcfd4a6429c27f81d014e73e68152e8a0695faee92636c369059fa192
Opcode Fuzzy Hash: 06921e73674e986b4acf729d4200d846b9ef0e252a69ac5b0fcf244e79d78a34
Instruction Fuzzy Hash: 35619175F042089FDB04EF78C4555AEBBB2EF89304F2084A9E5069B365EB35EC46CB91

Analysis Process: defenderupdate.exePID: 7944, Parent PID: 7896COMMON

Execution Graph

Execution Coverage:	11.6%
Dynamic/Decrypted Code Coverage:	99.3%
Signature Coverage:	0%
Total number of Nodes:	273
Total number of Limit Nodes:	11

Executed Functions

Function 06A812BD Relevance: 16.1, Strings: 12, Instructions: 1136COMMON

Download Yara Rule

Strings

$^q, xrefs: 06A817C7
,bq, xrefs: 06A81D7A
$^q, xrefs: 06A81717
$^q, xrefs: 06A81BFA
$^q, xrefs: 06A81553
$^q, xrefs: 06A81B91
$^q, xrefs: 06A81BEA
4, xrefs: 06A81C95
$^q, xrefs: 06A81543
$^q, xrefs: 06A817B7
$^q, xrefs: 06A81BA1
$^q, xrefs: 06A81707

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID: ,bq$4$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-312445597
Opcode ID: 84b20c765be5a2334c676ad5240014f76c4605ccd2b891f27f2057dfab93df2a
Instruction ID: 9878b80e7b3629da055cc612b068ce386822911d3d9db604c5d7ba973c775980
Opcode Fuzzy Hash: 84b20c765be5a2334c676ad5240014f76c4605ccd2b891f27f2057dfab93df2a
Instruction Fuzzy Hash: CAB21770A002198FDB54EFA8C894BADB7B6FF48700F148599E505AB3A5DB70ED86CF50

Function 06A815E7 Relevance: 8.0, Strings: 6, Instructions: 495COMMON

Download Yara Rule

Strings

,bq, xrefs: 06A81D7A
$^q, xrefs: 06A81B91
$^q, xrefs: 06A81BEA
4, xrefs: 06A81C95
$^q, xrefs: 06A817B7
$^q, xrefs: 06A81707

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID: ,bq$4$$^q$$^q$$^q$$^q
API String ID: 0-2546334966
Opcode ID: 691c64ee401a955cae576c6b319ea8b67fc247f5c69b54157b84c253b0baf983
Instruction ID: b369f03848fbd04b697347d2f6704840d0287ed2ba24288274f19a328a8ee74a
Opcode Fuzzy Hash: 691c64ee401a955cae576c6b319ea8b67fc247f5c69b54157b84c253b0baf983
Instruction Fuzzy Hash: A9220D74A00219CFEB64EF64C994BADB7B2FF48304F148199D509AB3A5DB31AD86CF50

Function 06A9F098 Relevance: 1.7, Strings: 1, Instructions: 435COMMON

Download Yara Rule

Strings

Te^q, xrefs: 06A9F402

Memory Dump Source

Source File: 00000008.00000002.2222199984.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a90000_defenderupdate.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 2ba152bfaaf8b1bb72dd4e85ee910c048b2d8ee1dc57f712af032fc1e25dd0b7
Instruction ID: 14e0aede3172c50c172f410ada96a8e1e3d292cb82b14ac39e1bd98fc287e2a1
Opcode Fuzzy Hash: 2ba152bfaaf8b1bb72dd4e85ee910c048b2d8ee1dc57f712af032fc1e25dd0b7
Instruction Fuzzy Hash: 5212D474E05218CFEB64DF69D984BAAB7F2FB89300F2081AAD509E7254DB345D81CF61

Function 06B7B6B1 Relevance: 1.6, APIs: 1, Instructions: 69nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 06B7B741

Memory Dump Source

Source File: 00000008.00000002.2222652595.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b70000_defenderupdate.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: e36a79139f217a80a8476e410d691f30ba03a4d8b13603dcccf03827a3b539d2
Instruction ID: d585b714a3b39393c6522232e9e71f7d70632e015f823f30a5f44ede0f64d016
Opcode Fuzzy Hash: e36a79139f217a80a8476e410d691f30ba03a4d8b13603dcccf03827a3b539d2
Instruction Fuzzy Hash: 4821F3B1D012499FCB10DFAAD984ADEFBF5FB48310F20842AE559A7250C775AA40CFA5

Function 06B7B6B8 Relevance: 1.6, APIs: 1, Instructions: 63nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 06B7B741

Memory Dump Source

Source File: 00000008.00000002.2222652595.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b70000_defenderupdate.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 8a8b6ea1e8ba65f9bc0f92eb0be8416b2590d580ab7527f44afe208670e9d388
Instruction ID: 8d50c1b94e1c179ec9f640f1cb27ec8fcf74e50559f7bcd961f61666880ad8ee
Opcode Fuzzy Hash: 8a8b6ea1e8ba65f9bc0f92eb0be8416b2590d580ab7527f44afe208670e9d388
Instruction Fuzzy Hash: ED21FFB1D002499FCB10DFAAD984ADEFBF5FF48310F20842AE519A7210C775A940CBA4

Function 06B7D800 Relevance: 1.6, APIs: 1, Instructions: 60nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 06B7D876

Memory Dump Source

Source File: 00000008.00000002.2222652595.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b70000_defenderupdate.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 44051c8731fd34eb4dad9df6e4d691734cf39ae4cb24b93e34f9e3cc3943e4a3
Instruction ID: e7ede650bef880222e1732454e0cc5c0a9fb45427c18b2a0aad354c855aa23b9
Opcode Fuzzy Hash: 44051c8731fd34eb4dad9df6e4d691734cf39ae4cb24b93e34f9e3cc3943e4a3
Instruction Fuzzy Hash: 071106B1D002089BDB20DFAAC845BDFFBF8EF48364F10842AD459A7250CB74A945CFA5

Function 06B7D808 Relevance: 1.6, APIs: 1, Instructions: 54nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 06B7D876

Memory Dump Source

Source File: 00000008.00000002.2222652595.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b70000_defenderupdate.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f99161bed50a5bb394cd4c3682a667fc8180bf5307668d82e62726807e899da2
Instruction ID: 11b982be54f3c7d4f5e3912d71d7252b9a429afdfab39229d4eba55764af0706
Opcode Fuzzy Hash: f99161bed50a5bb394cd4c3682a667fc8180bf5307668d82e62726807e899da2
Instruction Fuzzy Hash: 3B11E4B1D002498FDB10DFAAC484B9EFBF4EF88364F50842AD459A7250CB79A945CFA5

Function 06A97369 Relevance: 1.5, Strings: 1, Instructions: 290COMMON

Download Yara Rule

Strings

Te^q, xrefs: 06A975B1

Memory Dump Source

Source File: 00000008.00000002.2222199984.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a90000_defenderupdate.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: bb2d6d2e0e132fea41d22d433e26644be796b8a1d2ff67ba64a13aef4cb945fd
Instruction ID: 378f9047bf3b8bb0a74180b00cdf9c5bdc9444eb49ccf490d4cb73d4cf495271
Opcode Fuzzy Hash: bb2d6d2e0e132fea41d22d433e26644be796b8a1d2ff67ba64a13aef4cb945fd
Instruction Fuzzy Hash: 5FC10774E15218CFDB94DFA9D984B9EBBF2FF89300F2080A9D409AB255DB349945CF60

Function 06A973D8 Relevance: 1.5, Strings: 1, Instructions: 250COMMON

Download Yara Rule

Strings

Te^q, xrefs: 06A975B1

Memory Dump Source

Source File: 00000008.00000002.2222199984.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a90000_defenderupdate.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 03d7781fb937ae45fa629238ab2ca8b99e0c693d2bdb52dd8b4e3aa502d3d75a
Instruction ID: cd16296a46b290179cfe850d2e6a322cb305c41b1ff7e275198d7130a4a82502
Opcode Fuzzy Hash: 03d7781fb937ae45fa629238ab2ca8b99e0c693d2bdb52dd8b4e3aa502d3d75a
Instruction Fuzzy Hash: 4AB1C574E15218CFEB94DFA9D984B9DBBF2FF89300F2080A9D409AB255DB349945CF60

Function 06A973E8 Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

Te^q, xrefs: 06A975B1

Memory Dump Source

Source File: 00000008.00000002.2222199984.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a90000_defenderupdate.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 206049061d62882378ee4b249dc51975e3b408cdbbcb8e3c347fc18aa22bb8ab
Instruction ID: 28cdd60a7740b987962f8cb501cf8b4a10ec685c64289010b1310f1b37589b71
Opcode Fuzzy Hash: 206049061d62882378ee4b249dc51975e3b408cdbbcb8e3c347fc18aa22bb8ab
Instruction Fuzzy Hash: CAB1F674E15218CFEB94DFA9D984B9DBBF2FF89300F2080A9D409AB255DB349945CF60

Function 018ACB08 Relevance: 6.1, APIs: 4, Instructions: 136
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 018ACB96
GetCurrentThread.KERNEL32 ref: 018ACBD3
GetCurrentProcess.KERNEL32 ref: 018ACC10
GetCurrentThreadId.KERNEL32 ref: 018ACC69

Memory Dump Source

Source File: 00000008.00000002.2168095387.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_defenderupdate.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 335c9fa44c7c13087ca14a3d62223238bb4907930100502d4fbbf1f214cff71e
Instruction ID: 77da530c6cd57a8679f5b6c35d11e00a55f891d8be82353ae06c0e7e4a7f32f2
Opcode Fuzzy Hash: 335c9fa44c7c13087ca14a3d62223238bb4907930100502d4fbbf1f214cff71e
Instruction Fuzzy Hash: 835144B0A003498FDB14DFAAD548BDEBFF1EF48304F208469E409AB260D7749A84CF65

Function 018ACB18 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 018ACB96
GetCurrentThread.KERNEL32 ref: 018ACBD3
GetCurrentProcess.KERNEL32 ref: 018ACC10
GetCurrentThreadId.KERNEL32 ref: 018ACC69

Memory Dump Source

Source File: 00000008.00000002.2168095387.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_defenderupdate.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 8431d01e973dcbe2b160ac0755966b5b7a4e96fd80518bf450e4969a709ab194
Instruction ID: af745c4ebd80168df61c7c79633f797881296c11fc41d147fedbfdfdc742ec17
Opcode Fuzzy Hash: 8431d01e973dcbe2b160ac0755966b5b7a4e96fd80518bf450e4969a709ab194
Instruction Fuzzy Hash: 825135B09007098FDB14DFAAD548B9EBBF1EF48304F20C459E419A7360D775AA84CF65

Function 06A873E0 Relevance: 4.2, Strings: 3, Instructions: 481
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 06A87934
Hbq, xrefs: 06A878E4
Hbq, xrefs: 06A878B5

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID: Hbq$Hbq$Hbq
API String ID: 0-2297679979
Opcode ID: 2a42e3cdc306d415a445c12d1d25bb29f19aec987d44f0da8dc58614bbe0d449
Instruction ID: 0bf5eaa655beee08708731a9d412cfb6564a5b35f79eec873b9ec982887d4170
Opcode Fuzzy Hash: 2a42e3cdc306d415a445c12d1d25bb29f19aec987d44f0da8dc58614bbe0d449
Instruction Fuzzy Hash: 85126E70A002058FDB65FFA9D494A6EBBF2FF88300B24852DD5469B3A4DB35EC46CB51

Function 06A89218 Relevance: 4.1, Strings: 3, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 06A89591
4'^q, xrefs: 06A89432
4'^q, xrefs: 06A89511

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q
API String ID: 0-1196845430
Opcode ID: 339cf4bc15776ef68bf985c316aead4ab87f13658f6c6b893e798148b2df4fc4
Instruction ID: 78369b92cdec408866a43b9a228f3f5a58e34ac1f905d804da2351c076955e1c
Opcode Fuzzy Hash: 339cf4bc15776ef68bf985c316aead4ab87f13658f6c6b893e798148b2df4fc4
Instruction Fuzzy Hash: 4AF1F134B10218DFDB54EFA4D998AAEB7B2FF88301F118154E506AB3A5DB75EC46CB40

Function 06A8D7FB Relevance: 4.1, Strings: 3, Instructions: 360
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 06A8D955
Hbq, xrefs: 06A8D981
(bq, xrefs: 06A8D929

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID: (bq$(bq$Hbq
API String ID: 0-2835675688
Opcode ID: edc552319711ec67a817e73c049502174b907b86261cbb530a31eefd86a8e1f0
Instruction ID: b87cc76acceb11ac137905a0183217c589a16f8d4e0c7157c1dde3513703bf35
Opcode Fuzzy Hash: edc552319711ec67a817e73c049502174b907b86261cbb530a31eefd86a8e1f0
Instruction Fuzzy Hash: FDE15034A00209DFCB55FF64D5949AEBBB2FF89300F118569E416AB3A5DB30EC46CB91

Function 06A83539 Relevance: 3.0, Strings: 2, Instructions: 484
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06A83853
$^q, xrefs: 06A83863

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 5ef894682c92429771b6e4fc70ba29c3686a676ee0072462fb53e5fe65c42782
Instruction ID: 4ee584e641d88d7408098e9ab80edd9cb0a1b6e508946b37b47c620f93425304
Opcode Fuzzy Hash: 5ef894682c92429771b6e4fc70ba29c3686a676ee0072462fb53e5fe65c42782
Instruction Fuzzy Hash: 17124A70E002198FDF55EFA9D894AADBBB2FF48B00F148115E811AB295DB399D46CB50

Function 06A86E98 Relevance: 2.8, Strings: 2, Instructions: 343
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 06A870F9
(bq, xrefs: 06A86EAC

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID: (bq$d
API String ID: 0-3334038649
Opcode ID: 88245e205bab3c1762b2bd1dcc2b7481c7777413ed7ebbb9fc8f473c577127bd
Instruction ID: e36e3dc8e1294f5ac1f23d7e61759226fa20c208b0df3ed36be6a431873c0b9f
Opcode Fuzzy Hash: 88245e205bab3c1762b2bd1dcc2b7481c7777413ed7ebbb9fc8f473c577127bd
Instruction Fuzzy Hash: D3D149306006068FCB54EF29C59496AB7F2FF88310B25C969E45A9B765DB31FC46CB90

Function 06A87C21 Relevance: 2.8, Strings: 2, Instructions: 334
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 06A87ECC
Hbq, xrefs: 06A87F34

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: 85138e2132983c034a430ed987603af5cee2908206155604481901ac00a72a00
Instruction ID: 42cb90af1d60ff17cab5b751135f52c67d880efcdd94cb7cde6ea6bb90419e26
Opcode Fuzzy Hash: 85138e2132983c034a430ed987603af5cee2908206155604481901ac00a72a00
Instruction Fuzzy Hash: 2EC1AE306005159FCB55EF29C480AAEBBF6FF88314F258569E8099F3A5CB34ED46CB91

Function 06A82B10 Relevance: 2.7, Strings: 2, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 06A82C16
Hbq, xrefs: 06A82CA5

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID: (bq$Hbq
API String ID: 0-4081012451
Opcode ID: 747e6187e785d14b3524773566bec48e9175418d50a89d2a6c4c787a5cd22cd5
Instruction ID: 43e71d263c571bff16950dca7bf25cc6ac905c6594a65c564e77d50e290157ed
Opcode Fuzzy Hash: 747e6187e785d14b3524773566bec48e9175418d50a89d2a6c4c787a5cd22cd5
Instruction Fuzzy Hash: 82518B707002108FD7AABF39C86462E7BA6BF99300B24846DD5068B3A5CF35ED06CB95

Function 06A850D3 Relevance: 2.7, Strings: 2, Instructions: 171
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 06A85243
(bq, xrefs: 06A851EC

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID: (bq$(bq
API String ID: 0-4224401849
Opcode ID: 55b51389bf8736a358282281640c8694c943894a6de121ed59d4f69fe248310d
Instruction ID: 1827ca8a728f90b92b78d42833f1e50581eb2ca38a6d9fab3a93735679e11fa9
Opcode Fuzzy Hash: 55b51389bf8736a358282281640c8694c943894a6de121ed59d4f69fe248310d
Instruction Fuzzy Hash: 4051AF31B002458FDB55EF28D8506AE7BA2FF84345F2481A9E8058F3A6CF35ED56CB91

Function 06A90681 Relevance: 2.5, Strings: 2, Instructions: 34COMMON

Download Yara Rule

Strings

Q, xrefs: 06A9149C
<, xrefs: 06A9068E

Memory Dump Source

Source File: 00000008.00000002.2222199984.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a90000_defenderupdate.jbxd

Similarity

API ID:
String ID: <$Q
API String ID: 0-1068778786
Opcode ID: 7dcfdc32b948eb0c6e478db4b10d184d27a90311196dd1f39a4aeca3f9b54c66
Instruction ID: f0e2252d8a266b13f28cd6a990dcc3c97f802fd784e7210ae658f1169acb093b
Opcode Fuzzy Hash: 7dcfdc32b948eb0c6e478db4b10d184d27a90311196dd1f39a4aeca3f9b54c66
Instruction Fuzzy Hash: E901B370D21328DFDF94EFA4D888B9CB6F1BB49318F2040A9D408A7240C7341A85CF20

Function 06A8A0F8 Relevance: 1.9, Strings: 1, Instructions: 677COMMON

Download Yara Rule

Strings

,bq, xrefs: 06A8A473

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID: ,bq
API String ID: 0-2474004448
Opcode ID: 2d65921a812024e6db021d3105f288cbafbccb448571cd94f4b6d092208baaf8
Instruction ID: c9a2503012de8a2a941907d918e65228cf65a7660c82ee8fc839c3075330a840
Opcode Fuzzy Hash: 2d65921a812024e6db021d3105f288cbafbccb448571cd94f4b6d092208baaf8
Instruction Fuzzy Hash: 04521B75A002288FDB65EF69C954BDDBBF2BF88300F1540DAD609AB361DA309D85CF61

Function 06A840C0 Relevance: 1.8, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

(_^q, xrefs: 06A84350

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID: (_^q
API String ID: 0-538443824
Opcode ID: ee863b939354957e85eefcac42139f495d594d03600cb580012a63f025c8f0fe
Instruction ID: 1273ffebb3d8951c422da5312b9a41eb7230014d42915f25c5c464e836ce9c33
Opcode Fuzzy Hash: ee863b939354957e85eefcac42139f495d594d03600cb580012a63f025c8f0fe
Instruction Fuzzy Hash: F8228C75A002159FEB44EFA9D494A6DBBF2FF88300F148069E905AF3A5DB71EC45CB90

Function 06B7C10C Relevance: 1.7, APIs: 1, Instructions: 204processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06B7C2F2

Memory Dump Source

Source File: 00000008.00000002.2222652595.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b70000_defenderupdate.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 50655b5056b5cce4c4292ec0eb7e923314f2fcc137194ea168d71bdb41fa72fb
Instruction ID: cfc2f521f08402a709be985f067913257b341c463f32c8368f2991fea0585829
Opcode Fuzzy Hash: 50655b5056b5cce4c4292ec0eb7e923314f2fcc137194ea168d71bdb41fa72fb
Instruction Fuzzy Hash: EF8135B1D002598FDB60CFA9C8817ADBFF1FF48314F249569E869A7280D7759981CF81

Function 06B7C118 Relevance: 1.7, APIs: 1, Instructions: 201processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06B7C2F2

Memory Dump Source

Source File: 00000008.00000002.2222652595.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b70000_defenderupdate.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: cef3275d94fcf1235d03cd576f183804af195ba3fd60f6432710e3eacfc3571b
Instruction ID: 78ad2d74ecf043ae26cad6216b30b870d1f2ec7750fd64a847fbc154239799a9
Opcode Fuzzy Hash: cef3275d94fcf1235d03cd576f183804af195ba3fd60f6432710e3eacfc3571b
Instruction Fuzzy Hash: 8E8124B1D002598FDBA0CFA9C8817ADBFF1EF48314F249569E869A7280D7759881CF81

Function 018AA488 Relevance: 1.7, APIs: 1, Instructions: 200COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 018AA6DE

Memory Dump Source

Source File: 00000008.00000002.2168095387.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_defenderupdate.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4e9253debff1e02d073b4fc6b12f67b76f41b67b642e3dcd4a1e762044a5e31b
Instruction ID: fce69dee4850676401cd182a2e1bbb171067b0998039917d4c395c290a28f333
Opcode Fuzzy Hash: 4e9253debff1e02d073b4fc6b12f67b76f41b67b642e3dcd4a1e762044a5e31b
Instruction Fuzzy Hash: 6C812370A00B058FEB28DF69D44475ABBF1BB88304F008A2DE58AD7A50D775EA45CB95

Function 06B7D180 Relevance: 1.6, APIs: 1, Instructions: 75injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06B7D218

Memory Dump Source

Source File: 00000008.00000002.2222652595.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b70000_defenderupdate.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a68b8d5d57cef3852fcb8c09e04c015a00fa3b104cf23afa79bc09fe191ae296
Instruction ID: 9fb4e0ccba327e2778a6ab94d6ab51515b087c4cc5406d05a3b52727b07ff22e
Opcode Fuzzy Hash: a68b8d5d57cef3852fcb8c09e04c015a00fa3b104cf23afa79bc09fe191ae296
Instruction Fuzzy Hash: C22157B19003199FCB10CFA9C885BDEBBF5FF48320F10842AE959A7250C778A955CFA4

Function 06B7D188 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06B7D218

Memory Dump Source

Source File: 00000008.00000002.2222652595.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b70000_defenderupdate.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 2ef48ea62fbfafd811bf233dd16dd5a0f6362547a858bbf33fa367b9a209118b
Instruction ID: d33b516af40c904d10fd836477f6122f870fb5b9846079f038af37e1467f1588
Opcode Fuzzy Hash: 2ef48ea62fbfafd811bf233dd16dd5a0f6362547a858bbf33fa367b9a209118b
Instruction Fuzzy Hash: 142136B29003599FCB10CFA9C985BDEBBF5FF48310F10842AE959A7250C778A955CBA4

Function 06B7C8E0 Relevance: 1.6, APIs: 1, Instructions: 67threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06B7C966

Memory Dump Source

Source File: 00000008.00000002.2222652595.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b70000_defenderupdate.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 3b4099454921bdc29dfdbac20188d24c261136f57f0b482638d58ae3ee741c5b
Instruction ID: a3b691b8f24e9f64cb9133fa4c175baac90c1b78ff28a92802a07103c10b3723
Opcode Fuzzy Hash: 3b4099454921bdc29dfdbac20188d24c261136f57f0b482638d58ae3ee741c5b
Instruction Fuzzy Hash: EC2136B19002098FDB50DFAAC4447EEBBF4EB48324F108429D459A7241C778A545CBA5

Function 018ACD58 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 018ACDE7

Memory Dump Source

Source File: 00000008.00000002.2168095387.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_defenderupdate.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b6c2683f5c042e0e80a4eb04549958c765e5961c842c2c2f5a89df411c720d0e
Instruction ID: d30f422abc386280ce9a3dd0d47c10f68a6d14daa73d6c4c51f467914af6cba2
Opcode Fuzzy Hash: b6c2683f5c042e0e80a4eb04549958c765e5961c842c2c2f5a89df411c720d0e
Instruction Fuzzy Hash: 8A21E5B5900219DFDB10CFAAD984ADEBFF4FB48324F14841AE954A7310D375A954CFA4

Function 06B7C8E8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06B7C966

Memory Dump Source

Source File: 00000008.00000002.2222652595.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b70000_defenderupdate.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: e6a2f6c5d03823a1aaa0a3020d03bcf429d8e3e06c944335cdcddf353720d35e
Instruction ID: 4ddc3e9bb8a259be3508e6f77fefb6ab852ca15c050369e6b35dda8a897ee118
Opcode Fuzzy Hash: e6a2f6c5d03823a1aaa0a3020d03bcf429d8e3e06c944335cdcddf353720d35e
Instruction Fuzzy Hash: 802137B1D002098FDB50DFAAC4857EEBBF4EB48324F50842AD459A7241CB78A945CFA4

Function 018ACD60 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 018ACDE7

Memory Dump Source

Source File: 00000008.00000002.2168095387.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_defenderupdate.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 547f4c6fd39c1286dba40e1176005fcef83fb01aea50b00b6e350b9636c64db3
Instruction ID: 3b1e6a6097ec3d39871fcb2567343360aa425f616f5d4526ff9af9980bacc669
Opcode Fuzzy Hash: 547f4c6fd39c1286dba40e1176005fcef83fb01aea50b00b6e350b9636c64db3
Instruction Fuzzy Hash: 7E21E4B59002089FDB10CF9AD984ADEBFF4FB48310F14801AE914A7310D374A944CFA4

Function 06A79A30 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SleepEx.KERNELBASE ref: 06A79AA7

Memory Dump Source

Source File: 00000008.00000002.2221930880.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a70000_defenderupdate.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 4ec2dcc091d4c7dfd7cf965d9db35e24bf9fb44b53bfec6f35c139d0f8b5b9db
Instruction ID: 30654163449a91400048900dd57df565be5c023a8057cbf56e2bb97bdb9e809c
Opcode Fuzzy Hash: 4ec2dcc091d4c7dfd7cf965d9db35e24bf9fb44b53bfec6f35c139d0f8b5b9db
Instruction Fuzzy Hash: 491137B1D002598EDB10DFAAC844BEFBFF5AF88324F14842AD455A7250CB399945CFA4

Function 06C4DC40 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 06C4DCB4

Memory Dump Source

Source File: 00000008.00000002.2222847887.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c40000_defenderupdate.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e9984b0de1e09dd9bcdfc908037039b3424c20e53ce64323ce8310d2a1387668
Instruction ID: 44142c89aaa1d3b578f11b198c37f29bfabb029006c1df2a7cdb6f399e5da4bf
Opcode Fuzzy Hash: e9984b0de1e09dd9bcdfc908037039b3424c20e53ce64323ce8310d2a1387668
Instruction Fuzzy Hash: 381106B1D002499FCB10EFAAC844ADEFBF4FF48324F10842AD559A7250CB75A945CFA5

Function 06A79A38 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SleepEx.KERNELBASE ref: 06A79AA7

Memory Dump Source

Source File: 00000008.00000002.2221930880.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a70000_defenderupdate.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 3b5d32a0c87f7cccd57aedf6e2be4cb721c9f1f0c6b9c6cd8667d10c2badd18a
Instruction ID: ae13f810960fdc6437fce538dc438f564391995c275394331c1f35adc0a9ee69
Opcode Fuzzy Hash: 3b5d32a0c87f7cccd57aedf6e2be4cb721c9f1f0c6b9c6cd8667d10c2badd18a
Instruction Fuzzy Hash: 83111CB1D002598FDB10DFAAC845BEFFFF4EB88324F14841AD455A7250CB75A945CBA4

Function 06B7CEE8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06B7CF56

Memory Dump Source

Source File: 00000008.00000002.2222652595.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b70000_defenderupdate.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 73c2da1db942a4841792d5c5cb12b0c96f7a2dc65caf29d92eea42a1ebc12aa1
Instruction ID: 23824ebf3f5167c4c41d44871aac6ee64ce796156f36c86a41a1493cafb3d2af
Opcode Fuzzy Hash: 73c2da1db942a4841792d5c5cb12b0c96f7a2dc65caf29d92eea42a1ebc12aa1
Instruction Fuzzy Hash: 751137B29002499FCB10DFAAC844BDEBFF5EF88324F108419E559A7250C775A954CFA4

Function 06B7CEE1 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06B7CF56

Memory Dump Source

Source File: 00000008.00000002.2222652595.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b70000_defenderupdate.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1122e25b11400712555f5b561199187fef7d5d230b28588a3e6368797c78aca8
Instruction ID: 2cb37fcca873d9101f0b0f2facf7f360eabdcfc7f6811fb82a89fc8d629e60f0
Opcode Fuzzy Hash: 1122e25b11400712555f5b561199187fef7d5d230b28588a3e6368797c78aca8
Instruction Fuzzy Hash: 3F1147B29002498FCB10DFA9C945ADEBFF5EB48310F10841AE569A7250C7359554CF94

Function 018A8F89 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(0000004B), ref: 018A8FFD

Memory Dump Source

Source File: 00000008.00000002.2168095387.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_defenderupdate.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 4367fd0d16f7aee63fd7c1d51a792dab319a6d921b2ffa2d5ef09e1184f86f8b
Instruction ID: 3ad9ec3b772b1341acd239da0accabd0a234aacfc69ac875413abd83db0a1923
Opcode Fuzzy Hash: 4367fd0d16f7aee63fd7c1d51a792dab319a6d921b2ffa2d5ef09e1184f86f8b
Instruction Fuzzy Hash: 2511AFB1908385CFDB21DF9AC0047EEBFF4AB05354F54809DD599A7242C3796644CFA5

Function 018A8F98 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(0000004B), ref: 018A8FFD

Memory Dump Source

Source File: 00000008.00000002.2168095387.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_defenderupdate.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 2df27db0002a434fafd9463d480156e1b2aa21a6c5ddd2fe744c7153fe229703
Instruction ID: 520076e7faafeebcb978cb0a1990b633c77a6cefde352175c52a5dedbec8a4d4
Opcode Fuzzy Hash: 2df27db0002a434fafd9463d480156e1b2aa21a6c5ddd2fe744c7153fe229703
Instruction Fuzzy Hash: 24118BB1904389CFDB21DF9AC0047EABFF4AB05314F508099D589A3242C339A644CFA5

Function 018AA678 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 018AA6DE

Memory Dump Source

Source File: 00000008.00000002.2168095387.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_defenderupdate.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 615093edc69dd741a1c8d166146ca5b481bb6dee03358f8fd3f6a26bed379036
Instruction ID: 81ba2960719391bef0ea03c10f6c90bcf6b9b6b9347a381aa665c87b8e79414c
Opcode Fuzzy Hash: 615093edc69dd741a1c8d166146ca5b481bb6dee03358f8fd3f6a26bed379036
Instruction Fuzzy Hash: 5911E0B6C002498FDB24CF9AC444ADEFBF4EB88324F11842AD569A7610D379A645CFA5

Function 06A84848 Relevance: 1.5, Strings: 1, Instructions: 246COMMON

Download Yara Rule

Strings

Pl^q, xrefs: 06A84A30

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID: Pl^q
API String ID: 0-2831078282
Opcode ID: 66dea8a3cfbae8d082bb5f118a4f093ea4632696dcf1818729416e5e15890b61
Instruction ID: 1b02dfdc44e5832d19417d6ecf2bb0eb7e4fb15af93ede4073adfe303c8e1d71
Opcode Fuzzy Hash: 66dea8a3cfbae8d082bb5f118a4f093ea4632696dcf1818729416e5e15890b61
Instruction Fuzzy Hash: 80911430B002198FDB54EF69C484A6ABBE6FF89710B1540A9E505DF3B5DB71EC42CB91

Function 06A89208 Relevance: 1.5, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

4'^q, xrefs: 06A89432

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 9ea155ac29a4d0de703bd5d9cac2f9b5261586de30a6bdcfce7b5ce83a42f031
Instruction ID: ff9d5120037eca1534ea1cdde9c02c0e23c3652b2ec7c4c2824f5840a8ad1e54
Opcode Fuzzy Hash: 9ea155ac29a4d0de703bd5d9cac2f9b5261586de30a6bdcfce7b5ce83a42f031
Instruction Fuzzy Hash: 8BA10F34A10218DFCB54FFA8D998AAEB7B2FF88300F558159E4066B365DB74EC46CB50

Function 06A8FD18 Relevance: 1.4, Strings: 1, Instructions: 188COMMON

Download Yara Rule

Strings

(bq, xrefs: 06A8FF39

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 560018dc4fee73f34da654f1a4d7253e1c8258f444552c5af27247da3a64ffb4
Instruction ID: 15b783f3389aa96427ec9666dda4c5dec479102a98bf292643abe91c23c4449b
Opcode Fuzzy Hash: 560018dc4fee73f34da654f1a4d7253e1c8258f444552c5af27247da3a64ffb4
Instruction Fuzzy Hash: 71719B30B006148FCB94FF68D594AAEB3B2EF89700F518169E0129B3A4CF74AD46CB91

Function 06A80BB0 Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

,bq, xrefs: 06A80C13

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID: ,bq
API String ID: 0-2474004448
Opcode ID: 7c619bf21d1d4e572287b6a87d3efd2f513be96044e699d194f6e52f64cb4dba
Instruction ID: 7b7705c46bc68cee7dfbe26a3c0f360c4bc542d385eca92bcc284b9d9d21932a
Opcode Fuzzy Hash: 7c619bf21d1d4e572287b6a87d3efd2f513be96044e699d194f6e52f64cb4dba
Instruction Fuzzy Hash: 39519D357001158FCB05EF69D8549AEBBE6FF89310B25806AE905DF362CB31EC06CBA1

Function 06A8DF18 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

(bq, xrefs: 06A8E044

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 92e4777a0531f922992fc44ca8c6d5ef81606426872f0776e6217161776ad818
Instruction ID: 1affd6d2166c2d9589f7dd66e556084d50e21c0c288dc2208d11a7507979f530
Opcode Fuzzy Hash: 92e4777a0531f922992fc44ca8c6d5ef81606426872f0776e6217161776ad818
Instruction Fuzzy Hash: B9519D76704244AFCB56AF69D814D5A7FB6FF8931071680EAE205CF2B2CA32DC11DB51

Function 06A8CEC3 Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

4'^q, xrefs: 06A8CF02

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 4f6868118f1825ac49c60b3686d61c766d15391e2e8b3c158c7b6b1cc73f3009
Instruction ID: 55ab5498c5af7dd88cfec601dd82c69a7b6005a8db613b3839a943a983aca610
Opcode Fuzzy Hash: 4f6868118f1825ac49c60b3686d61c766d15391e2e8b3c158c7b6b1cc73f3009
Instruction Fuzzy Hash: DE416034B106148FCB95BB68D894AAEB7B7EFC9710F518429E413AB394CF749C06CB91

Function 06A88678 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

4'^q, xrefs: 06A886D1

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: cd4c5ab6b93f5699986953f851ed2e06ac64f990a7560ed3a02c585b6fecf540
Instruction ID: 5b4f9fdc01498f3a0a8b9041bbd71fc6c5540294da29cc2f07c15fe915fb5282
Opcode Fuzzy Hash: cd4c5ab6b93f5699986953f851ed2e06ac64f990a7560ed3a02c585b6fecf540
Instruction Fuzzy Hash: 4C31A1357001049FDB15AF64D954A9ABFB7EF88310B0540A9E5069B376CA32EC56CB90

Function 06A8340F Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

p<^q, xrefs: 06A8345A

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID: p<^q
API String ID: 0-1680888324
Opcode ID: b25ad7ccf98bafe210d9f44e39595e4ce5b83939cc60cd5477a2f7764c228f90
Instruction ID: 98153fbb268d21f9066f246441c49d85ae40ce7ec76fb9c729e916b4430f0984
Opcode Fuzzy Hash: b25ad7ccf98bafe210d9f44e39595e4ce5b83939cc60cd5477a2f7764c228f90
Instruction Fuzzy Hash: 1F21CF317001449FDF52EF6AC844AAA3BEAFF89701F154095F819CB2B1CA72DC51CB60

Function 06A83420 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

p<^q, xrefs: 06A8345A

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID: p<^q
API String ID: 0-1680888324
Opcode ID: c7e0c8a830fdd127694daa4c28f27c8d2fe8ac8937857896bc2fc7914fde2564
Instruction ID: 6643ea591965dae52011ecc6b485aa2a37be1b490cd1466e84fe8dd5f38bcfcd
Opcode Fuzzy Hash: c7e0c8a830fdd127694daa4c28f27c8d2fe8ac8937857896bc2fc7914fde2564
Instruction Fuzzy Hash: B4219D317001549FDF42EF6AC840AAA7BEABF89701F0580A5FC19CB3A1CA72DC51CB60

Function 06A80BA1 Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

,bq, xrefs: 06A80C13

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID: ,bq
API String ID: 0-2474004448
Opcode ID: e843a605626d7fd8d6e271fd86a0dc544e16ab7bad50ac5f9fea38509b319a08
Instruction ID: 96ab59b06b126710d8225fd677e8be4dbb0bce00363d83cb4eb4e9ac02942fd0
Opcode Fuzzy Hash: e843a605626d7fd8d6e271fd86a0dc544e16ab7bad50ac5f9fea38509b319a08
Instruction Fuzzy Hash: 1D11BB34B001158FDB04EFA9C9549AEBBB6AF89300F2580A6E901DF362C730ED01CBA1

Function 06C4F028 Relevance: 1.3, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 06C4F093

Memory Dump Source

Source File: 00000008.00000002.2222847887.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c40000_defenderupdate.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2210d862169d7357c90fbe540a4a45c03021340a5670f20b2c62510a4e8b473a
Instruction ID: a656a17e56246edaad34238e8a4d9ed3ded28cb0706eb02b6671770456c67277
Opcode Fuzzy Hash: 2210d862169d7357c90fbe540a4a45c03021340a5670f20b2c62510a4e8b473a
Instruction Fuzzy Hash: C21137B19002498FCB20DFAAC844BDEFFF5EB88324F10841AD459A7250CB75A544CFA4

Function 06A91472 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

Q, xrefs: 06A9149C

Memory Dump Source

Source File: 00000008.00000002.2222199984.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a90000_defenderupdate.jbxd

Similarity

API ID:
String ID: Q
API String ID: 0-3463352047
Opcode ID: 460302219425ac58f0acfd2daa609b33d16314dacb66508eb1c47828d8feb775
Instruction ID: 3a539e420577e8be7fe7d677e9310a8bcd800ba574e49d3992b83aa7a8063443
Opcode Fuzzy Hash: 460302219425ac58f0acfd2daa609b33d16314dacb66508eb1c47828d8feb775
Instruction Fuzzy Hash: A5F0B270D21318CFDB85EFA8D888B9DB7F1BF05309F2014AAE409AB250D7706A41CF50

Function 06A90290 Relevance: 1.3, Strings: 1, Instructions: 16COMMON

Download Yara Rule

Strings

C, xrefs: 06A9029E

Memory Dump Source

Source File: 00000008.00000002.2222199984.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a90000_defenderupdate.jbxd

Similarity

API ID:
String ID: C
API String ID: 0-1037565863
Opcode ID: 18d4bd21d85b7a3914599c7015298d1cf9c7ec06a8a11da7a3c72aca11b75e67
Instruction ID: 29a151cd16ddce9047376281b96453b7c5bbaaee48887ff19d2e2a2f531446e3
Opcode Fuzzy Hash: 18d4bd21d85b7a3914599c7015298d1cf9c7ec06a8a11da7a3c72aca11b75e67
Instruction Fuzzy Hash: 71E09274811228DFDF9ADF64C894B9DBBB5FB45308F601199D40872241C7745B85CE65

Function 06A8D108 Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6d3a96e8e8fa0df672e4ef9a77d5704beddfadd4d13552b581e66f3d1b614c6
Instruction ID: 25fd3de978afe4e186d92a6cdc916492cc39bc7a311dde15e807b766b9958efa
Opcode Fuzzy Hash: c6d3a96e8e8fa0df672e4ef9a77d5704beddfadd4d13552b581e66f3d1b614c6
Instruction Fuzzy Hash: B612FB34A002188FDB54FF64C994AADB7B2BF89300F5185A8D54AAB395DF34ED86CF50

Function 06A80040 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea5b3dd301e6935827ebe05e2738ff453c90bb0c06dfabadc9b6299e56c1cc62
Instruction ID: e70d42e20f9767b74db1c4d71eccf4cc6642bae53568c22256e930527ee6851a
Opcode Fuzzy Hash: ea5b3dd301e6935827ebe05e2738ff453c90bb0c06dfabadc9b6299e56c1cc62
Instruction Fuzzy Hash: F891AE35B012049FDB45EFA4E958AADBBF2FF88311F148069E6019B391DB35DD4ACB90

Function 06A8D0F9 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6c7d76bc2de2db3f306bb09350c60e2e7788f21ad2e11124652ca756b0479dc
Instruction ID: 945d84e57a1c0f7b29c98dcb0198f37f1b870ff4f812085d8696f1d3aa5345e5
Opcode Fuzzy Hash: a6c7d76bc2de2db3f306bb09350c60e2e7788f21ad2e11124652ca756b0479dc
Instruction Fuzzy Hash: 3DA10B34A002188FDB54FF24C994BA9B7B2BF89310F5185A8E54AAB395DF74ED85CF40

Function 06A83543 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 844579a5e860ba74ba92a9897a12aa6f8eb506574a9bee5f03eeae5fd763d220
Instruction ID: 4619cecb36971e2c483c5f4994b4676b436a1d2e7f3be3978d4e72ce154a331d
Opcode Fuzzy Hash: 844579a5e860ba74ba92a9897a12aa6f8eb506574a9bee5f03eeae5fd763d220
Instruction Fuzzy Hash: F5A14A70E002298FEF51EFA5D894AEDBBB1FF48B04F148115E811AB295DB399D46CF90

Function 06A8E0B0 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e577b4c950776c4b85540926fd1d104dd085cacea034f672ceec79e3b2e94cd
Instruction ID: c86b862301e33be5c240aa08629f885755d997a515544b425df0bc6037cc2b2e
Opcode Fuzzy Hash: 9e577b4c950776c4b85540926fd1d104dd085cacea034f672ceec79e3b2e94cd
Instruction Fuzzy Hash: 49814B34B10215DFDB54FF68D894AAEBBB6BF89710F1540A9E5069B3A1DB34DC02CB90

Function 06A859A8 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e41f5471362182056d1f13fd07eebd10cb44b531949098dc03e59a0057723f
Instruction ID: e47ff5eb389032a4f3e41d694286f0b306f2234818f2db07c168c788cc206988
Opcode Fuzzy Hash: a8e41f5471362182056d1f13fd07eebd10cb44b531949098dc03e59a0057723f
Instruction Fuzzy Hash: 31811575E406188FCB54EF69C58899EB7F5FF88314B1580A9E8169B361DB30EC42CF90

Function 06A8E0A0 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfa7b5193f1ac25b399ceb38fbba699dc3ef67df6782070ebbf59ffd96b1eecf
Instruction ID: 6cbbf9cfc1d2e7b93902a94d6b59cc84368919bb5e2d3e786c11375e1e3e1dcb
Opcode Fuzzy Hash: dfa7b5193f1ac25b399ceb38fbba699dc3ef67df6782070ebbf59ffd96b1eecf
Instruction Fuzzy Hash: 9D612C34B10214DFDB54EF68D894AAEBBB6FF89710F1541A9E5069B361DB30EC42CB90

Function 06A88DE8 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bacaab86fae74decd7cbb8a1d1649e70b7b2f254ae8c8b0c2b68ef7fab3aa4a5
Instruction ID: 7a3a68789a663b9f9e22581dddbc5f45738328ffc6d9d40556c10ec82046fe4a
Opcode Fuzzy Hash: bacaab86fae74decd7cbb8a1d1649e70b7b2f254ae8c8b0c2b68ef7fab3aa4a5
Instruction Fuzzy Hash: 6C513C34B006099FDB14AF64E498AAEBBB6FFC8711F008119E5069B364DF749D4BCB91

Function 06A8DD90 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbcabdc6329dad3ac21b3a3d4e1a2ed7b219930031a8fea058ca4bfcbf4ed1d
Instruction ID: 557b036fb9bd7eeeeede2605390dcb86778a7f0da80daa736cca5dc882fda6fb
Opcode Fuzzy Hash: 2fbcabdc6329dad3ac21b3a3d4e1a2ed7b219930031a8fea058ca4bfcbf4ed1d
Instruction Fuzzy Hash: 15419F307002059FD769BB25D994B2ABBA3EF85304F14856CD5464F6E1CB76EC86CB90

Function 06A97128 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222199984.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a90000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cd3a5d4f82b6071de9b04e9f76f08a924357397daa0a7b32153060bcdcedfab
Instruction ID: d40cc858597cd0dcbff9a287deb8e8ad8c782043cfb7c71fc2875e6e61390d1c
Opcode Fuzzy Hash: 9cd3a5d4f82b6071de9b04e9f76f08a924357397daa0a7b32153060bcdcedfab
Instruction Fuzzy Hash: 5551D270E11209DFDB58DFB9D594A9DBBF2BF89304F24806AE409AB360DB319945CF60

Function 06A97119 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222199984.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a90000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f13f3d5aff4820693475e1ace0174c85942e27214ee1a31d43bb62c97d1e84df
Instruction ID: 28aff8f0b6ffc78d6c812e562dff5ca79503129ec2289f3f03d75e0eeb9e380e
Opcode Fuzzy Hash: f13f3d5aff4820693475e1ace0174c85942e27214ee1a31d43bb62c97d1e84df
Instruction Fuzzy Hash: 2F41D574E11208DFDB58DFB9D954ADDBBF2BF89304F248069E409AB260DB309941CF60

Function 06A808DF Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 216fca425f0380d76358fa837df1a15518afda5fade47850d951f0594c6d1439
Instruction ID: 24d72939227aebb4fe771dac66f55cb7100a3f6f8466bb5fccb1dbd2598cf79e
Opcode Fuzzy Hash: 216fca425f0380d76358fa837df1a15518afda5fade47850d951f0594c6d1439
Instruction Fuzzy Hash: 2D41BE71F00215CFEB50EFA9D845AAEBBB1FF88344F00806AD556EB2A0D7359949CB91

Function 06A8B9D0 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1994e40f01cc6fc0629c487b8299bdbbad5079c13f1cc1335cf3e063b6760c5b
Instruction ID: 9eeac147f4f09634e15cd65de98f7d8673b0eda85990d3df6d0f13fb9c978ca5
Opcode Fuzzy Hash: 1994e40f01cc6fc0629c487b8299bdbbad5079c13f1cc1335cf3e063b6760c5b
Instruction Fuzzy Hash: 03310836A101059FCB45EF58D888EA9BBB2FF48720F0680A8E5099F372D731EC55DB50

Function 06A8E3B8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3818bce4ba370bf27312311a83c8711698b538449c02fc42f8fc46a80fcdda89
Instruction ID: 21c8795f5d219da9dc811cfa489ebfa4eabb772e3d32b22a70ec1d5fbbae9294
Opcode Fuzzy Hash: 3818bce4ba370bf27312311a83c8711698b538449c02fc42f8fc46a80fcdda89
Instruction Fuzzy Hash: C5311935B00119DFDB54EF64D894AEEB7B6FF88310F108069E815BB294CB759D45CBA0

Function 06A9EA20 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222199984.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a90000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d8c00947841ab62da701c695c9b04304b865c27d28cc2d7df98db25e4a48343
Instruction ID: 234ccc8490643b5a4013e0c4b730ecaa2b0191198cbf2a08c6a7c4ec1cd80478
Opcode Fuzzy Hash: 5d8c00947841ab62da701c695c9b04304b865c27d28cc2d7df98db25e4a48343
Instruction Fuzzy Hash: 64410274E04208DFEF44DFA9D8846AEBBF6FB89300F208065D415A7355DB386A45CFA1

Function 06A89B88 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 032e41b60fe25cfbc82df4be9c1fa6d20d1b4c540a19bd1e2568ca51b1424694
Instruction ID: 3126b11c1d687df155ee25bf03958a9bf70e455b9e44a50fd41acc4de5f3110b
Opcode Fuzzy Hash: 032e41b60fe25cfbc82df4be9c1fa6d20d1b4c540a19bd1e2568ca51b1424694
Instruction Fuzzy Hash: F621B0317052004FDB65AB6DE884A67BBE5EBC5321B1985BAE149CB256CB31E842C7A0

Function 06A82B01 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99dd92198630d49a02093009814aaee2c778257a776116b288d5d3277f41ccd5
Instruction ID: 8dffda93aaa45ade7d3f2f6de04af442250f67dc4c60890f6868a3cd08e9ce01
Opcode Fuzzy Hash: 99dd92198630d49a02093009814aaee2c778257a776116b288d5d3277f41ccd5
Instruction Fuzzy Hash: 57316B70A00701CFD725BF25D85862AB7B6FF85305B14882DD9168B3A5DB32ED57CBA0

Function 06A96841 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222199984.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a90000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26a27748427b0189ff845103287160a87ff90af16b49146d7dac549cf8abf85d
Instruction ID: f26968124eb9d5e3de1b6fd335ebf949f7f161560f3a9066ce147774e8304a5a
Opcode Fuzzy Hash: 26a27748427b0189ff845103287160a87ff90af16b49146d7dac549cf8abf85d
Instruction Fuzzy Hash: 2B31F975E00218DFFB58DF6AE884B99BBF5AF86310F14D0AAE419A7350DB301985CF61

Function 06A8F180 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5098c20ea415e89f12b3d95b6a964592eac6326b96ee04168c031f539b29f957
Instruction ID: f29e7c214b05d2aaa2847bc69ced71687c66a7a065e3f77e7be667ae1b6f3ebf
Opcode Fuzzy Hash: 5098c20ea415e89f12b3d95b6a964592eac6326b96ee04168c031f539b29f957
Instruction Fuzzy Hash: B6217674B1060A8FCB40FFA8C5444AEF7F5FF89700B104169D516A7354EF74AA46CBA1

Function 06A96850 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222199984.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a90000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d281432795c78306f83b3beb4efeb17099ef54a4c4979846702e23391565113
Instruction ID: 8bdb36a1fbdd1dcb902a63f393d7db7c0d85194c0d74439edf18f213022ddcdc
Opcode Fuzzy Hash: 7d281432795c78306f83b3beb4efeb17099ef54a4c4979846702e23391565113
Instruction Fuzzy Hash: 6731C474E04218DFFB58DF6AE844B99BBF5AF8A300F14D0AAE41CA7250DB345984CF61

Function 06A82980 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccddf1c12bd613b543cf4f68e8ed7735559a1d8ab8e572a18bf1fdef6e859fd3
Instruction ID: a0ff57279e18cf3d44ac8a9a00a2e503f31e5075dc89449995d107f65b46c13b
Opcode Fuzzy Hash: ccddf1c12bd613b543cf4f68e8ed7735559a1d8ab8e572a18bf1fdef6e859fd3
Instruction Fuzzy Hash: 8E211671E00219AFEB90EBB8C904BBEBBF4AF44350F108066D559DB290E634CA51CBD1

Function 014DD4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2167575224.00000000014DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14dd000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dab98da8769a48c5b2c9bf93da0622fea691a9f209882c7c8d1cfe202a2154ca
Instruction ID: 075a7458301d46dbe4e1a54318e30f01a9aec0f9ad4ab11ecd874c57c09e2026
Opcode Fuzzy Hash: dab98da8769a48c5b2c9bf93da0622fea691a9f209882c7c8d1cfe202a2154ca
Instruction Fuzzy Hash: 43210671944200DFDF05DF98D9D4B27BF65FB84318F60C16AD9090A2A6C336D456C7A1

Function 017DD104 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2167805076.00000000017DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_17dd000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc858709cf0514819ea7f3a9e326319b8205435c7639e5807a37592282cb5205
Instruction ID: 466d53eb7fa58e5c13a12309308381bebbc057aae64de259aaf0b80e3f5e6e5e
Opcode Fuzzy Hash: fc858709cf0514819ea7f3a9e326319b8205435c7639e5807a37592282cb5205
Instruction Fuzzy Hash: 63212571104248DFDB15DFA8DA80B26FFB5FB84314F25C1A9E9090B286C337D40AC7A2

Function 06A8B9C1 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cc8d6693ed12e5fb67be73420694a35f8cf1b9954c0ba9eda759f73db5aa8e4
Instruction ID: 7e7638b301fb3e3f8116bdee98b157fd68db4d84c6b67516271b3c76cf2900d8
Opcode Fuzzy Hash: 4cc8d6693ed12e5fb67be73420694a35f8cf1b9954c0ba9eda759f73db5aa8e4
Instruction Fuzzy Hash: BA210B36A101049FDB05DF99E988D99BBB2FF89320B1640A9F6099F372D731DC15DB50

Function 017DD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2167805076.00000000017DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_17dd000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a368d99cdb3cccb5c96b66f0c5165b6823bb7de3387c4daaacd0c106e7eab0b1
Instruction ID: 0e26e978656a30e313466510b519915b44a6eed55660d81e0ad0adb5fc47fa1e
Opcode Fuzzy Hash: a368d99cdb3cccb5c96b66f0c5165b6823bb7de3387c4daaacd0c106e7eab0b1
Instruction Fuzzy Hash: F4210071604208DFCB25DF68D984B26FFB5EB88314F24C5A9D80A4B296C33AD446CA61

Function 06A8F170 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 315d6cfcba119f718d58637e052822bd1ae01c714fc8666d0950191d20cb0fbb
Instruction ID: e84af6340d4435ed99bf07ffdfd483eeb10a4766f18d4524d77946406c182a7c
Opcode Fuzzy Hash: 315d6cfcba119f718d58637e052822bd1ae01c714fc8666d0950191d20cb0fbb
Instruction Fuzzy Hash: 43219834A0060A8FCB51FF68C5409AEFBF5EF89700B10415AD51697360EB74AA46CBA2

Function 06A872B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a9915a9b47dfe79e18543636f78f3059e348794f9a669eab47a516ee8f6b6a6
Instruction ID: f54b6442c2e15176858aae8b2dc96545770ee158285024307c6c79d729d791e4
Opcode Fuzzy Hash: 9a9915a9b47dfe79e18543636f78f3059e348794f9a669eab47a516ee8f6b6a6
Instruction Fuzzy Hash: 4121E631A001098FDB44EF54CA44ADDB7F2FF88301F2141A5D505AB361C776EE45CBA1

Function 06A977D8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222199984.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a90000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dbea66e986dfab475322de3a29523d479aff295ef5ecdb63b88e6edc5a6d153
Instruction ID: 64a878152b25ee218c2f311eafc248f650b6b0512b62393f60dc31d4fbfb1e73
Opcode Fuzzy Hash: 3dbea66e986dfab475322de3a29523d479aff295ef5ecdb63b88e6edc5a6d153
Instruction Fuzzy Hash: A9212A70E1420ADFCF48EFA9D4456AEBBF5FB88300F20D5A9D415AB240DB349981CFA1

Function 06A96DBC Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222199984.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a90000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75299cb704f850f7eb3de8eba31862b163e48c5cd8a37ba802c911f81e0296f2
Instruction ID: 6717464b84141ca8991285659a2954343025958f1bc705ae487e4c6371bbd6a5
Opcode Fuzzy Hash: 75299cb704f850f7eb3de8eba31862b163e48c5cd8a37ba802c911f81e0296f2
Instruction Fuzzy Hash: DF319F74E01218DFFBA8DF69E884B99BBF1BF4A304F10D0A9E459A3250DB345984CF51

Function 06A8DCD0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 559135d379222586fc45ba49c1241fe7fc71435a67092e70f14032db562fe992
Instruction ID: 33533756abe873e7d1c9c1040b0f6cafe6e3b4f3111272e1a4a4766c89e45166
Opcode Fuzzy Hash: 559135d379222586fc45ba49c1241fe7fc71435a67092e70f14032db562fe992
Instruction Fuzzy Hash: A421C0347006048FCB51FF28D984AAEB7F6EF89300B144569E5169B3A1DB30AD05CBA1

Function 06A808F0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12488e37f98b8c099dd42d8be752513f297cb5e9e84936b18ece27c41eccaedd
Instruction ID: 287cf02250ca7f66fffe7caab46fbcc5ea59007ddf184981c809adbdca1c13b8
Opcode Fuzzy Hash: 12488e37f98b8c099dd42d8be752513f297cb5e9e84936b18ece27c41eccaedd
Instruction Fuzzy Hash: F8215E71E00219CFEB50EF69D844AAEBBB1FF88754F008529D906A7350EB35A849CB90

Function 06A872A1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 005f43a668ac680bcbac3e8ee13d2c05fd3c4ee1ff057926914e8147a0ed820e
Instruction ID: 7c1d2da8a4dfe5985f62dcab9de7233f9b68e4bca2f31019551515ca4983b2aa
Opcode Fuzzy Hash: 005f43a668ac680bcbac3e8ee13d2c05fd3c4ee1ff057926914e8147a0ed820e
Instruction Fuzzy Hash: 6B211531A00109CFDB44EF64CA54A9EB7F2FF48304F2141A4D541AB2A5C7769E45CBA0

Function 06A96D58 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222199984.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a90000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c3da485eb59547612f6666f8aad51942367cca38ede980107a65246be67ad92
Instruction ID: 148ce79561f84b39663c9b1e6c8ae4028bbd51a3df4f7dfd1add014683ae5aa2
Opcode Fuzzy Hash: 3c3da485eb59547612f6666f8aad51942367cca38ede980107a65246be67ad92
Instruction Fuzzy Hash: 44317F74E00218DFFF58DF6AE884B99B7F1AF86315F1490A6D01CA7250DB345A85CF61

Function 06A96B2F Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222199984.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a90000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37cd0c3971f7651c136c25a3e7f77d66d784e15a265cb30f9e92519a4365a40b
Instruction ID: e5988a2a7ea582a8fcdf82db32f5e9396fbd8f66a09dcca8eb6bc9ab3cda6bd5
Opcode Fuzzy Hash: 37cd0c3971f7651c136c25a3e7f77d66d784e15a265cb30f9e92519a4365a40b
Instruction Fuzzy Hash: C1318D74E01218DFEBA8DF69E884B99B7F1BB46304F1091EAD01CA7350DB345A84CF61

Function 017DD005 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2167805076.00000000017DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_17dd000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf1531ed956dc30cddba1108c96adcdb9f274a0729f87710500d8fc54c9583f3
Instruction ID: 3ce8c442d6dfe639433e2f4969b4c85a4b94743d12dbe0d28412db39a3b5948b
Opcode Fuzzy Hash: cf1531ed956dc30cddba1108c96adcdb9f274a0729f87710500d8fc54c9583f3
Instruction Fuzzy Hash: 4E2192755083849FCB13CF64D994711BF71EB86214F28C5EAD8498F2A7C33AD80ACB62

Function 06A96A81 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222199984.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a90000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92be5eafa8d8cf82aee7c38f6c8313e6ebe13e43c9c182d5c4bf7a8211783be7
Instruction ID: 6f1839aae76cab1b91e5cdc6c4f0c65f7b9beb6ea22cd1854e0de142a5308611
Opcode Fuzzy Hash: 92be5eafa8d8cf82aee7c38f6c8313e6ebe13e43c9c182d5c4bf7a8211783be7
Instruction Fuzzy Hash: 50219F74E01218DFFB58DFA9E884B9DBBF1BF46304F1090AAE058A7250DB345999CF61

Function 014DD49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2167575224.00000000014DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14dd000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 69e81f62d3b02fbf13a95b693cb2bbd9dfe0fb1533411fc961c95d6e0fac5cd1
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 0011AF76904240DFDF16CF58D9D4B16BF61FB84324F24C5AAD9090B266C336D45ACBA2

Function 017DD0FF Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2167805076.00000000017DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_17dd000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8904e6e2034f6e8b723f427b0fac37b038faba2da46a35eb3e2bfe2bad4ef527
Instruction ID: 426eeb397885fd015fef2a15ad9a64f78361560cbebf795c62e701c619cffbf3
Opcode Fuzzy Hash: 8904e6e2034f6e8b723f427b0fac37b038faba2da46a35eb3e2bfe2bad4ef527
Instruction Fuzzy Hash: FF11AC76504284CFDB16CF54DA84B16FF72FB84214F29C2A9DC090B696C33AD51ACBA2

Function 06EAFE48 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2223693666.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e90000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6040cff57f446266bbb8668160f0ce528cf0325f53ec0cb7b2b3c3a682a0545
Instruction ID: 01f4cc72a6a87e32b9fe93d4001f92b7987edc8e0da5cfd101cb728d4a1381d1
Opcode Fuzzy Hash: b6040cff57f446266bbb8668160f0ce528cf0325f53ec0cb7b2b3c3a682a0545
Instruction Fuzzy Hash: 0C11C631B003059FDB94AF6898447AE7BF6AF8C751F109029F515DB380DB31D902CBA1

Function 06A80B20 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ee8cf27cf05db8875d6df13f293379cd483e6e5528a62b263654dd739fad8ea
Instruction ID: 0e0cb9b64ec9f57d14a446fbf3dd46663b14b1cb939dc89ac73af354a6aad28b
Opcode Fuzzy Hash: 6ee8cf27cf05db8875d6df13f293379cd483e6e5528a62b263654dd739fad8ea
Instruction Fuzzy Hash: B2012833A042585FD794EF98D044BDEBFE4EF44270F2480ABE484CB251E631E994C750

Function 06A96B9F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222199984.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a90000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffdacfcd57f086369262a1e893e83f56ba2e240d69ddb28b9a6de2942f7499a5
Instruction ID: 4e86435c91b356e927544cbbf4dfd735724a91b8dd0cfc7fee65a926b64756b9
Opcode Fuzzy Hash: ffdacfcd57f086369262a1e893e83f56ba2e240d69ddb28b9a6de2942f7499a5
Instruction Fuzzy Hash: A2217E74E01218DFFB98DF69E884B99BBF0AB46314F1090AAE418A7350DB345984CF51

Function 06A8E4F8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4bc6390f56830cea174e9dd4247d34a9c1ad9e5a1d4376084ab0bd77843ac04
Instruction ID: 6cd74aae2345955bad6c49572bce8dc95258de57145fbe2748178df84fad8c52
Opcode Fuzzy Hash: b4bc6390f56830cea174e9dd4247d34a9c1ad9e5a1d4376084ab0bd77843ac04
Instruction Fuzzy Hash: EF01E1307003049FD769BB34C954A7A7BA2AF86324F08469DE4564B6A1CB75DC42CB90

Function 06A88071 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bb839645bd7e8275145f8ecfb6fe7c8fa0c8e6998eeb99b75c01f4bff9f8759
Instruction ID: 175fa73b1d78340355932c429f230a0b43319a010a09fb214d2609d190ae8ace
Opcode Fuzzy Hash: 0bb839645bd7e8275145f8ecfb6fe7c8fa0c8e6998eeb99b75c01f4bff9f8759
Instruction Fuzzy Hash: 9401F475B0A2258FEFA27A286C102ADEBB5EB84214F50053EE955CB246CB798C46C3D5

Function 06A8C400 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4773faef3b81607f456f37b3925165ab97489017ca02379c5e6817098508f14c
Instruction ID: 0d9ef1fe3acb8b8fc3c98c74e29d387d839b6a3e2b34c0751a2761070ed5e60b
Opcode Fuzzy Hash: 4773faef3b81607f456f37b3925165ab97489017ca02379c5e6817098508f14c
Instruction Fuzzy Hash: 2001FC393006049FC319AB24E41485BBBB2EFCD711B1081A9E9068B3A1CF31EC47CBE2

Function 06A977C8 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222199984.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a90000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b9bade45fd1100deb56a1a5083f68e8247a205bb45cfbb6f0f8c8fcccd4dfd0
Instruction ID: 2bb85aba1e9672ee8b34c23ff8d0f015c3c2c13db4e607a9501352cc7eb5bbd5
Opcode Fuzzy Hash: 1b9bade45fd1100deb56a1a5083f68e8247a205bb45cfbb6f0f8c8fcccd4dfd0
Instruction Fuzzy Hash: 43118E70D183498FCF88DFB9D4412AEBFF5AF85300F24D5A9D014A2251EB308681CBA1

Function 06A9DC30 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222199984.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a90000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38c3ae4f098833470912dbcad1da37219e7cacd1f09b82a9b3991901372cd250
Instruction ID: 9215cff67c51ea8f746dbc1d48ae5db13aa46531b7fe0d0c57fb353faf4c3049
Opcode Fuzzy Hash: 38c3ae4f098833470912dbcad1da37219e7cacd1f09b82a9b3991901372cd250
Instruction Fuzzy Hash: 99115E70905508CFDB44EF66E88579EBBF6AF99300F109469E549A7240CFB029C0DE51

Function 06A96929 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222199984.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a90000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de90e8ca7ed273e804a199bfdde06fcc6124512b8e49b031f9b33bdc794dfadf
Instruction ID: f2f7263b6161e9cf17cbdccd0514344d54b47a734b4aadc65c923d0c5e1a0cf4
Opcode Fuzzy Hash: de90e8ca7ed273e804a199bfdde06fcc6124512b8e49b031f9b33bdc794dfadf
Instruction Fuzzy Hash: AC118074E04218DFFF58DF6AE884B99BBF1AF46304F10D0AAE019A3250DB3459858F61

Function 06EAEF30 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2223693666.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e90000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06999359f5fa081f1c1b8ce607e8f442fbbeb1a7be7386a712660eece03f9113
Instruction ID: 4b74ebcbe6e5061dac0561f1167bf4553b84ae370a7eb7f682515434d7f59eb0
Opcode Fuzzy Hash: 06999359f5fa081f1c1b8ce607e8f442fbbeb1a7be7386a712660eece03f9113
Instruction Fuzzy Hash: 4E11F7B0E0020E9FCB44DFA9C9456AFBBF5FF88300F20846A9418A7354DB309A419B91

Function 06A8E508 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec22eaac0a960635ca0fc4545041484137314b878eb384e85a9b1529a7e5bc1
Instruction ID: cdede3f357f93d561988889e94e4250c032ca7ee06d5ee21b378c988f977ef6c
Opcode Fuzzy Hash: cec22eaac0a960635ca0fc4545041484137314b878eb384e85a9b1529a7e5bc1
Instruction Fuzzy Hash: 1F019A307003049FD369BB34D958A2A77A2FBC9320F148668E5664B6A0DB76EC42CB90

Function 06A80CF8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c211a9687a1037f15e88f44a1ac371769de8784b68fd4b649b4d75910ee1af1
Instruction ID: f8312d4388a2a74e5374841724d063aa6939e7e3b7953f45d2b5c2a93bd7121f
Opcode Fuzzy Hash: 5c211a9687a1037f15e88f44a1ac371769de8784b68fd4b649b4d75910ee1af1
Instruction Fuzzy Hash: BBF062317000119FC704AB2AD894A6AF7EAFBC8654B2480B9E609CB365DE31EC01C7E1

Function 06A8FD11 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a7738856e158e0d5ba0c34a7ff44b9d7e0a71aa6006449c3f81d24cdc8a91a3
Instruction ID: d7b897979a26366eb7ca7beea2cc147fe0647e0cb07f8fc777aae8bce19c2bea
Opcode Fuzzy Hash: 1a7738856e158e0d5ba0c34a7ff44b9d7e0a71aa6006449c3f81d24cdc8a91a3
Instruction Fuzzy Hash: D7F0C232B102149FDB14FB24D858BDEBBA6EBC8311F10417AE612A7380CB758C07C790

Function 06A8C188 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc9fffd1b7b753bed238dd21e273c4e7a87b78bdb7894fc5ee3aedc2a27b963a
Instruction ID: 6beb0ae3ca80f8a2f99a9f5635ae8f7b14ac1def1f6323f98c36cad92d0e59a4
Opcode Fuzzy Hash: fc9fffd1b7b753bed238dd21e273c4e7a87b78bdb7894fc5ee3aedc2a27b963a
Instruction Fuzzy Hash: ECF03C393113109FD715EB24D854DAA7BAAEF89711B0540AAF556CB762CA31DC42CB90

Function 06A8C410 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e42290f3255c64c64917a9e445877de961dccece652610891d2dc3662e5ebc3
Instruction ID: 0594816a659dcc3c7e468cb68c6ae3cc2ee8378913481b310606b68cc494ef23
Opcode Fuzzy Hash: 7e42290f3255c64c64917a9e445877de961dccece652610891d2dc3662e5ebc3
Instruction Fuzzy Hash: C6016D393006149FC705AB25E05491ABBA7EBCD711B108169E9068B391CF75EC03CBD5

Function 06A88DD9 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbc58b8df4821682127e8dd4537046847551021967b13ac4318aafdfc023ba88
Instruction ID: 007d2d5b264903ac87fc0ddd4f4318fbdba8ec84ddb1fb8c7f89b527c72198f5
Opcode Fuzzy Hash: cbc58b8df4821682127e8dd4537046847551021967b13ac4318aafdfc023ba88
Instruction Fuzzy Hash: B1F0F63A7100085FCB14EB18D454DAABBABEFC8224B044026F914DB320DF709C16C791

Function 06A88233 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94c02d26bd20f5be816ca39a07a75302ab44e2eff248975033b317736308f4a9
Instruction ID: 67369d7e8cef2dd6a50d510dedc0f46ed9047c484e392f5b8971911819eb46f9
Opcode Fuzzy Hash: 94c02d26bd20f5be816ca39a07a75302ab44e2eff248975033b317736308f4a9
Instruction Fuzzy Hash: DAF024312062015FD711AB19E884997FF66EED1315304827BE06A8B227CE24DD4FC7A0

Function 06A92E78 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222199984.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a90000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b41505f417bb0134aff62dfcd36b2027eb6df5b930f3dd2d760a067767283916
Instruction ID: 99c9942f35f98d2dc71ce18242c3c60015bccefcb752894a2f55c696f27173c6
Opcode Fuzzy Hash: b41505f417bb0134aff62dfcd36b2027eb6df5b930f3dd2d760a067767283916
Instruction Fuzzy Hash: 57F04F70909288EFCB81CFA8C950AEEBFF5AB0A210F14809AE854D7242C6354A11DB60

Function 06A811B0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6e2f982c006ffa0e2cc459427b774ee8479b2e3bffc3b1f25b48a5bf99ccade
Instruction ID: 1f47ada42d0b399030ee22acaec06edddaaa4aa83d764aa92fe7cbe73a095494
Opcode Fuzzy Hash: b6e2f982c006ffa0e2cc459427b774ee8479b2e3bffc3b1f25b48a5bf99ccade
Instruction Fuzzy Hash: 89F09030908258AFEB15EB6498486DD7FB7AB45215F04809AE00586551C7300A86C791

Function 06A8E6F1 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78a4906019ea4d4ed6bfd374df173aa77c34edd4677a3e45704b281360e693a1
Instruction ID: 181b588f45846ae3f6bf5d7bc875665f89c3897e3104d5896c9ace2ad56fa281
Opcode Fuzzy Hash: 78a4906019ea4d4ed6bfd374df173aa77c34edd4677a3e45704b281360e693a1
Instruction Fuzzy Hash: C4E02B35B042482FD755F6695D11BDF6FA7CFC5210F0A80ABE118CB292D975090287B4

Function 06A880C0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc4d228f8d4a903881c543ac85ebbffb72021c6fc34452f77d92a9dc167cb181
Instruction ID: 049f5d4b62bd87b5fdd007a3672d7cf7d867ffdcff9badd546f765efc9ed5de3
Opcode Fuzzy Hash: bc4d228f8d4a903881c543ac85ebbffb72021c6fc34452f77d92a9dc167cb181
Instruction Fuzzy Hash: 43F0276570F1614FEBE2362C6C6012997B1DB8560078401BED982CB356DD49CC03C395

Function 06A8C198 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ecfc155039ee79b31419de87e9e1b877f0e706c7c6fc91ef7b6caa90d11132f
Instruction ID: 289ae2035aab42be8dfca995bffcacebe715ad0bd322be86a7085ab06949e569
Opcode Fuzzy Hash: 2ecfc155039ee79b31419de87e9e1b877f0e706c7c6fc91ef7b6caa90d11132f
Instruction Fuzzy Hash: D4F05E353002009FC714EB29D854D6A77AAEFC9721F118069FA068B361CA31EC42CB90

Function 06A82951 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c3418d3cbf7c5e2f8419a53bb12001201ef55eabd54a60f25fd45eba36d67c2
Instruction ID: 0639430da82d49b7c6add1e15fe47589fc69a27afa6aa0d047b6800491f1ecee
Opcode Fuzzy Hash: 9c3418d3cbf7c5e2f8419a53bb12001201ef55eabd54a60f25fd45eba36d67c2
Instruction Fuzzy Hash: E7F017B2C053998FDB55EBA499157FEBBB0AB11200F0880ABD154EA192E2388755CBA0

Function 06A939E9 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222199984.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a90000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48d4f1a32096bacc912e9bb9e1cf9ccf76723331e638d36018bd995eb1082b60
Instruction ID: 81395d34006cb187a74261e61719b1ea04c3fbd4d9739a5736c3773d90dc559b
Opcode Fuzzy Hash: 48d4f1a32096bacc912e9bb9e1cf9ccf76723331e638d36018bd995eb1082b60
Instruction Fuzzy Hash: 15E0D83094618C9FCB41EBF86D007DB3FB5DB0A200F1559D6A544D7161DA360A41EBB1

Function 06A92E88 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222199984.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a90000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abd8349ba260c9e8229bd9351310ac3e33f9c1a1372cdcbd1f1a5e2dfb78e282
Instruction ID: aa8a053d3484a107aacbc0cb048ba20d908211a95f902f5963189738fb2a6326
Opcode Fuzzy Hash: abd8349ba260c9e8229bd9351310ac3e33f9c1a1372cdcbd1f1a5e2dfb78e282
Instruction Fuzzy Hash: 71F0F874D04208EFCB80DFA8D840AAEBFF8AB49310F24C49AA858D3341D6359B11DF60

Function 06A89CB0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f60b1ce5bedde3ead11f78443af89386ecfab7612e252a2f74a672aa10f9f32
Instruction ID: 83e18b20a63ceb47835d61e40a8358eaac4dc74c0388f08a69c87fe373af0308
Opcode Fuzzy Hash: 2f60b1ce5bedde3ead11f78443af89386ecfab7612e252a2f74a672aa10f9f32
Instruction Fuzzy Hash: 89E0DF343083440F9B62BA28A8106A33FE38B4520430452B5E485CB70BD610EC17CBA0

Function 06A811C0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac4f57a5fbd6fc4ff0405fc329336fdeeeb6fb75dc27c1dd33bfa9815ff5374e
Instruction ID: bce4031ea85fe8e267df9e1bd8ee900a522edf5eca42a97489c25a61bb158d4d
Opcode Fuzzy Hash: ac4f57a5fbd6fc4ff0405fc329336fdeeeb6fb75dc27c1dd33bfa9815ff5374e
Instruction Fuzzy Hash: 78F03931E04218AFEB09EFA8D4887DDBFB7AB85321F14C099D00996280DB701E86CB94

Function 06A88240 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6ee523dd268c8c2bd1f2f9ea60f346951c4f89f79f7ede6f2e7539644dc9b03
Instruction ID: 0854a48adfa56b0c19e2b5e0e1b2356455f545840e21c811780b0c30048002d7
Opcode Fuzzy Hash: c6ee523dd268c8c2bd1f2f9ea60f346951c4f89f79f7ede6f2e7539644dc9b03
Instruction Fuzzy Hash: E3E012312002055FC710AA1AE88494BFB9AEEC0365714D539E11A87225DA71ED4E8690

Function 06A9871E Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222199984.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a90000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51928b1447390a536852057e90ed0dc37675d66c0aecc076fd060f1a50cade55
Instruction ID: bbdd3ed05f790ea48142cf075c6fe490f2b1c03155710ae1ac60687bbfe9c71c
Opcode Fuzzy Hash: 51928b1447390a536852057e90ed0dc37675d66c0aecc076fd060f1a50cade55
Instruction Fuzzy Hash: 93F0A0B1E05315CFEB919F20C80979ABBF0FF02305F1504D6D48992141C3748A84CF26

Function 06EA5CC8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2223693666.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e90000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a265ce1c348fca7e6ff094049c85adf4241592313bf2e62c68ce1211dbed6caa
Instruction ID: b5ce07efdbbdb3da11f5471fa5b7c6383af6d4b68e9bb8f719418498e829cee4
Opcode Fuzzy Hash: a265ce1c348fca7e6ff094049c85adf4241592313bf2e62c68ce1211dbed6caa
Instruction Fuzzy Hash: CDE0C974E04208EFCB84DFA8D545A9DBBF4FB48310F20D5A9AC0897340DB31AA51DF80

Function 06EABA48 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2223693666.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e90000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a265ce1c348fca7e6ff094049c85adf4241592313bf2e62c68ce1211dbed6caa
Instruction ID: 05a20d1a02a130f7107c396449ac4ea4a2275a958af57b2bbf9f09cda5c68e83
Opcode Fuzzy Hash: a265ce1c348fca7e6ff094049c85adf4241592313bf2e62c68ce1211dbed6caa
Instruction Fuzzy Hash: AEE0C974E04208EFCB84DFA8D44169DBBF9EB48310F10D5A9AC0897351DB31AA51DF80

Function 06EAA410 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2223693666.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e90000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a265ce1c348fca7e6ff094049c85adf4241592313bf2e62c68ce1211dbed6caa
Instruction ID: 14019836848f9c9a5ba68c916a2e9727d6f35eebf7a48382c408142d4beea62a
Opcode Fuzzy Hash: a265ce1c348fca7e6ff094049c85adf4241592313bf2e62c68ce1211dbed6caa
Instruction Fuzzy Hash: FEE0C974E0430CEFCB84DFA8D44569DBBF5EB48310F50D5A9A81897340DB31AA52DF90

Function 06A9EF78 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222199984.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a90000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afaf449d4a6217ccaf8303adfed03a407c3069e0769197b6f315787230a0c553
Instruction ID: 3310d755ceb14d3d829e2f4d0f23c27cdfc58ba54019ecba0d65ad299ba297b3
Opcode Fuzzy Hash: afaf449d4a6217ccaf8303adfed03a407c3069e0769197b6f315787230a0c553
Instruction Fuzzy Hash: DDE0C974E04208EFCB84DFA8D44169DBBF4EF48304F20C5AA980993341DA315A01DB51

Function 06EAFE00 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2223693666.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e90000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b836543278369b8ce9eb1535075864d858ed291bbb4cd4035021818ebf296a3b
Instruction ID: 606249eaf68a4375670c71aad162c584dcd339f5761581e9d1f006430481d6bf
Opcode Fuzzy Hash: b836543278369b8ce9eb1535075864d858ed291bbb4cd4035021818ebf296a3b
Instruction Fuzzy Hash: DEE0867490830CEFC744DF94E4419BDBFB8AB55310F14D5A9EC4457341CB31AA51DB95

Function 06A82D10 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f7b8513e9ed6c0599b35fdaf3361ace5baaf4b02e9d8eaa55361027e53fb695
Instruction ID: 7e5f38ca8f7d8a4e9d7c540765b2389167929404f4598f8cd97bcb92fdf3324c
Opcode Fuzzy Hash: 8f7b8513e9ed6c0599b35fdaf3361ace5baaf4b02e9d8eaa55361027e53fb695
Instruction Fuzzy Hash: 0BD02B306403049FDBF436608C0077233E86F04754F104465DA049F1C0D676E901C6D2

Function 06A9FE60 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222199984.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a90000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc2b6a8e54dd26c1de4759bb2207bfe9c539110544a77f1a516bf83e1016b50d
Instruction ID: 13a8e9da404843f52757ed10a8d33b1a29279ce27cdfcc7f7a82ae62d917edd8
Opcode Fuzzy Hash: dc2b6a8e54dd26c1de4759bb2207bfe9c539110544a77f1a516bf83e1016b50d
Instruction Fuzzy Hash: 25E0863490410CEFCB44DF94D4419ADBFB4EB45310F20D599EC0457351CB315E51DB90

Function 06A9E910 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222199984.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a90000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58ba48d5e01f26c4fe395ad0fb071decd33652e7a7c8907fa341568942c317ae
Instruction ID: 692e253bb6bf9d2ee50bafaa0d8b589d5fa0340a9714b811575e9c50dcf7e825
Opcode Fuzzy Hash: 58ba48d5e01f26c4fe395ad0fb071decd33652e7a7c8907fa341568942c317ae
Instruction Fuzzy Hash: B4E04634E04208EFCBC0EFA8D4416ACFBF8BB08200F2084A9980893341EB31AA41CB90

Function 06EA8950 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2223693666.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e90000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4a9559fd4daf1350b7c390b68e0cf168e27935adfce95df83472d14b93eaf10
Instruction ID: e0c81c0c3b8ff6bf5a1341fae2ea56ca85da154ff4ec090a232a4b4f8974ffa1
Opcode Fuzzy Hash: e4a9559fd4daf1350b7c390b68e0cf168e27935adfce95df83472d14b93eaf10
Instruction Fuzzy Hash: 67E01A34D04208EFC744DB98D5416ADBBF4AB48304F14D1E9985867341CA316A01DB81

Function 06A9D808 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222199984.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a90000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b693d04f2b58a28cda482a6d5b74b30cdc74e656f995b1d147caf9858f46d22
Instruction ID: 56a03200360d4e886a4f2312f050581c3bab459df399607aeaa52b9d610a7bf1
Opcode Fuzzy Hash: 2b693d04f2b58a28cda482a6d5b74b30cdc74e656f995b1d147caf9858f46d22
Instruction Fuzzy Hash: D2E01274D1520CDFCB84FFB8D54569EBFF8AB08311F20A5A9A90893341EF705A94DBA1

Function 06A939F8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222199984.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a90000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43f1966a56d093d2eecf91c7ceb8e92c753ede58fe7a5c12b6db58dc7f9cf48a
Instruction ID: 41cd6a8c77ef28f46ecbe3bc98ae7e4ded04431c63cf52d67431a2a70c5da53c
Opcode Fuzzy Hash: 43f1966a56d093d2eecf91c7ceb8e92c753ede58fe7a5c12b6db58dc7f9cf48a
Instruction Fuzzy Hash: 18E0127198114CEFCF40FFF4950469E7BF9DB49310F1459A5950497150EE725A00EBA1

Function 06EADF68 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2223693666.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e90000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f4d378123f5bb99197fe9910c00b8b071cb6dbd70433c9b47fd7af99bf41c63
Instruction ID: c40f7ab37c6e3f2ecbb31e5d1bfddd31b3351f77d3c74c12260c9cdad9f3277d
Opcode Fuzzy Hash: 6f4d378123f5bb99197fe9910c00b8b071cb6dbd70433c9b47fd7af99bf41c63
Instruction Fuzzy Hash: 11E0EC38909208EBC744DF94E9415AEBBB9AB45315F24A59DE80817341CB316E52DB91

Function 06EAB910 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2223693666.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e90000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29f8f8ba14c58e04f788cb1fdc54633dca4e694bb74527d44d0964b99e99ac3a
Instruction ID: bc1b6c2fc3e90dec84e1917555eee228ad7116e2902362b0ab8bdb2b4754bdde
Opcode Fuzzy Hash: 29f8f8ba14c58e04f788cb1fdc54633dca4e694bb74527d44d0964b99e99ac3a
Instruction Fuzzy Hash: CFE0C27094120CEFCB40EFF4950079E7BFCDB04300F0058A59904A3110EE325A00E791

Function 06A8E078 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b698bc0bd6af56c2b7eec52214fbc2b00e6d4c6782479f3aa6a086a964d03571
Instruction ID: 5cd07af2ee8ff742864b0fc1bb373783c655f432073607df31c209ec77cb7006
Opcode Fuzzy Hash: b698bc0bd6af56c2b7eec52214fbc2b00e6d4c6782479f3aa6a086a964d03571
Instruction Fuzzy Hash: BCD05E30009398AFEB22CB35D805CC2BF68EF0621431904DEF0818B623D321D854C7A2

Function 06A9872E Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222199984.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a90000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8761a0248e9bb314b5678d1168f223f8f9a1110fe3adf7496748819372763236
Instruction ID: 71afcc7abc1f8f6fe1d69ed6d75bc824090b05edfab14f95727522333b1d5805
Opcode Fuzzy Hash: 8761a0248e9bb314b5678d1168f223f8f9a1110fe3adf7496748819372763236
Instruction Fuzzy Hash: A8E01270A15225CFEBA19B24C848B99B7B0EF42315F2804E2C18AA6251C3348E80CF3A

Function 06A980D0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222199984.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a90000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93cce79f941ae7e92146ee6257b41be357b00c08a9e183ccda8074c203c735bb
Instruction ID: 82c19adf2f46b80665d193ca796f9a16696cdbb1e7320dbae503739ec4199398
Opcode Fuzzy Hash: 93cce79f941ae7e92146ee6257b41be357b00c08a9e183ccda8074c203c735bb
Instruction Fuzzy Hash: C0D05EB0F103288FDF44EF28D948659BBF5EBC2300F1059F5900A67311DA355D458FA1

Function 06A8C16B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ebc917898972192301d9e495c3d26deb3488bd50832d928601018db1ab57bb2
Instruction ID: 24e3aaadb71fb06289a12821b542807b8e6a2024b58a2766023afa38b026a2ab
Opcode Fuzzy Hash: 1ebc917898972192301d9e495c3d26deb3488bd50832d928601018db1ab57bb2
Instruction Fuzzy Hash: F6C08C39000208EFC300CB25EC09CC6BFACEF092243048198F5894B332C732E860CBE1

Function 06A99AB7 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222199984.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a90000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84f21b2854d7706142323471e8a4e011662f94dd56e64b655fd4c3404888a618
Instruction ID: 498b0833c0d552af5b7a86281918c2d98f0b1de5648e3f52071905f1b6e62ae8
Opcode Fuzzy Hash: 84f21b2854d7706142323471e8a4e011662f94dd56e64b655fd4c3404888a618
Instruction Fuzzy Hash: 13D09230A402588FDB94DF24EC44B99BBB0EB41205F20D9E5940E63260CA746E888F61

Function 06A96A97 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222199984.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a90000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e76237070646bc73e0466b967b20b9039f2dfbe417efb646233f572687176b0e
Instruction ID: b6f1082c3e2c803ab5cfd2990bb921465bbe4bbc28de0fe88c40b4c1b0891e22
Opcode Fuzzy Hash: e76237070646bc73e0466b967b20b9039f2dfbe417efb646233f572687176b0e
Instruction Fuzzy Hash: EFD04874A11328CFEB90EF1AE888B99BBB1FB89210F108194E809A3244D7342D84CF00

Function 06A97318 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222199984.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a90000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89b15831a37c085a674441d57a1e47f5e857dc599f2e6c91f2fc9cfe3c07cc06
Instruction ID: 9fac1b3ea14084d94f028c2a7bf02bb2871d51829a4259c44c3abdde3a6a0b3e
Opcode Fuzzy Hash: 89b15831a37c085a674441d57a1e47f5e857dc599f2e6c91f2fc9cfe3c07cc06
Instruction Fuzzy Hash: 66C00276E5001A9A8B00DAD9E4508DCB774EB94321B004026D214A6104D63115268B50

Function 06A8C170 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction ID: a5ced1602b898661de329531365079a034e3d75a808f59c5ffcbefa728424f66
Opcode Fuzzy Hash: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction Fuzzy Hash: 58C0927A140208EFC700DF69E848C85BBB8EF1977171180A1FA088B332C732EC60DA94

Function 06A89C9F Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f23e976ae5e7b012dd3b601e95069de51814825f6dd13a21e02839b841e23b7c
Instruction ID: e19360cf4c733fc6c9c5def2274ff063c8ea8dfa4a7ce6282351fbb0359db8cb
Opcode Fuzzy Hash: f23e976ae5e7b012dd3b601e95069de51814825f6dd13a21e02839b841e23b7c
Instruction Fuzzy Hash:

Non-executed Functions

Function 06A88820 Relevance: 7.9, Strings: 6, Instructions: 411COMMON

Download Yara Rule

Strings

4'^q, xrefs: 06A888F2
pbq, xrefs: 06A88977
4'^q, xrefs: 06A8896A
4'^q, xrefs: 06A888A4
(bq, xrefs: 06A889EA
4'^q, xrefs: 06A888D4

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID: (bq$4'^q$4'^q$4'^q$4'^q$pbq
API String ID: 0-723292480
Opcode ID: a98955a7cc8d3651ee5ff8360e8f96c44af9a44eb505fd527735e3bfbe54ee00
Instruction ID: 221a666373f9d2b4ed7ab8b214ceb5601e37a30e352d54d62286cd1df8949c60
Opcode Fuzzy Hash: a98955a7cc8d3651ee5ff8360e8f96c44af9a44eb505fd527735e3bfbe54ee00
Instruction Fuzzy Hash: 6DD18F72A00114DFDB45DFA8C944D9ABBB2FF88310F058498E509AB276CB36ED56DF90

Function 06A8F263 Relevance: 5.2, Strings: 4, Instructions: 205COMMON

Download Yara Rule

Strings

(_^q, xrefs: 06A8F91D
(_^q, xrefs: 06A8F999
(_^q, xrefs: 06A8F913
(_^q, xrefs: 06A8F963

Memory Dump Source

Source File: 00000008.00000002.2222056213.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_defenderupdate.jbxd

Similarity

API ID:
String ID: (_^q$(_^q$(_^q$(_^q
API String ID: 0-2697572114
Opcode ID: b93d262f1fea8efdbd15102cf99cd27905fb8b11c6e139fd371d2bf32e4d6d69
Instruction ID: 7636fd8fd19da71ac1906c1eeba63e2a547ed5dc6267af11fae9f302f814ce43
Opcode Fuzzy Hash: b93d262f1fea8efdbd15102cf99cd27905fb8b11c6e139fd371d2bf32e4d6d69
Instruction Fuzzy Hash: 9C71F174B002058FCB48BF78C4545AABBB2FF8A344B1445AAD842AF362DB31DC46CB91

Analysis Process: defenderupdate.exePID: 8040, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	0.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.5%
Total number of Nodes:	418
Total number of Limit Nodes:	20

Executed Functions

Function 0041BCE3 Relevance: 115.6, APIs: 40, Strings: 26, Instructions: 140
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
GetProcAddress.KERNEL32(00000000), ref: 0041BD01
GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
GetProcAddress.KERNEL32(00000000), ref: 0041BD30
LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
GetProcAddress.KERNEL32(00000000), ref: 0041BD44
LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
GetProcAddress.KERNEL32(00000000), ref: 0041BD58
LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
GetProcAddress.KERNEL32(00000000), ref: 0041BD68
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
GetProcAddress.KERNEL32(00000000), ref: 0041BD78
GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
GetProcAddress.KERNEL32(00000000), ref: 0041BD88
LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
GetProcAddress.KERNEL32(00000000), ref: 0041BE09
LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE16
GetProcAddress.KERNEL32(00000000), ref: 0041BE19
GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE2B
GetProcAddress.KERNEL32(00000000), ref: 0041BE2E
GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE3B
GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE50
GetProcAddress.KERNEL32(00000000), ref: 0041BE53
LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE60
GetProcAddress.KERNEL32(00000000), ref: 0041BE63

Strings

Psapi, xrefs: 0041BCF3
SetProcessDpiAwareness, xrefs: 0041BD22, 0041BD27, 0041BD3B
shcore, xrefs: 0041BD28
EnumDisplayDevicesW, xrefs: 0041BDAE
IsWow64Process, xrefs: 0041BD6A
GlobalMemoryStatusEx, xrefs: 0041BD5A
IsUserAnAdmin, xrefs: 0041BD8A
NtSuspendProcess, xrefs: 0041BE1B
GetComputerNameExW, xrefs: 0041BD7A
SetProcessDEPPolicy, xrefs: 0041BD9E
Kernel32, xrefs: 0041BD13
GetSystemTimes, xrefs: 0041BDEA
ntdll, xrefs: 0041BD50, 0041BE20, 0041BE2A, 0041BE3A
GetMonitorInfoW, xrefs: 0041BDD6
Shlwapi, xrefs: 0041BDFC
Shell32, xrefs: 0041BD8F
GetConsoleWindow, xrefs: 0041BE0B
user32, xrefs: 0041BD3C, 0041BDB3, 0041BDC7, 0041BDDB
GetExtendedTcpTable, xrefs: 0041BE40
NtUnmapViewOfSection, xrefs: 0041BD4B
GetExtendedUdpTable, xrefs: 0041BE55
NtResumeProcess, xrefs: 0041BE30
GetProcessImageFileNameW, xrefs: 0041BCED, 0041BCF2, 0041BD12
Iphlpapi, xrefs: 0041BE45, 0041BE4F, 0041BE5A
kernel32, xrefs: 0041BD5F, 0041BD64, 0041BD6F, 0041BD7F, 0041BDA3, 0041BDEF, 0041BE10
EnumDisplayMonitors, xrefs: 0041BDC2

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
API String ID: 384173800-625181639
Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
Instruction ID: 894fbade80705e672e772900be83df88f70523cf1842e1027a1ce5ee2e2841b6
Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
Instruction Fuzzy Hash: 2831EDA0E4031C7ADA107FB69C49E5B7E9CD944B953110827B508D3162FBBDA9809EEE

Function 00442554 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,0044252A,?), ref: 00442575
TerminateProcess.KERNEL32(00000000,?,0044252A,?), ref: 0044257C
ExitProcess.KERNEL32 ref: 0044258E

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
Instruction ID: 6e58600c80f72e94ca833af3256d2da28fe7ef7edb4b61bff2e48710a34f1207
Opcode Fuzzy Hash: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
Instruction Fuzzy Hash: 65E08C31004648BFDF016F14EE18A893F29EF10346F408475F80A8A632CFB9DE92CB88

Function 004047EB Relevance: 18.1, APIs: 12, Instructions: 66
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00475B70,?,?,00000000,00475B70,004017F3), ref: 004047FD
SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404808
CloseHandle.KERNELBASE(?,?,?,00000000,00475B70,004017F3), ref: 00404811
closesocket.WS2_32(?), ref: 0040481F
WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B70,004017F3), ref: 00404856
SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404867
WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B70,004017F3), ref: 0040486E
SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404880
CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404885
CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 0040488A
SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404895
CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 0040489A

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$ObjectSingleWait$closesocket
String ID:
API String ID: 3658366068-0
Opcode ID: 064d6b1f915996a70041b40538a6eeea030a706771223880b65586d948e925f6
Instruction ID: 5504d0c870acfe65fd0076db90b097e51f0e6d2514c589c74abed5ba37c9c78a
Opcode Fuzzy Hash: 064d6b1f915996a70041b40538a6eeea030a706771223880b65586d948e925f6
Instruction Fuzzy Hash: 3C212C71104B149FCB216B26EC45A27BBE1EF40325F104A7EF2E612AF1CB76E851DB48

Function 00447210 Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue), ref: 00447242
GetLastError.KERNEL32(?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446F91), ref: 0044724E
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044725C

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
Instruction ID: 998cab178f840ac2caaf283a3a5c141d85ba25b8fcaedc139a46ff50caeaa73b
Opcode Fuzzy Hash: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
Instruction Fuzzy Hash: FC01D83261D7236BD7214B79AC44A577798BB05BA1B1106B2F906E3241D768D802C6D8

Function 0040BED7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
GetLastError.KERNEL32 ref: 0040BEF1

Strings

(CG, xrefs: 0040BED7

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: CreateErrorLastMutex
String ID: (CG
API String ID: 1925916568-4210230975
Opcode ID: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
Instruction ID: f970ec9d0541ab61c93bafde2a4f59c5c821b48a7874ab2150ad5935bc14b509
Opcode Fuzzy Hash: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
Instruction Fuzzy Hash: 75D012707083009BD7181774BC8A77D3555E784703F00417AB90FD55E1CB6888409919

Function 00447174 Relevance: 3.1, APIs: 2, Instructions: 65
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 004471D4
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 004471E1

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: d60c3e2bfe9cc093b3110c1e14b53e816b2a5bac2969881e56f7ec686a65f544
Instruction ID: 6f7a2b722a2a1d8c8194c8cb68bd8fc2eac5a8381c6f9e3e6965fab01942ac9c
Opcode Fuzzy Hash: d60c3e2bfe9cc093b3110c1e14b53e816b2a5bac2969881e56f7ec686a65f544
Instruction Fuzzy Hash: 8A110233A041629BFB329F68EC4099B7395AB803747164672FD19AB344DB34EC4386E9

Function 0043360D Relevance: 3.0, APIs: 2, Instructions: 38
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00433DE7

Part of subcall function 00437BD7: RaiseException.KERNEL32(?,?,1DC,?,00475B70,00473D54,00000000,?,?,?,?,00434431,?,0046D680,?), ref: 00437C37

__CxxThrowException@8.LIBVCRUNTIME ref: 00433E04

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID:
API String ID: 3476068407-0
Opcode ID: 0c813f605dd2a6606fe246f0cee3a0605bca7c2744777b4a7d98c309a0a34cf7
Instruction ID: 1b32a2814776e74a5aaecdac66354fa275a8f3c838098619b8de34dc4906cb01
Opcode Fuzzy Hash: 0c813f605dd2a6606fe246f0cee3a0605bca7c2744777b4a7d98c309a0a34cf7
Instruction Fuzzy Hash: 33F02B30C0020D77CB14BEA5E80699D772C4D08319F20923BB920915E1EF7CEB05858D

Function 00446AFF Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: dc6ea950822f8571e228d4b4fa6025b1dc9324ca9cf531c4426aa18bd07b2452
Instruction ID: 23017b4f7b15ec8d1e6c8205d578d5100ba2a3a3bb6c043e3f5ab96588fe2cc9
Opcode Fuzzy Hash: dc6ea950822f8571e228d4b4fa6025b1dc9324ca9cf531c4426aa18bd07b2452
Instruction Fuzzy Hash: 16E0E5312002B556FB202A6A9C05F5B7A88DB437A4F160133AC09D62D0CF5CEC4181AF

Non-executed Functions

Function 00405042 Relevance: 38.8, APIs: 15, Strings: 7, Instructions: 280pipesleepfileCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0040508E

Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475BF0,?,004017C1,00475BF0,00000000), ref: 004334D9
Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,004017C1,00475BF0,00000000), ref: 0043350C

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

__Init_thread_footer.LIBCMT ref: 004050CB
CreatePipe.KERNEL32(00475CEC,00475CD4,00475BF8,00000000,0046556C,00000000), ref: 0040515E
CreatePipe.KERNEL32(00475CD8,00475CF4,00475BF8,00000000), ref: 00405174
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C08,00475CDC), ref: 004051E7

Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,00475B70,00475BF0,?,0040179E,00475BF0), ref: 00433524
Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040179E,00475BF0), ref: 00433561

Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291

Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB

WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
TerminateProcess.KERNEL32(00000000), ref: 004053C1
CloseHandle.KERNEL32 ref: 004053CD
CloseHandle.KERNEL32 ref: 004053D5
CloseHandle.KERNEL32 ref: 004053E7
CloseHandle.KERNEL32 ref: 004053EF

Strings

P\G, xrefs: 00405202
P\G, xrefs: 00405332
P\G, xrefs: 004052FE
P\G, xrefs: 004053D7
SystemDrive, xrefs: 00405109
P\G, xrefs: 00405078
cmd.exe, xrefs: 004050F5

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
String ID: P\G$P\G$P\G$P\G$P\G$SystemDrive$cmd.exe
API String ID: 3815868655-81343324
Opcode ID: bfcb8ec680749e1ff3d96b83f6722c7489f5814a8e376730b38478a1694e7e9c
Instruction ID: b18bac6d60c4c725a58799f80733fb47b3e4e6a61b1262bf76379e9ec18ff918
Opcode Fuzzy Hash: bfcb8ec680749e1ff3d96b83f6722c7489f5814a8e376730b38478a1694e7e9c
Instruction Fuzzy Hash: A691E5716007056FD705BB65AC41A6F37A8EB80348F50403FF94ABA1E2EEBC9C448B6D

Function 0040B335 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 145fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
FindClose.KERNEL32(00000000), ref: 0040B3CE
FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
FindClose.KERNEL32(00000000), ref: 0040B517

Strings

UserProfile, xrefs: 0040B365
[Firefox StoredLogins Cleared!], xrefs: 0040B504
[Firefox StoredLogins not found], xrefs: 0040B3D9
\key3.db, xrefs: 0040B47B
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040B357
\logins.json, xrefs: 0040B439

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
API String ID: 1164774033-3681987949
Opcode ID: 012abd7bd482f24294ec220c5f3416e7c12077f4aefc2c6d47742caa5bc96ad8
Instruction ID: 89bba1744b34cafda07904381260291e44814ca984bf7dbd554ee600cd7873bd
Opcode Fuzzy Hash: 012abd7bd482f24294ec220c5f3416e7c12077f4aefc2c6d47742caa5bc96ad8
Instruction Fuzzy Hash: 4D512C319042195ADB14FBA1EC96AEE7768EF50318F50007FF805B31E2EF389A45CA9D

Function 0040B53A Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 130fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
FindClose.KERNEL32(00000000), ref: 0040B5CC
FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
FindClose.KERNEL32(00000000), ref: 0040B6B2
FindClose.KERNEL32(00000000), ref: 0040B6D1

Strings

UserProfile, xrefs: 0040B563
[Firefox cookies found, cleared!], xrefs: 0040B6E0
\cookies.sqlite, xrefs: 0040B62F
[Firefox Cookies not found], xrefs: 0040B5D7, 0040B69F
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040B555

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: Find$Close$File$FirstNext
String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 3527384056-432212279
Opcode ID: eec28e5122cf95747afd0231d26089d1190572cbd646818cfb2ab67d48c7021b
Instruction ID: 41d59f58487c11b5b23c2ebc8e3123b77d6604a8f5f59a85184e8f88ff1ca84c
Opcode Fuzzy Hash: eec28e5122cf95747afd0231d26089d1190572cbd646818cfb2ab67d48c7021b
Instruction Fuzzy Hash: 65413A319042196ACB14F7A1EC569EE7768EE21318F50017FF801B31E2EF399A458A9E

Function 0040E219 Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 212processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C

Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
Part of subcall function 004127D5: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809

CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371

Strings

Inj, xrefs: 0040E515
C:\Program Files(x86)\Internet Explorer\, xrefs: 0040E3BF
ieinstal.exe, xrefs: 0040E3D6
BG, xrefs: 0040E380
ielowutil.exe, xrefs: 0040E417

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$BG
API String ID: 726551946-3025026198
Opcode ID: 2298112d5e9beca4c64cadb89c7e546d0899f31810f4b1b50fdabc55d78eae7e
Instruction ID: ae31f71cb8b9f969ca9e83e5ca698076ed3bac053ed440982de07d1dc4d90588
Opcode Fuzzy Hash: 2298112d5e9beca4c64cadb89c7e546d0899f31810f4b1b50fdabc55d78eae7e
Instruction Fuzzy Hash: ED7172311083019BC714FB61D8519EF77A5BF91358F400D3EF986631E2EF38A959CA9A

Function 004159C6 Relevance: 18.1, APIs: 12, Instructions: 80clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004159C7
EmptyClipboard.USER32 ref: 004159D5
GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
GlobalLock.KERNEL32(00000000), ref: 004159FE
GlobalUnlock.KERNEL32(00000000), ref: 00415A34
SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
CloseClipboard.USER32 ref: 00415A5A
OpenClipboard.USER32 ref: 00415A61
GetClipboardData.USER32(0000000D), ref: 00415A71
GlobalLock.KERNEL32(00000000), ref: 00415A7A
GlobalUnlock.KERNEL32(00000000), ref: 00415A83
CloseClipboard.USER32 ref: 00415A89

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
String ID:
API String ID: 3520204547-0
Opcode ID: 5bf6c0a188ebc9cd77caef7c6d8a55023eea9b799c8747cd0bf31199529283f8
Instruction ID: b8e523df9fc7c7245f85f50a48877f09888e29e8b5459684195c928b546a98bf
Opcode Fuzzy Hash: 5bf6c0a188ebc9cd77caef7c6d8a55023eea9b799c8747cd0bf31199529283f8
Instruction Fuzzy Hash: E02183712043009BC714BBB1EC5AAAE76A9AF80752F00453EFD06961E2EF38C845D66A

Function 00418754 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 197COMMON

Download Yara Rule

Strings

7, xrefs: 0041894C
0, xrefs: 0041877D
2, xrefs: 00418816
1, xrefs: 004187B6
6, xrefs: 00418935
4, xrefs: 004188DA
3, xrefs: 00418876
5, xrefs: 0041892B

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID:
String ID: 0$1$2$3$4$5$6$7
API String ID: 0-3177665633
Opcode ID: cde1b3d257b3b84ac0aca3a867a652d949c29c2e455d7912b36e5a4a136b74f3
Instruction ID: 2879f211a781d1662389055333b9a248a4bc7621c6500268a6892da51c348380
Opcode Fuzzy Hash: cde1b3d257b3b84ac0aca3a867a652d949c29c2e455d7912b36e5a4a136b74f3
Instruction Fuzzy Hash: CC61A370508301AEDB00EF21D862FEA77E4AF85754F40485EFA91672E1DF789A48C797

Function 00409B10 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 108keyboardthreadCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00409B3F
GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
GetKeyboardLayout.USER32(00000000), ref: 00409B52
GetKeyState.USER32(00000010), ref: 00409B5C
GetKeyboardState.USER32(?), ref: 00409B67
ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409C1C

Strings

8[G, xrefs: 00409BFD

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
String ID: 8[G
API String ID: 1888522110-1691237782
Opcode ID: 0057a6b8e9be89c2a124ace2c7aa15ce6e2280d77a8450e2501583d43799386c
Instruction ID: f24a8317de74a0bbad47f265c67a45df51816e9018bfad09e00086f3728f1c27
Opcode Fuzzy Hash: 0057a6b8e9be89c2a124ace2c7aa15ce6e2280d77a8450e2501583d43799386c
Instruction Fuzzy Hash: EE318172508309AFD700DF90DC85FDBB7ECEB48715F00083ABA45961A1D6B5E948DB96

Function 00406764 Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 55COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00406788
CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9

Strings

[+] CoGetObject SUCCESS, xrefs: 004067F8
$, xrefs: 004067A2
[+] CoGetObject, xrefs: 004067C8
[+] ucmAllocateElevatedObject, xrefs: 0040676F
Elevation:Administrator!new:, xrefs: 004067A9
{3E5FC7F9-9A51-4367-9063-A120244FBEC7}, xrefs: 0040677D, 00406782, 004067C1
[-] CoGetObject FAILURE, xrefs: 004067F1, 00406800

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: Object_wcslen
String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
API String ID: 240030777-3166923314
Opcode ID: db32128b02a1ccbc70c4588b7822f6c775a314ba91b6364ff21a4127614396bf
Instruction ID: dba8c49f7cecafb8ed31af17d29d910bb03d3c12ecd117c8e18c4d6c9c114880
Opcode Fuzzy Hash: db32128b02a1ccbc70c4588b7822f6c775a314ba91b6364ff21a4127614396bf
Instruction Fuzzy Hash: 811170B2901118AEDB10FAA5884AA9EB7BCDB48714F55007FE905F3281E7789A148A7D

Function 004198C2 Relevance: 15.2, APIs: 10, Instructions: 228serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004748F8), ref: 004198D8
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419927
GetLastError.KERNEL32 ref: 00419935
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041996D

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: EnumServicesStatus$ErrorLastManagerOpen
String ID:
API String ID: 3587775597-0
Opcode ID: 46cfc2a1174990e4b59b9ee5729c715e61cf9958b22909a5f2789daa8df81af0
Instruction ID: 5304d2aa3016a1bb8b693e548c532b43deb082133906afc562c92feca393f19d
Opcode Fuzzy Hash: 46cfc2a1174990e4b59b9ee5729c715e61cf9958b22909a5f2789daa8df81af0
Instruction Fuzzy Hash: 37812F711083049BC614FB21DC959AFB7A8BF94718F50493EF582521E2EF78AA05CB9A

Function 0041B42F Relevance: 13.6, APIs: 9, Instructions: 105fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B489
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B4BB
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B529
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B536

Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B50C

FindClose.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B561
RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B568
GetLastError.KERNEL32(?,?,?,?,?,?,00473EE8,00000000), ref: 0041B570
FindClose.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B583

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
String ID:
API String ID: 2341273852-0
Opcode ID: 38605e05b284b3287545d71b9912fe11a1e5e192bb535f2a18b99cb8ec032d5d
Instruction ID: e81c2b0307560c21eb772b723951cbad4d8c7a866ea933437d0d5d39764c0eb1
Opcode Fuzzy Hash: 38605e05b284b3287545d71b9912fe11a1e5e192bb535f2a18b99cb8ec032d5d
Instruction Fuzzy Hash: 0031627184921CAACB20D7B1AC89ADA77BCAF04309F4405EBF505D3181EB799AC5CE69

Function 004099E4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
GetLastError.KERNEL32 ref: 00409A1B

Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
TranslateMessage.USER32(?), ref: 00409A7A
DispatchMessageA.USER32(?), ref: 00409A85

Strings

Keylogger initialization failure: error , xrefs: 00409A32

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
String ID: Keylogger initialization failure: error
API String ID: 3219506041-952744263
Opcode ID: 10065da0f80e2b1588f186909b8751ab17816e81d90ef01b858d99eb9022e310
Instruction ID: 76b292cdb4e6355f9a4176d1f10d626d2d11be3de55f9aee7ae49bf60faff0c2
Opcode Fuzzy Hash: 10065da0f80e2b1588f186909b8751ab17816e81d90ef01b858d99eb9022e310
Instruction Fuzzy Hash: 201194716043015BC710AB7AAC4996B77ECAB94B15B10057FFC45D2291FB34DE01CBAB

Function 0040E54F Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 88sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004124B7: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000), ref: 004124D7
Part of subcall function 004124B7: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004124F5
Part of subcall function 004124B7: RegCloseKey.ADVAPI32(00000000), ref: 00412500

Sleep.KERNEL32(00000BB8), ref: 0040E603
ExitProcess.KERNEL32 ref: 0040E672

Strings

pth_unenc, xrefs: 0040E565, 0040E5AC, 0040E619
5.3.0 Pro, xrefs: 0040E5DE, 0040E64B
BG, xrefs: 0040E560
override, xrefs: 0040E574

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: CloseExitOpenProcessQuerySleepValue
String ID: 5.3.0 Pro$override$pth_unenc$BG
API String ID: 2281282204-3981147832
Opcode ID: a8e2c88ceb4e55fd25039a1be51ceaadab504b075b3d7079739a6e0ae32f2795
Instruction ID: 346becae97c590b24629de205d3f766cc2ad037e5fc603921d36f10068cff0f4
Opcode Fuzzy Hash: a8e2c88ceb4e55fd25039a1be51ceaadab504b075b3d7079739a6e0ae32f2795
Instruction Fuzzy Hash: 6B21A131B0030027C608767A891BA6F359A9B91719F90443EF805A76D7EE7D8A6083DF

Function 0040B21B Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 48fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
GetLastError.KERNEL32 ref: 0040B261

Strings

[Chrome StoredLogins found, cleared!], xrefs: 0040B287
UserProfile, xrefs: 0040B227
[Chrome StoredLogins not found], xrefs: 0040B27B
\AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
API String ID: 2018770650-1062637481
Opcode ID: b5e309dbdaf0aeabe7af2cd1639cb477138ee585283f82b93ad88acdd4edf375
Instruction ID: 236ee74dc97b4bdf00ef4875347123a6b81b21ae8e03a402b83ae8c28ff1bd46
Opcode Fuzzy Hash: b5e309dbdaf0aeabe7af2cd1639cb477138ee585283f82b93ad88acdd4edf375
Instruction Fuzzy Hash: 3001A23168410597CA0477B5ED6F8AE3624E921704F50017FF802731E2FF3A9A0586DE

Function 00416AB7 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
GetLastError.KERNEL32 ref: 00416B02

Strings

SeShutdownPrivilege, xrefs: 00416AD7

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3534403312-3733053543
Opcode ID: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
Instruction ID: c28276ca820f5d67da4083ad645d4fedab17ddc29f560671af9b7c8b6b4fa774
Opcode Fuzzy Hash: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
Instruction Fuzzy Hash: 25F0D4B5805229BBDB10ABA1EC4DEEF7EBCEF05656F100061B805E2192D6748A44CAB5

Function 004089A9 Relevance: 9.3, APIs: 6, Instructions: 288fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004089AE

Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212

Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5

FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7

Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000), ref: 0040450E
Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C

Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,00475B70,?,?,00000000,00475B70,004017F3), ref: 004047FD
Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404808
Part of subcall function 004047EB: CloseHandle.KERNELBASE(?,?,?,00000000,00475B70,004017F3), ref: 00404811

__CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
String ID:
API String ID: 4043647387-0
Opcode ID: 09a69e0303e81d48d1e7444200da9c76687e86ed7c9a89389c8c98f32268c2c3
Instruction ID: d7705bc86650fd6632c5f082d335fbcd32bd3fe840799e2454ee74f5ab9ae988
Opcode Fuzzy Hash: 09a69e0303e81d48d1e7444200da9c76687e86ed7c9a89389c8c98f32268c2c3
Instruction Fuzzy Hash: 11A15C729001089ACB14EBA1DD92AEDB778AF54318F10427FF546B71D2EF385E498B98

Function 00419BC4 Relevance: 9.0, APIs: 6, Instructions: 39serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041981A,00000000,00000000), ref: 00419BCD
OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041981A,00000000,00000000), ref: 00419BE2
CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419BEF
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041981A,00000000,00000000), ref: 00419BFA
CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0C
CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0F

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ManagerStart
String ID:
API String ID: 276877138-0
Opcode ID: 413273253f7cbae0f6bd9debfc52a3b8d95171ad4a984208ec06c12d82ce07c5
Instruction ID: 9ab78235182221d9a13884b701025ebbd4d22640777282bd149d85cf0e5c5631
Opcode Fuzzy Hash: 413273253f7cbae0f6bd9debfc52a3b8d95171ad4a984208ec06c12d82ce07c5
Instruction Fuzzy Hash: 46F0E971404314AFD2115B31FC88DBF2AACEF85BA2B00043AF54193191CF68CD4595B9

Function 004158B9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 97libraryloadershutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02

ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
GetProcAddress.KERNEL32(00000000), ref: 00415977

Strings

SetSuspendState, xrefs: 00415966
PowrProf.dll, xrefs: 0041596B

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
String ID: PowrProf.dll$SetSuspendState
API String ID: 1589313981-1420736420
Opcode ID: dbe2315887bba6ce4f894fc1155da3ca588fd34dbc6ce905beef225a72b0054e
Instruction ID: 94bd0be5b4d635cf3270abd21b93e0cba208aed3fdadf5553bbce7524c8ebf13
Opcode Fuzzy Hash: dbe2315887bba6ce4f894fc1155da3ca588fd34dbc6ce905beef225a72b0054e
Instruction Fuzzy Hash: 7D2150B0604741E6CA14F7B19856AEF225A9F80748F40883FB402A72D2EF7CDC89865E

Function 004511E3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 0045127C
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 004512A5
GetACP.KERNEL32 ref: 004512BA

Strings

ACP, xrefs: 00451201
OCP, xrefs: 00451237

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
Instruction ID: bcb6c1b5649eca6e102b6d6ca9fa22aa61ab34f591545d84575f60c76f210f03
Opcode Fuzzy Hash: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
Instruction Fuzzy Hash: 50212722600100A6D7348F54D900BAB73A6AB40B66F1645E6FD09E7322F736DD49C799

Function 0041A63F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A650
LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A664
LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A66B
SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67A

Strings

SETTINGS, xrefs: 0041A643

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: SETTINGS
API String ID: 3473537107-594951305
Opcode ID: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
Instruction ID: 83a829ee02157d331b98a48cb758db5ec39b6d120b3a3db205f860a33549a403
Opcode Fuzzy Hash: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
Instruction Fuzzy Hash: 3EE01A3A200710ABCB211BA5BC8CD477E39E7867633140036F90582331DA358850CA59

Function 004513B7 Relevance: 7.7, APIs: 5, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D

Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B

GetUserDefaultLCID.KERNEL32 ref: 004514C3
IsValidCodePage.KERNEL32(00000000), ref: 0045151E
IsValidLocale.KERNEL32(?,00000001), ref: 0045152D
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00451575
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00451594

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID:
API String ID: 745075371-0
Opcode ID: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
Instruction ID: fdda48fcf8ef828b158f806230e01f9d82b9b72a6df542884d0e4dc3e0683d2c
Opcode Fuzzy Hash: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
Instruction Fuzzy Hash: 5A51D571900205ABEF10EFA5CC40BBF73B8AF05702F14056BFD11EB262E7789A488769

Function 00407A8C Relevance: 7.7, APIs: 5, Instructions: 183fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00407A91
FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstH_prologNext
String ID:
API String ID: 1157919129-0
Opcode ID: be329e02f9a977489ec03ab4a587285a9e8b683dbacd723bef2334c22b0cd63e
Instruction ID: c296e4c637b16ec180f1d25cf2666c4e6f2336455dd814d501b84ef2841b6e91
Opcode Fuzzy Hash: be329e02f9a977489ec03ab4a587285a9e8b683dbacd723bef2334c22b0cd63e
Instruction Fuzzy Hash: 485173329041085ACB14FB65DD969DD7778AF50318F50417EB806B31E2EF38AB498B99

Function 00406128 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 222filenetworkCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318

Strings

C:\Users\user\AppData\Roaming\defenderupdate.exe, xrefs: 0040627F, 004063A7
open, xrefs: 0040622E

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: DownloadExecuteFileShell
String ID: C:\Users\user\AppData\Roaming\defenderupdate.exe$open
API String ID: 2825088817-4223157313
Opcode ID: 6e9ed81df7592736f00ea2213c3013647c852b2a2a077cd37a63e9025159bc8b
Instruction ID: f68f5450864a8ef507c8d3860f756bd811b48be2db930e76b40a644c5c1bb7bc
Opcode Fuzzy Hash: 6e9ed81df7592736f00ea2213c3013647c852b2a2a077cd37a63e9025159bc8b
Instruction Fuzzy Hash: 0761A33160434067CA14FA76C8569BE77A69F81718F00493FBC46772D6EF3C9A05C69B

Function 00406AC2 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Strings

x@G, xrefs: 00406BC0
x@G, xrefs: 00406AFD

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNextsend
String ID: x@G$x@G
API String ID: 4113138495-3390264752
Opcode ID: be8fdfc8a6072efbca1459ab7643d284853c2ddcf9d8b62b0637e10f69e8db4b
Instruction ID: 9df0c8526107c53e8273efc1e688d8f669138e67c86485f4ac558c26d22f9560
Opcode Fuzzy Hash: be8fdfc8a6072efbca1459ab7643d284853c2ddcf9d8b62b0637e10f69e8db4b
Instruction Fuzzy Hash: B42147725043015BC714FB61D8959AF77A8AFD1358F40093EF996A31D1EF38AA088A9B

Function 0041BB77 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C

Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004655B0), ref: 004126E1
Part of subcall function 004126D2: RegSetValueExA.ADVAPI32(004655B0,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041BC46,WallpaperStyle,004655B0,00000001,00473EE8,00000000), ref: 00412709
Part of subcall function 004126D2: RegCloseKey.ADVAPI32(004655B0,?,?,0041BC46,WallpaperStyle,004655B0,00000001,00473EE8,00000000,?,004079DD,00000001), ref: 00412714

Strings

Control Panel\Desktop, xrefs: 0041BBB2, 0041BBE5, 0041BC35
WallpaperStyle, xrefs: 0041BBB7, 0041BBEA, 0041BC3A
TileWallpaper, xrefs: 0041BC56

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: CloseCreateInfoParametersSystemValue
String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
API String ID: 4127273184-3576401099
Opcode ID: b2749757bbb715b84591827a24ab2664cb1dcc6a43466099e0f50718dd789739
Instruction ID: a6c166168c7895b99543370299e99232025f4d6daba66cbb636fef562e17b9dc
Opcode Fuzzy Hash: b2749757bbb715b84591827a24ab2664cb1dcc6a43466099e0f50718dd789739
Instruction Fuzzy Hash: 06112432B8060433D514303A4E6FBAE1806D356B60FA4415FF6026A6DAFA9E5AE103DF

Function 0041BB71 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 44COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C

Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004655B0), ref: 004126E1
Part of subcall function 004126D2: RegSetValueExA.ADVAPI32(004655B0,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041BC46,WallpaperStyle,004655B0,00000001,00473EE8,00000000), ref: 00412709
Part of subcall function 004126D2: RegCloseKey.ADVAPI32(004655B0,?,?,0041BC46,WallpaperStyle,004655B0,00000001,00473EE8,00000000,?,004079DD,00000001), ref: 00412714

Strings

Control Panel\Desktop, xrefs: 0041BBB2
WallpaperStyle, xrefs: 0041BBB7
TileWallpaper, xrefs: 0041BC56

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: CloseCreateInfoParametersSystemValue
String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
API String ID: 4127273184-3576401099
Opcode ID: 71d1e5c445f68871914c285a29d0046b246b6ade461d972b8fac6679235b0182
Instruction ID: f2617a255fd7246e173cf48333a5ec3092ca3a632a8680fa2b2f8bd5747a896b
Opcode Fuzzy Hash: 71d1e5c445f68871914c285a29d0046b246b6ade461d972b8fac6679235b0182
Instruction Fuzzy Hash: 9EF0623278011422D529357A8E2FBEE1801D796B20F65402FF202A57D6FB8E46D142DE

Function 00450A7F Relevance: 6.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D

IsValidCodePage.KERNEL32(00000000), ref: 00450B61
_wcschr.LIBVCRUNTIME ref: 00450BF1
_wcschr.LIBVCRUNTIME ref: 00450BFF
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00450CA2

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID:
API String ID: 4212172061-0
Opcode ID: 30824fb3cb19d2287357d207385eed7a408457ce34d3ac4732c67f259351ba65
Instruction ID: a02e79dc60b90d06ce6287b0e519d5a2a37574338541b46fb9e412c2f7ec0900
Opcode Fuzzy Hash: 30824fb3cb19d2287357d207385eed7a408457ce34d3ac4732c67f259351ba65
Instruction Fuzzy Hash: D7613B79600306AAD729AB75CC82AAB73ACEF05316F14052FFD05D7243E778E909C768

Function 00448057 Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00448067

Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED

GetTimeZoneInformation.KERNEL32 ref: 00448079
WideCharToMultiByte.KERNEL32(00000000,?,0047179C,000000FF,?,0000003F,?,?), ref: 004480F1
WideCharToMultiByte.KERNEL32(00000000,?,004717F0,000000FF,?,0000003F,?,?,?,0047179C,000000FF,?,0000003F,?,?), ref: 0044811E

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 5e34e117c6e33b8c0844c195e2b7af46f687c91a19e7202acb7e93967a2f0af9
Instruction ID: ab6739d36243922ba69d1bbe12a1b6ae93f84769bc63f42ae41568d8b76a7737
Opcode Fuzzy Hash: 5e34e117c6e33b8c0844c195e2b7af46f687c91a19e7202acb7e93967a2f0af9
Instruction Fuzzy Hash: 8731DA70904205DFEB149F68CC8186EBBF8FF05760B2442AFE054AB2A1DB349A42DB18

Function 0043A65D Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0043A755
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0043A75F
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0043A76C

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
Instruction ID: 15fc2c217458336097e8e19d69e2940e7c5a4b77666d4e23b7e272f62fea865b
Opcode Fuzzy Hash: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
Instruction Fuzzy Hash: 2D31D47490121CABCB21DF64D98979DBBB8BF08310F5052EAE81CA7251E7349F81CF49

Function 0043293A Relevance: 4.5, APIs: 3, Instructions: 30encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326C2,00000024,?,?,?), ref: 0043294C
CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBBE,?), ref: 00432962
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBBE,?), ref: 00432974

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
Instruction ID: 80435fde6f6b62f03973a002229794bf261f16e8857de4c024377aa862d1bdf3
Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
Instruction Fuzzy Hash: 11E06D31308211BBEB310E25BC08F573F94AF89B71F71053AB211E40E4C2A188419A1C

Function 00447597 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475EA

Strings

GetLocaleInfoEx, xrefs: 004475A8, 004475B2

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: f5e2153e4984e43413bf11c07bd0b6bdf0abc05710bcbde66c151b87e472c2d2
Instruction ID: 80a81796b135a3e0eaabc3ca7fb48afb6b687e063e78a0117ef0368584b3b56e
Opcode Fuzzy Hash: f5e2153e4984e43413bf11c07bd0b6bdf0abc05710bcbde66c151b87e472c2d2
Instruction Fuzzy Hash: 82F0F031A44308BBDB11AF61EC06F6E7B25EF04712F00416AFC046A2A2CB359E11969E

Function 004510BA Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D

Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045110E

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
Instruction ID: 725ff80feb3504da526bb6f16fdbe645276de1ecdd37ac2f1e7666d8a95350e0
Opcode Fuzzy Hash: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
Instruction Fuzzy Hash: 2D21B332500606ABDB249A25DC46B7B73A8EB09316F1041BBFE01C6252EB79DD48CB99

Function 004512EA Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451088,00000000,00000000,?), ref: 00451316

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: de3708e636430d7d6226d88625fb8e837b1d84cd9ebb77ae463e34ca348812de
Instruction ID: 964a9937ac5a020d26487979adcc3deadbef587b10f76395f6381cc8137ce6dd
Opcode Fuzzy Hash: de3708e636430d7d6226d88625fb8e837b1d84cd9ebb77ae463e34ca348812de
Instruction Fuzzy Hash: 10F07D32500111BBEB286A25CC16BFF7758EB00716F15046BEC06A3651FA38FD49C6D4

Function 0041A7A2 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7D7

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: b83c9b6e74ee29b4b3c5d203829dc1b50a3012795622bded812fc81b4dbbb1d6
Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
Opcode Fuzzy Hash: b83c9b6e74ee29b4b3c5d203829dc1b50a3012795622bded812fc81b4dbbb1d6
Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98

Function 004470AE Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00444ACC: EnterCriticalSection.KERNEL32(?,?,0044225B,00000000,0046DAC0,0000000C,00442216,?,?,?,00448739,?,?,00446F74,00000001,00000364), ref: 00444ADB

EnumSystemLocalesW.KERNEL32(Function_00047068,00000001,0046DC48,0000000C), ref: 004470E6

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
Instruction ID: 877f7ae5c491a2fbf36f534f7b8138893028b6a81f24f5c3744eb9f6a7677366
Opcode Fuzzy Hash: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
Instruction Fuzzy Hash: F6F04932A10200EFEB04EF68E806B4D77B0EB44725F10816AF414DB2E2DB7889818B49

Function 0040E679 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A10,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 5e9075a3806edf431e091a568af27ae769e925cdac090a6302122e919684f26a
Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
Opcode Fuzzy Hash: 5e9075a3806edf431e091a568af27ae769e925cdac090a6302122e919684f26a
Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1

Function 004260F7 Relevance: 1.5, APIs: 1, Instructions: 7networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 00426101

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
Instruction ID: fbcf0fb35859d26dd0bec2a34c6193cd90ff2e5205aa97c5c9b80f8ed11fde70
Opcode Fuzzy Hash: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
Instruction Fuzzy Hash: 35B09279118202FFCA051B60DC0887ABEBAABCC381F108D2DB586501B0CA37C451AB26

Function 0044E92E Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0044E92E

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
Instruction ID: 9504a653bcf427532d5064532c05f1d04939bb5561e35e6535c2a7eba45b7a60
Opcode Fuzzy Hash: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
Instruction Fuzzy Hash: 84A00270506201CB57404F756F0525937D9654559170580755409C5571D62585905615

Function 00417245 Relevance: 47.5, APIs: 22, Strings: 5, Instructions: 290libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
GetProcAddress.KERNEL32(00000000), ref: 0041728F
GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
GetProcAddress.KERNEL32(00000000), ref: 004172A3
GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
GetProcAddress.KERNEL32(00000000), ref: 004172B7
GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
GetProcAddress.KERNEL32(00000000), ref: 004172CB
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417440
TerminateProcess.KERNEL32(?,00000000), ref: 00417454
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
SetThreadContext.KERNEL32(?,00000000), ref: 00417575
ResumeThread.KERNEL32(?), ref: 00417582
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
GetCurrentProcess.KERNEL32(?), ref: 004175A5
TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
GetLastError.KERNEL32 ref: 004175C7

Strings

ZwMapViewOfSection, xrefs: 00417291
ntdll, xrefs: 00417277, 00417296, 004172AA, 004172BE
ZwCreateSection, xrefs: 00417272
ZwClose, xrefs: 004172B9
ZwUnmapViewOfSection, xrefs: 004172A5

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
API String ID: 4188446516-3035715614
Opcode ID: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
Instruction ID: f03761d26bac9a2bfb1ad98f85ac7da09ef0bd98ba300517d6d91d37beebd467
Opcode Fuzzy Hash: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
Instruction Fuzzy Hash: EEA17C71508304AFD7209F65DC45B6B7BF9FF48345F00082AF689C2661E775E984CB6A

Function 004112B5 Relevance: 43.9, APIs: 17, Strings: 8, Instructions: 189synchronizationsleepfileCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 004112D4
ExitProcess.KERNEL32 ref: 0041151D

Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00412679
Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00412692
Part of subcall function 0041265D: RegCloseKey.ADVAPI32(?), ref: 0041269D

Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382

Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
Part of subcall function 004127D5: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809

PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B

Part of subcall function 0041B58F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5EB
Part of subcall function 0041B58F: WriteFile.KERNEL32(00000000,00000000,00000000,004061FD,00000000,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5FF
Part of subcall function 0041B58F: CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B60C

ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1

Part of subcall function 0041B58F: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041B6A5,00000000,00000000,00000000), ref: 0041B5CE

Strings

temp_, xrefs: 0041141D
.exe, xrefs: 0041142F
T@, xrefs: 00411361
0DG, xrefs: 004112C3
@CG, xrefs: 004112E2
open, xrefs: 0041147D
WDH, xrefs: 00411389, 004114F8
exepath, xrefs: 00411308

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
String ID: .exe$0DG$@CG$T@$WDH$exepath$open$temp_
API String ID: 4250697656-2665858469
Opcode ID: eb8ff656f144838187034c17abf61e056b931f5bb5ec87d5f57ca59327fe8020
Instruction ID: b1cd6038c3dd2fca16f1d1fb39a824579eeb1b45f376adef666059b0b2e54ae4
Opcode Fuzzy Hash: eb8ff656f144838187034c17abf61e056b931f5bb5ec87d5f57ca59327fe8020
Instruction Fuzzy Hash: D751B671A043156BDB00A7A0AC49EFE736D9B44715F1041BBF905A72D2EF7C8E828A9D

Function 0041A1BB Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 180synchronizationCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2B2
mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2C6
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2EE
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A2FF
mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A340
mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A358
mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A36D
SetEvent.KERNEL32 ref: 0041A38A
WaitForSingleObject.KERNEL32(000001F4), ref: 0041A39B
CloseHandle.KERNEL32 ref: 0041A3AB
mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3CD
mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3D7

Strings

close audio, xrefs: 0041A3D2
resume audio, xrefs: 0041A353
>G, xrefs: 0041A27F, 0041A1FF
stopped, xrefs: 0041A373
open ", xrefs: 0041A246
status audio mode, xrefs: 0041A368
alias audio, xrefs: 0041A22E
play audio, xrefs: 0041A2C1
pause audio, xrefs: 0041A33B
stop audio, xrefs: 0041A3C8
" type , xrefs: 0041A24B

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
API String ID: 738084811-1408154895
Opcode ID: c362ced5fa98a12e984468584ff4096b6ed47b7628e845a56c9a339ad7c4d382
Instruction ID: 9d48d6c6e0579c1e833a8367b0d02802659df9f73890df0c3e8ff2b6504ede8e
Opcode Fuzzy Hash: c362ced5fa98a12e984468584ff4096b6ed47b7628e845a56c9a339ad7c4d382
Instruction Fuzzy Hash: 9A51C2712443056AD214BB31DC82EBF3B5CEB91758F10043FF455A21E2EE389D9986AF

Function 00401BE8 Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42

Strings

fmt , xrefs: 00401CA8
WAVE, xrefs: 00401C98
RIFF, xrefs: 00401C78
data, xrefs: 00401D2C

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: File$Write$Create
String ID: RIFF$WAVE$data$fmt
API String ID: 1602526932-4212202414
Opcode ID: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
Instruction ID: 129ba3454a43ec42bedb537cb07bfa8f9eb5569c2d2d4c431363fc199bcfbd5c
Opcode Fuzzy Hash: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
Instruction Fuzzy Hash: 66416F726443187AE210DB51DD86FBB7EECEB85F54F40081AFA44D6090E7A4E909DBB3

Function 004064E0 Relevance: 35.1, APIs: 12, Strings: 8, Instructions: 62libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\AppData\Roaming\defenderupdate.exe,00000001,004068B2,C:\Users\user\AppData\Roaming\defenderupdate.exe,00000003,004068DA,004742E0,00406933), ref: 004064F4
GetProcAddress.KERNEL32(00000000), ref: 004064FD
GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
GetProcAddress.KERNEL32(00000000), ref: 00406511
GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
GetProcAddress.KERNEL32(00000000), ref: 00406525
GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
GetProcAddress.KERNEL32(00000000), ref: 00406539
GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
GetProcAddress.KERNEL32(00000000), ref: 0040654D
GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
GetProcAddress.KERNEL32(00000000), ref: 00406561

Strings

NtFreeVirtualMemory, xrefs: 0040651C
RtlInitUnicodeString, xrefs: 004064EE
NtAllocateVirtualMemory, xrefs: 00406508
C:\Users\user\AppData\Roaming\defenderupdate.exe, xrefs: 004064E1
RtlAcquirePebLock, xrefs: 00406530
RtlReleasePebLock, xrefs: 00406544
ntdll.dll, xrefs: 004064E8, 004064F3, 0040650D, 00406521, 00406535, 00406549, 0040655D
LdrEnumerateLoadedModules, xrefs: 00406558

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: C:\Users\user\AppData\Roaming\defenderupdate.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
API String ID: 1646373207-3488278662
Opcode ID: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
Instruction ID: b313d74494c875c8407327c43f2905d2eb3972c2d2e01a1e2b33da4df8ba43a1
Opcode Fuzzy Hash: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
Instruction Fuzzy Hash: 1F011EA4E40B1675DB21677A7C54D176EAC9E502917190433B40AF22B1FEBCD410CD7D

Function 0040BC67 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 203fileCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040BC75
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
CopyFileW.KERNEL32(C:\Users\user\AppData\Roaming\defenderupdate.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
_wcslen.LIBCMT ref: 0040BD54
CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
CopyFileW.KERNEL32(C:\Users\user\AppData\Roaming\defenderupdate.exe,00000000,00000000), ref: 0040BDF2
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
_wcslen.LIBCMT ref: 0040BE34
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
ExitProcess.KERNEL32 ref: 0040BED0

Strings

BG, xrefs: 0040BCE1
C:\Users\user\AppData\Roaming\defenderupdate.exe, xrefs: 0040BCFF, 0040BD04, 0040BD37, 0040BDEC, 0040BDF1, 0040BDF8, 0040BE59
6, xrefs: 0040BD48
open, xrefs: 0040BEB2
BG, xrefs: 0040BCB6
del, xrefs: 0040BE63

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
String ID: 6$C:\Users\user\AppData\Roaming\defenderupdate.exe$del$open$BG$BG
API String ID: 1579085052-3599359158
Opcode ID: 8a4e8abcb5692669c638f214cb972068405fdb8eb26e88a62148626bb00c57e2
Instruction ID: b3868b96a5a73c1b880f625a38b4c220dd420420d05b0a2cc1e840e3cd02b35d
Opcode Fuzzy Hash: 8a4e8abcb5692669c638f214cb972068405fdb8eb26e88a62148626bb00c57e2
Instruction Fuzzy Hash: D251B0212043406BD609B722EC52EBF77999F81719F10443FF985A66E2DF3CAD4582EE

Function 0041B1BB Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 0041B1D6
_memcmp.LIBVCRUNTIME ref: 0041B1EE
lstrlenW.KERNEL32(?), ref: 0041B207
FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B242
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B255
QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B299
lstrcmpW.KERNEL32(?,?), ref: 0041B2B4
FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2CC
_wcslen.LIBCMT ref: 0041B2DB
FindVolumeClose.KERNEL32(?), ref: 0041B2FB
GetLastError.KERNEL32 ref: 0041B313
GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B340
lstrcatW.KERNEL32(?,?), ref: 0041B359
lstrcpyW.KERNEL32(?,?), ref: 0041B368
GetLastError.KERNEL32 ref: 0041B370

Strings

?, xrefs: 0041B26D

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
String ID: ?
API String ID: 3941738427-1684325040
Opcode ID: d489e3e95fd4da7a256b353d04e65c95c699bf3c253225e66008eb700c534145
Instruction ID: 2e0df54dd889987763cd5022c3700ac4418931210c184d5857636408485aa128
Opcode Fuzzy Hash: d489e3e95fd4da7a256b353d04e65c95c699bf3c253225e66008eb700c534145
Instruction Fuzzy Hash: 8B416F71508305AAD7209FA1EC8C9EBB7E8EB49715F00096BF541C2261EB78C98887D6

Function 0044E20E Relevance: 25.9, APIs: 17, Instructions: 419COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044E2A0
_free.LIBCMT ref: 0044E2C6
_free.LIBCMT ref: 0044E2EF
_free.LIBCMT ref: 0044E327
_free.LIBCMT ref: 0044E358
_free.LIBCMT ref: 0044E399
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0044E41A
_free.LIBCMT ref: 0044E433
_wcschr.LIBVCRUNTIME ref: 0044E470
_free.LIBCMT ref: 0044E4DC
_free.LIBCMT ref: 0044E502
_free.LIBCMT ref: 0044E52B
_free.LIBCMT ref: 0044E560
_free.LIBCMT ref: 0044E591
_free.LIBCMT ref: 0044E5D2
SetEnvironmentVariableW.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E657
_free.LIBCMT ref: 0044E670

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: _free$EnvironmentVariable$_wcschr
String ID:
API String ID: 3899193279-0
Opcode ID: 7acce36c14b6035b1c2eb814a55043d454006441e01e78848d5c2bc81b6dc77b
Instruction ID: 8ac3cd9939a067627e1c481289c57a7f9f94b657261427fab31af25724b0c78e
Opcode Fuzzy Hash: 7acce36c14b6035b1c2eb814a55043d454006441e01e78848d5c2bc81b6dc77b
Instruction Fuzzy Hash: 96D13C719007007FFB25AF7B9881A6F7BA4BF02314F0541AFF905A7381E63989418B9D

Function 0041CA9E Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 73windowCOMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CAE9
GetCursorPos.USER32(?), ref: 0041CAF8
SetForegroundWindow.USER32(?), ref: 0041CB01
TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB1B
Shell_NotifyIconA.SHELL32(00000002,00473B50), ref: 0041CB6C
ExitProcess.KERNEL32 ref: 0041CB74
CreatePopupMenu.USER32 ref: 0041CB7A
AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB8F

Strings

Close, xrefs: 0041CB80

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
String ID: Close
API String ID: 1657328048-3535843008
Opcode ID: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
Instruction ID: a66ed96c0d91d71762f770de87d5f41dd37c70c4e97b210e23d221b2b7ccacbc
Opcode Fuzzy Hash: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
Instruction Fuzzy Hash: 68212B71188209FFDB064F64FD4EAAA3F65EB04342F044135B906D40B2D7B9EA90EB18

Function 0045006D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 004500B1

Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F300
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F312
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F324
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F336
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F348
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F35A
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F36C
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F37E
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F390
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3A2
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3B4
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3C6
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3D8

_free.LIBCMT ref: 004500A6

Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED

_free.LIBCMT ref: 004500C8
_free.LIBCMT ref: 004500DD
_free.LIBCMT ref: 004500E8
_free.LIBCMT ref: 0045010A
_free.LIBCMT ref: 0045011D
_free.LIBCMT ref: 0045012B
_free.LIBCMT ref: 00450136
_free.LIBCMT ref: 0045016E
_free.LIBCMT ref: 00450175
_free.LIBCMT ref: 00450192
_free.LIBCMT ref: 004501AA

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
Instruction ID: 6df0fc8d0da410edbfddc8482cd9dc810a80ebbb5b2f86b8c24a0bb33e3d08c7
Opcode Fuzzy Hash: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
Instruction Fuzzy Hash: 96317235500B00AFEB20AA35D845B5B73E5AF42355F15841FF849E7292DF39AC98CB1A

Function 00419128 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 174sleeptimeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041912D
GdiplusStartup.GDIPLUS(00473AF0,?,00000000), ref: 0041915F
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191EB
Sleep.KERNEL32(000003E8), ref: 0041926D
GetLocalTime.KERNEL32(?), ref: 0041927C
Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419365

Strings

XCG, xrefs: 0041931E
time_%04i%02i%02i_%02i%02i%02i, xrefs: 00419213
XCG, xrefs: 0041923C
XCG, xrefs: 0041918A
wnd_%04i%02i%02i_%02i%02i%02i, xrefs: 0041920E, 00419229, 004192A0

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
API String ID: 489098229-65789007
Opcode ID: a8f8b58d2128b4f531cd6f97798560ad721fb8e33840202611e7dd41891fb402
Instruction ID: b922dce7c629cfc9b1bb11cb74a08c0e3353b39699bf4d86e46594d10c943285
Opcode Fuzzy Hash: a8f8b58d2128b4f531cd6f97798560ad721fb8e33840202611e7dd41891fb402
Instruction Fuzzy Hash: 33519F71A002449ACB14BBB5C856AFE7BA9AB55304F00407FF84AB71D2EF3C5E85C799

Function 0040428C Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 147networkCOMMON

Download Yara Rule

APIs

connect.WS2_32(?,?,?), ref: 004042A5
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7

Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0

Strings

TLS Error 1, xrefs: 004042FC
Connection Failed: , xrefs: 0040440C
TLS Handshake... | , xrefs: 004042C9
TLS Authentication Failed, xrefs: 0040435E
TLS Error 3, xrefs: 0040439D
TLS Error 2, xrefs: 0040431A
Connection Refused, xrefs: 0040443E

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: CreateEvent$ErrorLastLocalTimeconnect
String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
API String ID: 994465650-2151626615
Opcode ID: 62f3c4882b49c5ff5d63aa71430f88bee7d31ae11dd357ee521aebef95a1510e
Instruction ID: b196b808fbc66b1ac8da6b4b51d7f626a0d3d22bc4cde50e21f83cd2c7739b74
Opcode Fuzzy Hash: 62f3c4882b49c5ff5d63aa71430f88bee7d31ae11dd357ee521aebef95a1510e
Instruction Fuzzy Hash: ED4128B1B00202A7CB04B77A8C5B66D7A55AB81368B40007FF901676D3EE7DAD6087DF

Function 0040C66D Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 147COMMON

Download Yara Rule

APIs

Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,?,0040C67D), ref: 004116A9
Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF,?,0040C67D), ref: 004116BC

Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00412679
Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00412692
Part of subcall function 0041265D: RegCloseKey.ADVAPI32(?), ref: 0041269D

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
ExitProcess.KERNEL32 ref: 0040C832

Strings

CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040C767
@CG, xrefs: 0040C67D
.vbs, xrefs: 0040C6CD
CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName), xrefs: 0040C7D5
Temp, xrefs: 0040C708
open, xrefs: 0040C820
exepath, xrefs: 0040C69F
""", 0, xrefs: 0040C74F

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
String ID: """, 0$.vbs$@CG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
API String ID: 1913171305-390638927
Opcode ID: ca681db5516d972aef640dc773a40398a070aaf6ba3dfca6e9b2ec7f30141ac0
Instruction ID: a795a6540db69397e2c5d2b70f340dd787df27bacd58b350937fb1c0aad7b7c4
Opcode Fuzzy Hash: ca681db5516d972aef640dc773a40398a070aaf6ba3dfca6e9b2ec7f30141ac0
Instruction Fuzzy Hash: A2416D329001185ACB14F762DC56DFE7779AF50718F50417FF906B30E2EE386A8ACA99

Function 0044F3E1 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044F429
_free.LIBCMT ref: 0044F44D
_free.LIBCMT ref: 0044F45A
_free.LIBCMT ref: 0044F47F
_free.LIBCMT ref: 0044F48C
_free.LIBCMT ref: 0044F495
_free.LIBCMT ref: 0044F773
_free.LIBCMT ref: 0044F77B

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
Instruction ID: 48066223020562dfe8895eb3edc0e70975ef38ab3c96fc6f1fb07286cb8ca08d
Opcode Fuzzy Hash: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
Instruction Fuzzy Hash: 2BC15772D80204BFEB20DBA9CC82FDE77F89B45704F15416AFA04FB282D6749D458B58

Function 00454982 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00454650: CreateFileW.KERNEL32(00000000,?,?,+JE,?,?,00000000,?,00454A2B,00000000,0000000C), ref: 0045466D

GetLastError.KERNEL32 ref: 00454A96
__dosmaperr.LIBCMT ref: 00454A9D
GetFileType.KERNEL32(00000000), ref: 00454AA9
GetLastError.KERNEL32 ref: 00454AB3
__dosmaperr.LIBCMT ref: 00454ABC
CloseHandle.KERNEL32(00000000), ref: 00454ADC
CloseHandle.KERNEL32(?), ref: 00454C26
GetLastError.KERNEL32 ref: 00454C58
__dosmaperr.LIBCMT ref: 00454C5F

Strings

H, xrefs: 00454BE4

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: b64a76ded07e6414476391b57ad8ab2edcfe93df9d200e18b46d3283e817940b
Instruction ID: 324c09394b40af715295ff654573b8bda7a64cd12b4111e7ce26936e53f9a861
Opcode Fuzzy Hash: b64a76ded07e6414476391b57ad8ab2edcfe93df9d200e18b46d3283e817940b
Instruction Fuzzy Hash: B0A148329041044FDF19EF78D8427AE7BA0AB86319F14015EFC159F392DB398C86C75A

Function 0040A3F4 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 158sleepCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0040A456
Sleep.KERNEL32(000001F4), ref: 0040A461
GetForegroundWindow.USER32 ref: 0040A467
GetWindowTextLengthW.USER32(00000000), ref: 0040A470
GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
Sleep.KERNEL32(000003E8), ref: 0040A574

Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84

Strings

{ User has been idle for , xrefs: 0040A5AB
], xrefs: 0040A508
minutes }, xrefs: 0040A59F
[, xrefs: 0040A50E

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: Window$SleepText$EventForegroundInit_thread_footerLength
String ID: [${ User has been idle for $ minutes }$]
API String ID: 911427763-3954389425
Opcode ID: a59f2f13793784003892e63950edf61f9792dfbe12456e4cbfe946a207096c8a
Instruction ID: 0ecdfa35f4bf358d0b6072dbfc0ad8fc4f94b2a12b5a089c7f39fa9b67fb4d59
Opcode Fuzzy Hash: a59f2f13793784003892e63950edf61f9792dfbe12456e4cbfe946a207096c8a
Instruction Fuzzy Hash: C451DF316083005BC614FB21D84AAAE7794BF84318F50493FF846A62E2EF7C9E55C69F

Function 00413C67 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 155COMMON

Download Yara Rule

Strings

65535, xrefs: 00413C6A
udp, xrefs: 00413D17, 00413D1F, 00413D23

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID:
String ID: 65535$udp
API String ID: 0-1267037602
Opcode ID: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
Instruction ID: a76ad32841e4dbbb66723cf4e0556afe3febbbe66cdf8f55616d13ac9502c32b
Opcode Fuzzy Hash: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
Instruction Fuzzy Hash: 9D4118716083019BD7209F29E905BAB7BD8EF85706F04082FF84197391E76DCEC186AE

Function 0040C89E Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 139COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040CA04

Strings

Temp, xrefs: 0040C8D0
ProgramFiles, xrefs: 0040C9D8
WinDir, xrefs: 0040C905, 0040C927, 0040C979
AppData, xrefs: 0040C9BB
UserProfile, xrefs: 0040C9C2
ProgramData, xrefs: 0040C9C9
\system32, xrefs: 0040C918
SystemDrive, xrefs: 0040C8FB
\SysWOW64, xrefs: 0040C96A

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: LongNamePath
String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
API String ID: 82841172-425784914
Opcode ID: 2c32c8423f05266584aa4a08fe5fa9c2e4569a415b98fb848e0406cdb68be249
Instruction ID: 51cedb133b73bca78a9fc1065318242b3d6e678e936cb09da4a185c9a299c852
Opcode Fuzzy Hash: 2c32c8423f05266584aa4a08fe5fa9c2e4569a415b98fb848e0406cdb68be249
Instruction Fuzzy Hash: 39413A721442009BC214FB21DD96DAFB7A4AE90759F10063FB546720E2EE7CAA49C69F

Function 00439361 Relevance: 16.6, APIs: 11, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393B9
GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C6
__dosmaperr.LIBCMT ref: 004393CD
MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393F9
GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439403
__dosmaperr.LIBCMT ref: 0043940A
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043944D
GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439457
__dosmaperr.LIBCMT ref: 0043945E
_free.LIBCMT ref: 0043946A
_free.LIBCMT ref: 00439471

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
String ID:
API String ID: 2441525078-0
Opcode ID: ab6d6df52fdda21e78bda597108ea35d8248e36eca260e6751756a241cd45372
Instruction ID: 902c93592471d116807dca9985149206a76c62e8192f2f9a6cc20a0486345b12
Opcode Fuzzy Hash: ab6d6df52fdda21e78bda597108ea35d8248e36eca260e6751756a241cd45372
Instruction Fuzzy Hash: F531F17140820ABBEF11AFA5DC449AF3B78EF09364F14016AF81066291DB79CC12DBA9

Function 00406616 Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 98COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00474A28,00000000,BG3i@,00003000,00000004,00000000,00000001), ref: 00406647
GetCurrentProcess.KERNEL32(00474A28,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Users\user\AppData\Roaming\defenderupdate.exe), ref: 00406705

Strings

explorer.exe, xrefs: 004066BD, 004066E2
PEB: %x, xrefs: 00406716
[-] NtAllocateVirtualMemory Error, xrefs: 004066AA
windir, xrefs: 00406654
BG3i@, xrefs: 0040662C, 00406637
[+] NtAllocateVirtualMemory Success, xrefs: 0040667A
\explorer.exe, xrefs: 0040666A

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: CurrentProcess
String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir$BG3i@
API String ID: 2050909247-4145329354
Opcode ID: ae628e6cf13d6acf56a74fe03314e9eaaf54e5537fc186528355c397fff7ef9b
Instruction ID: 423827b33d6c667fb1d0fc3afb55bdad30249121d517be796f0b9763ce16cf58
Opcode Fuzzy Hash: ae628e6cf13d6acf56a74fe03314e9eaaf54e5537fc186528355c397fff7ef9b
Instruction Fuzzy Hash: B2310871250700AFC300AB65EC45F6A37B8EB84716F11043EF50AE76E1EB79A8508B6D

Function 00410314 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 192COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00410333
inet_ntoa.WS2_32(?), ref: 004103CE

Strings

StopReverse, xrefs: 004104C0
>G, xrefs: 00410359
StopForward, xrefs: 004104AF
GetDirectListeningPort, xrefs: 004104D1
StartForward, xrefs: 00410492
StartReverse, xrefs: 0041049E

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: Eventinet_ntoa
String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
API String ID: 3578746661-4192532303
Opcode ID: a0049f2f09a357c7da3f2da1302c44ceee5b7892c88a4f25036bd0ddf1a9f3a7
Instruction ID: 9533851bb4e74ac183efc1d320b4a1154e984465ef7073577260c431c5a81f81
Opcode Fuzzy Hash: a0049f2f09a357c7da3f2da1302c44ceee5b7892c88a4f25036bd0ddf1a9f3a7
Instruction Fuzzy Hash: E8518471A042009BC714F779D85AAAE36A59B80318F40453FF849972E2DF7CAD85CB9F

Function 00455139 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00455DAF), ref: 0045515C

Strings

sqrt, xrefs: 004552E0
asin, xrefs: 004552C8
pow, xrefs: 00455240, 004552EC, 004552FF
acos, xrefs: 004552D4
exp, xrefs: 00455221, 00455283
log10, xrefs: 004551A6, 004551F6
log, xrefs: 00455202, 0045520E

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 3eb206b15bda214751c6835efce86a307732660d26cd42cbd6c0713da10ca2d5
Instruction ID: 89d0c260ad138193cc60bb845925db7455dcb75d1c4d79333749f45855522aa5
Opcode Fuzzy Hash: 3eb206b15bda214751c6835efce86a307732660d26cd42cbd6c0713da10ca2d5
Instruction Fuzzy Hash: DA516D70900E09CBCF14DF99E9581BDBBB0FB09342F244297EC41A6266CB798A1DCB1D

Function 004165FC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 103sleepfileCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C

Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633

Sleep.KERNEL32(00000064), ref: 00416688
DeleteFileW.KERNEL32(00000000), ref: 004166BC

Strings

temp, xrefs: 0041660C
\sysinfo.txt, xrefs: 00416607
dxdiag, xrefs: 00416651
open, xrefs: 00416656
/t , xrefs: 0041663B

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: File$CreateDeleteExecuteShellSleep
String ID: /t $\sysinfo.txt$dxdiag$open$temp
API String ID: 1462127192-2001430897
Opcode ID: 826bb05371ff64d740857fa337f72034cbc796444b6efc95c58373138809deed
Instruction ID: 72b86f905f1643b809cd09d25b02ba286255726e8958c1b91c3bd62dba73c542
Opcode Fuzzy Hash: 826bb05371ff64d740857fa337f72034cbc796444b6efc95c58373138809deed
Instruction Fuzzy Hash: FD313E719001085ADB14FBA1DC96EEE7764AF50708F00013FF906731E2EF786A8ACA9D

Function 00401A8E Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 89COMMON

Download Yara Rule

APIs

_strftime.LIBCMT ref: 00401AD3

Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54

waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2

Strings

`=G, xrefs: 00401B04
%Y-%m-%d %H.%M, xrefs: 00401AC4
.wav, xrefs: 00401AEC
x=G, xrefs: 00401B8B

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
API String ID: 3809562944-3643129801
Opcode ID: 05fbe3f0275308aa01def130e1c9f559704be22902734a160a2ccb4d88025906
Instruction ID: ec6e8c75c27496dd15f6dcc160753dc5291fcfbcfc36b55cd818fae73feeac55
Opcode Fuzzy Hash: 05fbe3f0275308aa01def130e1c9f559704be22902734a160a2ccb4d88025906
Instruction Fuzzy Hash: 6C317E315053009BC314EF25DC56A9E77E8BB94314F00883EF559A21F1EF78AA49CB9A

Function 0040196B Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 72COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
waveInStart.WINMM ref: 00401A81

Strings

`=G, xrefs: 0040196F
XCG, xrefs: 004019A9
x=G, xrefs: 00401A1E

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
String ID: XCG$`=G$x=G
API String ID: 1356121797-903574159
Opcode ID: 4fec801bf293db6df151fde61eeb5f786b1727cfb1468d64e42c9e242be372bd
Instruction ID: 1c4952ee711c82e1d68262a7885cb64ec938acb60d992cd4a46dee1db52e037b
Opcode Fuzzy Hash: 4fec801bf293db6df151fde61eeb5f786b1727cfb1468d64e42c9e242be372bd
Instruction Fuzzy Hash: 87215C316012009BC704DF7EFD1696A7BA9FB85742B00843AF50DE76B0EBB89880CB4C

Function 0041C96F Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 47windowstringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C988

Part of subcall function 0041CA1F: RegisterClassExA.USER32(00000030), ref: 0041CA6C
Part of subcall function 0041CA1F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
Part of subcall function 0041CA1F: GetLastError.KERNEL32 ref: 0041CA91

ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9BF
lstrcpynA.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9D9
Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9EF
TranslateMessage.USER32(?), ref: 0041C9FB
DispatchMessageA.USER32(?), ref: 0041CA05
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA12

Strings

Remcos, xrefs: 0041C9CA

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
String ID: Remcos
API String ID: 1970332568-165870891
Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
Instruction ID: 0af2178feff80faf092f0d4c6bffee9b758878d1eb04e36c9ad6546aee081b39
Opcode Fuzzy Hash: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
Instruction Fuzzy Hash: 760121B1944344ABD7109FA5FC4CEDA7BBCAB45B16F004035F605E2162D7B8A285DB2D

Function 0044B450 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2fd919219da5dceb4fadf527de6f56cb4df21625ee46edd218c435833ca4f57
Instruction ID: 1e235cce983953b2f50cc3566bc78ab2d8216d31b9fa4c429b6f00869d8f9d70
Opcode Fuzzy Hash: a2fd919219da5dceb4fadf527de6f56cb4df21625ee46edd218c435833ca4f57
Instruction Fuzzy Hash: 27C1D774D04249AFEF11DFA9C8417AEBBB4FF4A304F14405AE814A7392C778D941CBA9

Function 00452B2A Relevance: 13.8, APIs: 9, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00452BD6
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00452C59
__alloca_probe_16.LIBCMT ref: 00452C91
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00452CEC
__alloca_probe_16.LIBCMT ref: 00452D3B
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00452D03

Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00452D7F
__freea.LIBCMT ref: 00452DAA
__freea.LIBCMT ref: 00452DB6

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
String ID:
API String ID: 201697637-0
Opcode ID: 5a84a6a5317ae172974df595155495cbc46435c9615446bda379f5f3d343e1a3
Instruction ID: c0da75549b7b47b94c7346473649b17197e9394d7568cc7349c1d05b16f9ad8a
Opcode Fuzzy Hash: 5a84a6a5317ae172974df595155495cbc46435c9615446bda379f5f3d343e1a3
Instruction Fuzzy Hash: F391D872E002169BDF218E64CA51EEF7BB5AF0A315F14055BEC04E7243D7A9DC48CB68

Function 004443F9 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D

_memcmp.LIBVCRUNTIME ref: 004446A3
_free.LIBCMT ref: 00444714
_free.LIBCMT ref: 0044472D
_free.LIBCMT ref: 0044475F
_free.LIBCMT ref: 00444768
_free.LIBCMT ref: 00444774

Strings

C, xrefs: 00444561

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: 4045a2e03b7b0fda526f0a9e820ad73f36c10bcbe96ad2bd9ebfcc8c6ddf23ea
Instruction ID: 3c523a64da6f7cdf058c983f33271b3c05ff2f19a58e511a78fa6d1555c07658
Opcode Fuzzy Hash: 4045a2e03b7b0fda526f0a9e820ad73f36c10bcbe96ad2bd9ebfcc8c6ddf23ea
Instruction Fuzzy Hash: 19B13975A012199FEB24DF18C885BAEB7B4FB49304F1485AEE909A7350D739AE90CF44

Function 004139C7 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 228COMMON

Download Yara Rule

Strings

tcp, xrefs: 00413B2B
udp, xrefs: 00413B01

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID:
String ID: tcp$udp
API String ID: 0-3725065008
Opcode ID: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
Instruction ID: e59cad8d3053530f07be13ad944632c35d9115139dfdf9e987abb4c2b311e0ee
Opcode Fuzzy Hash: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
Instruction Fuzzy Hash: 9171AB316083128FDB24CE5584847ABB6E4AF84746F10043FF885A7352E778DE85CB9A

Function 004559CA Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00455AF9

Strings

HE, xrefs: 00455A1D, 00455B0E
HE, xrefs: 00455AC0
gKE, xrefs: 004559D2

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: _free
String ID: gKE$HE$HE
API String ID: 269201875-2777690135
Opcode ID: 396dac2f3812ff065a3283cc201ba07d86737f2a766ab43e7d660d85bd51e2e6
Instruction ID: 4134de32792d44acead4bb36f8da9b5b282593f8ffe10db144b1eaf4d9577b64
Opcode Fuzzy Hash: 396dac2f3812ff065a3283cc201ba07d86737f2a766ab43e7d660d85bd51e2e6
Instruction Fuzzy Hash: 90412A31A009106BEF24AABA8CD5A7F3B64DF45375F14031BFC1896293D67C8C4996AA

Function 00401768 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 142threadCOMMON

Download Yara Rule

APIs

ExitThread.KERNEL32 ref: 004017F4

Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,00475B70,00475BF0,?,0040179E,00475BF0), ref: 00433524
Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040179E,00475BF0), ref: 00433561

waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902

Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB

__Init_thread_footer.LIBCMT ref: 004017BC

Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475BF0,?,004017C1,00475BF0,00000000), ref: 004334D9
Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,004017C1,00475BF0,00000000), ref: 0043350C

Strings

p[G, xrefs: 00401786
>G, xrefs: 0040188E
>G, xrefs: 0040180B
T=G, xrefs: 00401800

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
String ID: T=G$p[G$>G$>G
API String ID: 1596592924-2461731529
Opcode ID: 8f70ea2b40fb44211d0b69bbfe51e678a1d722ca5741e51af6e8456a38407156
Instruction ID: b2aa677fe1363808454ef9d3704f93b9908b7cd688e3fd59dcdd6ad405d7ff49
Opcode Fuzzy Hash: 8f70ea2b40fb44211d0b69bbfe51e678a1d722ca5741e51af6e8456a38407156
Instruction Fuzzy Hash: 0D41A0316042019BC324FB65DCA6EAE73A4EB94318F00453FF54AA71F2DF78A945C65E

Function 00406BE9 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18

Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588

Strings

.part, xrefs: 00406C0F

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
String ID: .part
API String ID: 1303771098-3499674018
Opcode ID: bc587de7adb1460b3aabd07d1d3e6798b8d85c5b62109ba090974b2b68d51c1e
Instruction ID: a9f2b94bfe891e644ef5b97f564769cd4b441703f4f7d546a0b6aea2ef9939f1
Opcode Fuzzy Hash: bc587de7adb1460b3aabd07d1d3e6798b8d85c5b62109ba090974b2b68d51c1e
Instruction Fuzzy Hash: 1C31C2715083019FD210EF21DD459AFB7A8FB85715F40093FF9C6A21A1DB38AA48CB9A

Function 0041A81D Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE

Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C

_wcslen.LIBCMT ref: 0041A8F6

Strings

program files\, xrefs: 0041A8DC, 0041A8E3, 0041A8F5
program files (x86)\, xrefs: 0041A8F0
.exe, xrefs: 0041A848
XCG, xrefs: 0041A89C, 0041A8A1
:@, xrefs: 0041A8C3
http\shell\open\command, xrefs: 0041A82D

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: CloseCurrentOpenProcessQueryValue_wcslen
String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
API String ID: 37874593-703403762
Opcode ID: 8d7f7000506fb44ae307e9e559f48fe1fd4854344d8ef950826ae216f426f9bc
Instruction ID: cf464564bb47d370653928ac6653466accee15d45f6204cdc17a1bec324f9b19
Opcode Fuzzy Hash: 8d7f7000506fb44ae307e9e559f48fe1fd4854344d8ef950826ae216f426f9bc
Instruction Fuzzy Hash: 3021B8727001043BDB04BAB58C96DEE366D9B85358F14083FF402F72C2ED3C9D5942A9

Function 00449950 Relevance: 12.2, APIs: 8, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042CE53,?,?,?,00449BA1,00000001,00000001,?), ref: 004499AA
__alloca_probe_16.LIBCMT ref: 004499E2
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042CE53,?,?,?,00449BA1,00000001,00000001,?), ref: 00449A30
__alloca_probe_16.LIBCMT ref: 00449AC7
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B2A
__freea.LIBCMT ref: 00449B37

Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31

__freea.LIBCMT ref: 00449B40
__freea.LIBCMT ref: 00449B65

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: aa8dcda0c36fa9ba79fa8fe966d6c0ac5dcd12a00e8d66bfa7c578b9a9788745
Instruction ID: d3450b84a68f20df6837e20b70452335b33749c243a385fd48b45426a0ff81fe
Opcode Fuzzy Hash: aa8dcda0c36fa9ba79fa8fe966d6c0ac5dcd12a00e8d66bfa7c578b9a9788745
Instruction Fuzzy Hash: 89511572610246AFFB258F65DC81EBB77A9EB44754F15462EFC04E6240EF38EC40E668

Function 00418ABE Relevance: 12.1, APIs: 8, Instructions: 117keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32 ref: 00418B08
SendInput.USER32(00000001,?,0000001C), ref: 00418B30
SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B57
SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B75
SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B95
SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BBA
SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BDC
SendInput.USER32(00000001,?,0000001C), ref: 00418BFF

Part of subcall function 00418AB1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AB7

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: InputSend$Virtual
String ID:
API String ID: 1167301434-0
Opcode ID: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
Instruction ID: ee8b26819532887277ba411a2a2a0296f2420856d0f10470abe43a11d9a37015
Opcode Fuzzy Hash: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
Instruction Fuzzy Hash: 3231A471248345AAE210DF65D841FDFFBECAFC5B44F04080FB98457291DAA4D98C87AB

Function 00415A45 Relevance: 12.0, APIs: 8, Instructions: 46clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00415A46
EmptyClipboard.USER32 ref: 00415A54
CloseClipboard.USER32 ref: 00415A5A
OpenClipboard.USER32 ref: 00415A61
GetClipboardData.USER32(0000000D), ref: 00415A71
GlobalLock.KERNEL32(00000000), ref: 00415A7A
GlobalUnlock.KERNEL32(00000000), ref: 00415A83
CloseClipboard.USER32 ref: 00415A89

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
String ID:
API String ID: 2172192267-0
Opcode ID: ed1c07982b29d0ead8c7efce27f1f73f7a3c6531811b5a16733390c9f1490fe0
Instruction ID: 9b100a12d13cc6c4196ee8fc3e520842cce62831b2d72284ea91ff5550736cd9
Opcode Fuzzy Hash: ed1c07982b29d0ead8c7efce27f1f73f7a3c6531811b5a16733390c9f1490fe0
Instruction Fuzzy Hash: A10152312083009FC314BB75EC5AAEE77A5AFC0762F41457EFD06861A2DF38C845D65A

Function 0044F806 Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044F875
_free.LIBCMT ref: 0044F883
_free.LIBCMT ref: 0044F9B1
_free.LIBCMT ref: 0044F9BC

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 6141bfdb7684140d9b9f029a8ead33158da868342510b0366010e9dcd8c93941
Instruction ID: 5fecc71d39e6a90402c47f7728bb4f6831cdfeb90858b0dfc168023e2edb8b83
Opcode Fuzzy Hash: 6141bfdb7684140d9b9f029a8ead33158da868342510b0366010e9dcd8c93941
Instruction Fuzzy Hash: 2361BFB1900205AFEB20DF69C841BAABBF4EB45720F24417BE944FB392E7349D45CB59

Function 0044A0C3 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0044A838,?,00000000,00000000,00000000,00000000,0000000C), ref: 0044A105
__fassign.LIBCMT ref: 0044A180
__fassign.LIBCMT ref: 0044A19B
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0044A1C1
WriteFile.KERNEL32(?,00000000,00000000,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A1E0
WriteFile.KERNEL32(?,?,00000001,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A219

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
Instruction ID: b40464c9ec282996611fef5cbd20273031f87559cdf671a411eba52403cbf28d
Opcode Fuzzy Hash: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
Instruction Fuzzy Hash: DB51E270E002099FEB10CFA8D881AEEBBF8FF09300F14416BE815E3391D6749951CB6A

Function 00437A80 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00437AAB
___except_validate_context_record.LIBVCRUNTIME ref: 00437AB3
_ValidateLocalCookies.LIBCMT ref: 00437B41
__IsNonwritableInCurrentImage.LIBCMT ref: 00437B6C
_ValidateLocalCookies.LIBCMT ref: 00437BC1

Strings

csm, xrefs: 00437B56

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 47e26074ed3df67517ea761fc7c27dd00097028ab85dfbf9f1f14e41715e449f
Instruction ID: 9404c61c081bc4e6da2099be8a52027e1297fde76841380def533d3eaa533744
Opcode Fuzzy Hash: 47e26074ed3df67517ea761fc7c27dd00097028ab85dfbf9f1f14e41715e449f
Instruction Fuzzy Hash: CD410970A04209DBCF20EF19C844A9FBBB5AF0932CF14915BE8556B392D739EE05CB95

Function 0040B6EA Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00412513: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 00412537
Part of subcall function 00412513: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00412554
Part of subcall function 00412513: RegCloseKey.ADVAPI32(?), ref: 0041255F

ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
PathFileExistsA.SHLWAPI(?), ref: 0040B779

Strings

[IE cookies cleared!], xrefs: 0040B7C6, 0040B7E6
Cookies, xrefs: 0040B6FE
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, xrefs: 0040B703
[IE cookies not found], xrefs: 0040B741

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
API String ID: 1133728706-4073444585
Opcode ID: b2ac8dee5e5069ae19a2430ed362db1d01aada1bcbcc6095e396115e7a02ca7f
Instruction ID: d844a8c095f6bc09782a4352348c5dfd082864f820bca84d12e352ec49be167e
Opcode Fuzzy Hash: b2ac8dee5e5069ae19a2430ed362db1d01aada1bcbcc6095e396115e7a02ca7f
Instruction Fuzzy Hash: 5F216D71A00109A6CB04F7B2DCA69EE7764AE95318F40013FE902771D2EB7C9A49C6DE

Function 00455903 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a689da314200d05c27aed096e5791327431372d8d81dee2cdc260883e4ab0459
Instruction ID: 969edc756a0dffe936139f0dc9bce31aed38431af2e56c5058bd22e5c2f4fad6
Opcode Fuzzy Hash: a689da314200d05c27aed096e5791327431372d8d81dee2cdc260883e4ab0459
Instruction Fuzzy Hash: 991124B1508654FBDB202F769C4493B3B6CEF82376B10016FFC15D7242DA7C8805C2AA

Function 0040FBEF Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
int.LIBCPMT ref: 0040FC0F

Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B

std::_Facet_Register.LIBCPMT ref: 0040FC4B
std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
__CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D

Strings

P[G, xrefs: 0040FC94

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID: P[G
API String ID: 2536120697-571123470
Opcode ID: 31ce6fe8dfd7390de1d64992225249e105d572f1378bab70f4a441faf385e78a
Instruction ID: a46b155a0a589d4ea75c4983af6a631921b9d9812a15003568faaf62f6f01cf1
Opcode Fuzzy Hash: 31ce6fe8dfd7390de1d64992225249e105d572f1378bab70f4a441faf385e78a
Instruction Fuzzy Hash: 7611F331904518A7CB14FBA5D8469DEB7689E44358B20007BF905B72C1EB7CAE45C79D

Function 0041A51B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A53E
InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A554
InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A56D
InternetCloseHandle.WININET(00000000), ref: 0041A5B3
InternetCloseHandle.WININET(00000000), ref: 0041A5B6

Strings

http://geoplugin.net/json.gp, xrefs: 0041A54E

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileRead
String ID: http://geoplugin.net/json.gp
API String ID: 3121278467-91888290
Opcode ID: 8d796e82819d20c7747317835cdf85fb334a8da14db2c504802a4fd71c56bfc3
Instruction ID: 402fbdb1aff19a1981f8347c65821a4f206ec005c70a85ea4635686413b1fe25
Opcode Fuzzy Hash: 8d796e82819d20c7747317835cdf85fb334a8da14db2c504802a4fd71c56bfc3
Instruction Fuzzy Hash: 2711C87110A3126BD214AA169C45DBF7FDCEF46365F00053EF905D2191DB689C48C6B6

Function 0041A463 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C

Part of subcall function 00412513: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 00412537
Part of subcall function 00412513: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00412554
Part of subcall function 00412513: RegCloseKey.ADVAPI32(?), ref: 0041255F

StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4D9

Strings

ProductName, xrefs: 0041A472
CurrentBuildNumber, xrefs: 0041A4BA
(32 bit), xrefs: 0041A501
(64 bit), xrefs: 0041A506, 0041A510
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0041A477, 0041A481, 0041A4BF

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: CloseCurrentOpenProcessQueryValue
String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 1866151309-2070987746
Opcode ID: 55ad628b9ffecf6fc05846b0b449cc9ef91119f19e10ab231a0cee3385cadad7
Instruction ID: 19977b185b3bcff34fa520d2ecc4782d624f476aadfe6515b429a208ce335d2f
Opcode Fuzzy Hash: 55ad628b9ffecf6fc05846b0b449cc9ef91119f19e10ab231a0cee3385cadad7
Instruction Fuzzy Hash: EF11E9A060020166C704B365DCABDBF765ADB90304F50443FB906E31D2EB6C9E9683EE

Function 00406815 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 59COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\AppData\Roaming\defenderupdate.exe), ref: 00406835

Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9

CoUninitialize.OLE32 ref: 0040688E

Strings

[+] ucmCMLuaUtilShellExecMethod, xrefs: 0040681A
C:\Users\user\AppData\Roaming\defenderupdate.exe, xrefs: 00406815, 00406818, 0040686A
[+] before ShellExec, xrefs: 00406856
[+] ShellExec success, xrefs: 00406873

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: InitializeObjectUninitialize_wcslen
String ID: C:\Users\user\AppData\Roaming\defenderupdate.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
API String ID: 3851391207-3821058442
Opcode ID: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
Instruction ID: 622c6236034ee416db36617ed9a374104512909f75adacabffe0517dc70a223e
Opcode Fuzzy Hash: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
Instruction Fuzzy Hash: A501C0722013106FE2287B11DC0EF3B2658DB4176AF22413FF946A71C1EAA9AC104669

Function 0040B2A8 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 48fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
GetLastError.KERNEL32 ref: 0040B2EE

Strings

UserProfile, xrefs: 0040B2B4
\AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
[Chrome Cookies found, cleared!], xrefs: 0040B314
[Chrome Cookies not found], xrefs: 0040B308

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
API String ID: 2018770650-304995407
Opcode ID: 89984b89c506dd7c72a5c030867ac5c43e97c4af1a23029286eaf0e318e25243
Instruction ID: 647c9f6895dd19beb09db90be4e639f81332b1b521455d1adc7a9c6a9ee315b4
Opcode Fuzzy Hash: 89984b89c506dd7c72a5c030867ac5c43e97c4af1a23029286eaf0e318e25243
Instruction Fuzzy Hash: 3301A23164410557CB047BB5DD6B8AF3624ED50708F60013FF802B32E2FE3A9A0586CE

Function 004064D0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 40COMMON

Download Yara Rule

Strings

C:\Users\user\AppData\Roaming\defenderupdate.exe, xrefs: 00406927
BG, xrefs: 00406909
(CG, xrefs: 0040693F

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID:
String ID: (CG$C:\Users\user\AppData\Roaming\defenderupdate.exe$BG
API String ID: 0-223189810
Opcode ID: d1be4aec57154437973d558091bbe471e33116169eb7d1567a4c56866b781843
Instruction ID: a0817f974ad937f6cb5b9dd001e5131ae01746641b95ac10126ddf8aadfa6e31
Opcode Fuzzy Hash: d1be4aec57154437973d558091bbe471e33116169eb7d1567a4c56866b781843
Instruction Fuzzy Hash: 05F096B17022109BDB103774BC1967A3645A780356F01847BF94BFA6E5DB3C8851869C

Function 004395FC Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00439789
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397A5
__allrem.LIBCMT ref: 004397BC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397DA
__allrem.LIBCMT ref: 004397F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043980F

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: b8fade3388712e20a6f67c03e6901a2274372487572bf270bb9750812de2a36e
Instruction ID: 29148231e9435c1f59b8c02308e8e4f0c882d016d38a0f6ab7871d26eba04b65
Opcode Fuzzy Hash: b8fade3388712e20a6f67c03e6901a2274372487572bf270bb9750812de2a36e
Instruction Fuzzy Hash: 7A811B726017069BE724AE79CC82B6F73A8AF49328F24512FF511D66C1E7B8DD018B58

Function 00444B3D Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00444B69
__cftoe.LIBCMT ref: 00444B9B

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 9c401b065f3bfa052971b83b22631fc3acfeb1e9040e9a62fafe9f4e5745fff8
Instruction ID: 646e0444ce84107b4b6d0ff1d92098e8eb0dfa86acef9ec08128487301265115
Opcode Fuzzy Hash: 9c401b065f3bfa052971b83b22631fc3acfeb1e9040e9a62fafe9f4e5745fff8
Instruction Fuzzy Hash: A851FC72900105ABFB249F598C81F6F77A9EFC9324F15421FF815A6281DB3DDD01866D

Function 00446159 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00446261
__freea.LIBCMT ref: 0044630B
__freea.LIBCMT ref: 00446329

Strings

am/pm, xrefs: 0044638C
a/p, xrefs: 004463F0

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16
String ID: a/p$am/pm
API String ID: 3509577899-3206640213
Opcode ID: ef0e82919ac3b8602debd5a299a6af15dd8aa9f36d72cee99fb0876ec95c8b0f
Instruction ID: cf09b504ad0dd49156c227457699755419044adef71e8be36bbdd309731302d4
Opcode Fuzzy Hash: ef0e82919ac3b8602debd5a299a6af15dd8aa9f36d72cee99fb0876ec95c8b0f
Instruction Fuzzy Hash: 5FD1F271A00206EAFB249F68D945ABBB7B0FF06300F26415BE905AB749D37D8D41CB5B

Function 004129AA Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 173registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED

Strings

DG, xrefs: 00412B2F
[regsplt], xrefs: 00412B85

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: Enum$InfoQueryValue
String ID: [regsplt]$DG
API String ID: 3554306468-1089238109
Opcode ID: 420c64221c8be20a0884beaa9dc5826c3a8ed3ed3fba4086070cd80455fd0dc1
Instruction ID: 09469598a034e88a10af8fecb22bb8a395a4bc85e225d04bcc93034602455e52
Opcode Fuzzy Hash: 420c64221c8be20a0884beaa9dc5826c3a8ed3ed3fba4086070cd80455fd0dc1
Instruction Fuzzy Hash: D8512E72108345AFD310EB61D995DEFB7ECEF84744F00493EB585D2191EB74EA088B6A

Function 0040A876 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
wsprintfW.USER32 ref: 0040A905

Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84

Strings

[%04i/%02i/%02i %02i:%02i:%02i , xrefs: 0040A88D
], xrefs: 0040A892
Offline Keylogger Started, xrefs: 0040A87D

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: EventLocalTimewsprintf
String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
API String ID: 1497725170-248792730
Opcode ID: d47f6fbfcddc5f950be7bc6af301cd0dd5aecde9aff08f33bdbb9e4de45e3f1a
Instruction ID: 8a7b6ca92c081f7f17d03b5bac770d689c192d548357e869dbc211d44db93d1d
Opcode Fuzzy Hash: d47f6fbfcddc5f950be7bc6af301cd0dd5aecde9aff08f33bdbb9e4de45e3f1a
Instruction Fuzzy Hash: BB118172400118AACB18BB56EC55CFE77BCAE48325F00013FF842620D1EF7C5A86C6E9

Function 0041CA1F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54registryCOMMON

Download Yara Rule

APIs

RegisterClassExA.USER32(00000030), ref: 0041CA6C
CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
GetLastError.KERNEL32 ref: 0041CA91

Strings

0, xrefs: 0041CA2D
MsgWindowClass, xrefs: 0041CA28

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: ClassCreateErrorLastRegisterWindow
String ID: 0$MsgWindowClass
API String ID: 2877667751-2410386613
Opcode ID: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
Instruction ID: bff961279ea7560c1ff94ea7b7e8445e3758215821d07408c43b005d8adda241
Opcode Fuzzy Hash: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
Instruction Fuzzy Hash: 2D01E9B1D1431EAB8B01DFE9DCC4AEFBBBDBE49255B50452AE410B2200E7704A448BA5

Function 004069BA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
CloseHandle.KERNEL32(?), ref: 00406A0F
CloseHandle.KERNEL32(?), ref: 00406A14

Strings

C:\Windows\System32\cmd.exe, xrefs: 004069FB
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
API String ID: 2922976086-4183131282
Opcode ID: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
Instruction ID: 91eee74bc7ca160cae255ad37e89f65ee2415c19472677646c1a5aeb81073604
Opcode Fuzzy Hash: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
Instruction Fuzzy Hash: 8AF030B69002A9BACB30ABD69C0EFDF7F7DEBC6B11F00042AB615A6051D6745144CAB9

Function 004425D9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044258A,?,?,0044252A,?), ref: 004425F9
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044260C
FreeLibrary.KERNEL32(00000000,?,?,?,0044258A,?,?,0044252A,?), ref: 0044262F

Strings

mscoree.dll, xrefs: 004425F2
CorExitProcess, xrefs: 00442604

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
Instruction ID: 32bca75c9846dbfd0145c2b425e1dcbc158e0b1ec8d75d3d798e8c7ef3c4518a
Opcode Fuzzy Hash: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
Instruction Fuzzy Hash: 14F04430904209FBDB169FA5ED09B9EBFB5EB08756F4140B9F805A2251DF749D40CA9C

Function 00404AB1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00475B70,0040483F,00000001,?,?,00000000,00475B70,004017F3), ref: 00404AED
SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404AF9
WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B70,004017F3), ref: 00404B04
CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404B0D

Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0

Strings

KeepAlive | Disabled, xrefs: 00404AC6

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
String ID: KeepAlive | Disabled
API String ID: 2993684571-305739064
Opcode ID: 68b50adcbc3edbb9d4c8525224eb9d153fc5f31cab3a74662374d300908f4771
Instruction ID: d6da77504ed7f85403cc54e6f32b3900d2337039667ff8d97479a9328fe4a552
Opcode Fuzzy Hash: 68b50adcbc3edbb9d4c8525224eb9d153fc5f31cab3a74662374d300908f4771
Instruction Fuzzy Hash: F8F0BBB19043007FDB1137759D0E66B7F58AB46325F00457FF892926F1DA38D890875B

Function 0044016A Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 540239c3c7a8b78e424bcf486381df198cb5d8aead86a72beee1c9aef6a9193c
Instruction ID: 5f24fa964153eb206603784754227e3bedeb81a57cd12874f4c303f17d5dd595
Opcode Fuzzy Hash: 540239c3c7a8b78e424bcf486381df198cb5d8aead86a72beee1c9aef6a9193c
Instruction Fuzzy Hash: FD71C231900216DBEB218F55C884ABFBB75FF55360F14026BEE10A7281D7B89D61CBA9

Function 00410B19 Relevance: 7.7, APIs: 5, Instructions: 198memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF

GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410C31
SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
String ID:
API String ID: 3525466593-0
Opcode ID: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
Instruction ID: 414678d8c61d87a8872ee73c425a8c4ab38aff0ef96490e16bc3f9b9534d1ba0
Opcode Fuzzy Hash: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
Instruction Fuzzy Hash: 1861C270200301ABD720DF66C981BA77BE6BF44744F04412AF9058B786EBF8E8C5CB99

Function 0040E6A3 Relevance: 7.6, APIs: 5, Instructions: 132processCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
CloseHandle.KERNEL32(00000000), ref: 0040E8AB

Part of subcall function 0041B187: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B19C

Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8

Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
String ID:
API String ID: 4269425633-0
Opcode ID: 296a05bfb99c111a27fc262cb636efe6a000d6565ad7e80475f435e5bd850ba0
Instruction ID: 1ccfc3ca83e07eb3b8bade3b71d1bee95701cef3987deea6625860c00c24977f
Opcode Fuzzy Hash: 296a05bfb99c111a27fc262cb636efe6a000d6565ad7e80475f435e5bd850ba0
Instruction Fuzzy Hash: F641E1311083415BC325F761D8A1AEFB7E9EFA4305F50453EF84A931E1EF389A49C65A

Function 00443098 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044310A
_free.LIBCMT ref: 0044312A

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
Instruction ID: 1dbcf13812f0ad7c91f1b1cf961d24232ef3b5dad0ac29e3e9285c08b65e5f3f
Opcode Fuzzy Hash: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
Instruction Fuzzy Hash: 4A41D532E002049FEB24DF79C881A5EB3A5EF89718F15856EE915EB341DB35EE01CB84

Function 0044E13B Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0044E144
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E167

Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E18D
_free.LIBCMT ref: 0044E1A0
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1AF

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 1c337325f04e7d1350835243513ef37ea9cf72bd865eed212f137dea6565717b
Instruction ID: 38685928f53d0fdec7f9771a1fbcf5508afe04d06d5fe5a1692e2fd93afee85f
Opcode Fuzzy Hash: 1c337325f04e7d1350835243513ef37ea9cf72bd865eed212f137dea6565717b
Instruction Fuzzy Hash: 8201B1726417117F73215ABB6C8CC7B6A6DEEC2BA2315013ABD04D6201DA788C0291B9

Function 0044F79D Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044F7B5

Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED

_free.LIBCMT ref: 0044F7C7
_free.LIBCMT ref: 0044F7D9
_free.LIBCMT ref: 0044F7EB
_free.LIBCMT ref: 0044F7FD

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
Instruction ID: 78b16e2cd2bc6e4547488c8f4e3d182d22cf8911186b8f77a4a783cd10448158
Opcode Fuzzy Hash: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
Instruction Fuzzy Hash: 9AF01232505600BBE620EB59E8C5C1773E9EB827147A9482BF408F7641CB3DFCC48A6C

Function 004432E7 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00443305

Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED

_free.LIBCMT ref: 00443317
_free.LIBCMT ref: 0044332A
_free.LIBCMT ref: 0044333B
_free.LIBCMT ref: 0044334C

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
Instruction ID: 76e6a482bc9a1727a28655d1f271e5fc3ecde01143ea680422932a64b095765e
Opcode Fuzzy Hash: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
Instruction Fuzzy Hash: B9F05EF08075209FAB12AF2DBD014893BA0B786755306413BF41EB2772EB380D95DB8E

Function 00416751 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 182threadwindowCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(?,?), ref: 00416768
GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
IsWindowVisible.USER32(?), ref: 004167A1

Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8

Strings

(FG, xrefs: 0041692A

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: ProcessWindow$Open$TextThreadVisible
String ID: (FG
API String ID: 3142014140-2273637114
Opcode ID: c7140c968b57e192add68dc6676992042de4a480ef872d90ee77a690e46fad53
Instruction ID: 6337817d5adb2ff800b6fe7f9081d1b6a06097940366009b721c4d78a1625a25
Opcode Fuzzy Hash: c7140c968b57e192add68dc6676992042de4a480ef872d90ee77a690e46fad53
Instruction Fuzzy Hash: FD71E6321082414AC325FB61D8A5ADFB3E4AFE4319F50453EF58A530E1EF746A49C79A

Function 004095D6 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 158COMMON

Download Yara Rule

APIs

GetKeyboardLayoutNameA.USER32(?), ref: 00409601

Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212

Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5

Part of subcall function 0041B6AA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6BF

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Strings

`AG, xrefs: 00409676
XCG, xrefs: 0040962C
>G, xrefs: 00409657

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: CreateFileKeyboardLayoutNameconnectsendsocket
String ID: XCG$`AG$>G
API String ID: 2334542088-2372832151
Opcode ID: 57430c91427567827473bab5627dcff1f7b98a8ead265141081511e002c0e5a5
Instruction ID: 7adbea44916697806613a62f0197ef330eb15d5bc584e2d7fa9685cab7613629
Opcode Fuzzy Hash: 57430c91427567827473bab5627dcff1f7b98a8ead265141081511e002c0e5a5
Instruction Fuzzy Hash: 865143321042405BC325F775D8A2AEF73D5AFE4308F50483FF84A671E2EE785949C69A

Function 004426D4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\defenderupdate.exe,00000104), ref: 00442714
_free.LIBCMT ref: 004427DF
_free.LIBCMT ref: 004427E9

Strings

C:\Users\user\AppData\Roaming\defenderupdate.exe, xrefs: 0044270B, 00442712, 00442741, 00442779

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Roaming\defenderupdate.exe
API String ID: 2506810119-650212251
Opcode ID: 037ffcd8ae4620a35ea0d85ea656a28a2901847f16e257e4da60b9a7372ecd68
Instruction ID: 3cff5717343a4e3a710d875500e96c622d597d45f5ef159119de948e6b6562f0
Opcode Fuzzy Hash: 037ffcd8ae4620a35ea0d85ea656a28a2901847f16e257e4da60b9a7372ecd68
Instruction Fuzzy Hash: 3E31B371A00218AFEB21DF9ADD81D9EBBFCEB85314F54406BF804A7311D6B88E41DB59

Function 00403A10 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 92sleepCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A

Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,00403A40), ref: 0041AB5F

Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5

Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633

Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC

Strings

/sort "Visit Time" /stext ", xrefs: 00403A76
8>G, xrefs: 00403A5B

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
String ID: /sort "Visit Time" /stext "$8>G
API String ID: 368326130-2663660666
Opcode ID: 1a768b4e587f7e37ad4e89c2dbfac3ccd6e7f3946661fbe69184ab2adc4031be
Instruction ID: 7eda923cdb9144c2d3fbd791e6ccfb72172be11f11f2a08a3aebfaec1b2861d2
Opcode Fuzzy Hash: 1a768b4e587f7e37ad4e89c2dbfac3ccd6e7f3946661fbe69184ab2adc4031be
Instruction Fuzzy Hash: E5317331A0021456CB14FBB6DC969EE7775AF90318F40017FF906B71D2EF385A8ACA99

Function 0040C580 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 0041B58F: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041B6A5,00000000,00000000,00000000), ref: 0041B5CE

ShellExecuteW.SHELL32(?,open,00000000), ref: 0040C632
ExitProcess.KERNEL32 ref: 0040C63E

Strings

open, xrefs: 0040C62C
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040C5E1

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: CreateExecuteExitFileProcessShell
String ID: fso.DeleteFile(Wscript.ScriptFullName)$open
API String ID: 2309964880-3562070623
Opcode ID: 2f0c58e4ececc8c02d5b25f260c6243bbcd4e4e86e0679598fae02edbeb9a997
Instruction ID: 568fed376c07edf90cd2df9b8610832c68d616ac56d6d0e00b2c9eff25916ff3
Opcode Fuzzy Hash: 2f0c58e4ececc8c02d5b25f260c6243bbcd4e4e86e0679598fae02edbeb9a997
Instruction Fuzzy Hash: 692145315042405AC324FB25E8969BF77E4AFD1319F50493FF482620F2EF38AA49C69A

Function 004098A5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,004099A9,004740F8,00000000,00000000), ref: 0040992A
CreateThread.KERNEL32(00000000,00000000,00409993,004740F8,00000000,00000000), ref: 0040993A
CreateThread.KERNEL32(00000000,00000000,004099B5,004740F8,00000000,00000000), ref: 00409946

Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905

Strings

Offline Keylogger Started, xrefs: 004098C7, 004098CE, 004098FB

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTimewsprintf
String ID: Offline Keylogger Started
API String ID: 465354869-4114347211
Opcode ID: 0185d7c11a47f4d1cc67a4ecd2b8329abf3b52d4ddc89e50534bed34fd3ab50c
Instruction ID: 73cd13916ef890eca76c0e29a3751801184202c96e3ca0ae9416a03768ca9078
Opcode Fuzzy Hash: 0185d7c11a47f4d1cc67a4ecd2b8329abf3b52d4ddc89e50534bed34fd3ab50c
Instruction Fuzzy Hash: CF11ABB15003097AD220BA36DC87CBF765CDA813A8B40053EF845225D3EA785E54C6FB

Function 0040A611 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905

Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0

CreateThread.KERNEL32(00000000,00000000,00409993,?,00000000,00000000), ref: 0040A691
CreateThread.KERNEL32(00000000,00000000,004099B5,?,00000000,00000000), ref: 0040A69D
CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9

Strings

Online Keylogger Started, xrefs: 0040A626, 0040A62F, 0040A659

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTime$wsprintf
String ID: Online Keylogger Started
API String ID: 112202259-1258561607
Opcode ID: 0ab913a718ddbccfb03f45b8536d2eca94befdef1450a1bc42c59ede1cf71113
Instruction ID: 3917ec9fcb61ff418b23047d8298326e5ff7fd14d64f683336ff9c65b5464130
Opcode Fuzzy Hash: 0ab913a718ddbccfb03f45b8536d2eca94befdef1450a1bc42c59ede1cf71113
Instruction Fuzzy Hash: DE01C4916003093AE62076368C87DBF3A6DCA813A8F40043EF541362C3E97D5D5582FB

Function 0044AA73 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A991,`@,0046DD28,0000000C), ref: 0044AAC9
GetLastError.KERNEL32(?,0044A991,`@,0046DD28,0000000C), ref: 0044AAD3
__dosmaperr.LIBCMT ref: 0044AAFE

Strings

`@, xrefs: 0044AA78

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID: `@
API String ID: 2583163307-951712118
Opcode ID: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
Instruction ID: 1bd3c876d7044edfb1a6812000b34c32b622226010ed5631802de8abdb52b33d
Opcode Fuzzy Hash: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
Instruction Fuzzy Hash: F8018E366446201AF7206674698577F77898B82738F2A027FF904972D2DE6DCCC5C19F

Function 00404915 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60timethreadCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00404946
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404994
CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 004049A7

Strings

KeepAlive | Enabled | Timeout: , xrefs: 0040495C

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: Create$EventLocalThreadTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 2532271599-1507639952
Opcode ID: 039a83a3673151248ce1c058b5ed99207d7e0ff837a33c13ebd59ef1524b6346
Instruction ID: c7daaf492e0cec12b0841424890a61be8e5b61f5a3177df3d8f4b9063cedc03f
Opcode Fuzzy Hash: 039a83a3673151248ce1c058b5ed99207d7e0ff837a33c13ebd59ef1524b6346
Instruction Fuzzy Hash: 38113AB19042547AC710A7BA8C49BCB7F9C9F86364F00407BF40462192C7789845CBFA

Function 00404B29 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7

Strings

Connection Timeout, xrefs: 00404B66

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: CloseEventHandleObjectSingleWait
String ID: Connection Timeout
API String ID: 2055531096-499159329
Opcode ID: a97e81c914b9350505812461b63a63b2fd2cd8a093a8b12f04dedae0d79932b3
Instruction ID: ea4abd021a31a941d528121f8d879e106695b0b6a7a7fd2d86c7f06b9a048df4
Opcode Fuzzy Hash: a97e81c914b9350505812461b63a63b2fd2cd8a093a8b12f04dedae0d79932b3
Instruction Fuzzy Hash: 7A01F5B1940B41AFD325BB3A9C4645ABBE4AB45315700053FF6D392BB1DA38E8408B5A

Function 00412774 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041277F
RegSetValueExW.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004742E0,74DF37E0,?), ref: 004127AD
RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,004742E0,74DF37E0,?,?,?,?,?,0040BE18,?,00000000), ref: 004127B8

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0041277D

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
API String ID: 1818849710-1051519024
Opcode ID: f3f4d92ea395f83514c7fc898d5ccc6e166341d4c45edfed3dd661c905dadffd
Instruction ID: fff2d7bcc465bc574364a4979b4b77ba115ffea085319746951fe37a0eeb78e5
Opcode Fuzzy Hash: f3f4d92ea395f83514c7fc898d5ccc6e166341d4c45edfed3dd661c905dadffd
Instruction Fuzzy Hash: 9FF0CD31500218BBDF109FA0ED46EEF37ACAB40B50F104539F902A60A1E675DB14DAA4

Function 004126D2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004655B0), ref: 004126E1
RegSetValueExA.ADVAPI32(004655B0,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041BC46,WallpaperStyle,004655B0,00000001,00473EE8,00000000), ref: 00412709
RegCloseKey.ADVAPI32(004655B0,?,?,0041BC46,WallpaperStyle,004655B0,00000001,00473EE8,00000000,?,004079DD,00000001), ref: 00412714

Strings

Control Panel\Desktop, xrefs: 004126DB, 004126EB

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: Control Panel\Desktop
API String ID: 1818849710-27424756
Opcode ID: 3aedce82be745f7a8d31741b6ddf3b86529f340df0cdc46c1cf573c60441b443
Instruction ID: d7c223529d0a909ac1d5b5cf1be9cbd74eb10d05c00374dbcf2eb8abb0eb8976
Opcode Fuzzy Hash: 3aedce82be745f7a8d31741b6ddf3b86529f340df0cdc46c1cf573c60441b443
Instruction Fuzzy Hash: 98F09032040104FBCB019FA0ED55EEF37ACEF04751F108139FD06A61A1EA75DE04EA94

Function 004127D5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809

Strings

TUF, xrefs: 004127D9, 004127FB, 004127DC

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: TUF
API String ID: 1818849710-3431404234
Opcode ID: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
Instruction ID: 4d8f19d4f5fba69279ea975c705bdc3302fb28fe13ea63ccb444db4f968143a5
Opcode Fuzzy Hash: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
Instruction Fuzzy Hash: 8DE03071540204BFEF115B909C05FDB3BA8EB05B95F004161FA05F6191D271CE14D7A4

Function 004151B2 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4

Strings

open, xrefs: 004151EE
/C , xrefs: 004151D2
cmd.exe, xrefs: 004151E9

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: /C $cmd.exe$open
API String ID: 587946157-3896048727
Opcode ID: b29912c7ec69b7e063321f84cff0ad8ed8559f61d9423d2534ea1fccbc267807
Instruction ID: 3ae8c2b06d9b1922b9065f49b1512f2a4b1b87a12dccb2265ed1bd098505db2c
Opcode Fuzzy Hash: b29912c7ec69b7e063321f84cff0ad8ed8559f61d9423d2534ea1fccbc267807
Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E

Function 00401430 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0040143A
GetProcAddress.KERNEL32(00000000), ref: 00401441

Strings

GetCursorInfo, xrefs: 00401430
User32.dll, xrefs: 00401435

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetCursorInfo$User32.dll
API String ID: 1646373207-2714051624
Opcode ID: f39e1638c21b7beb4c7105e5daed03b820dcbd0345c10e5d325762a4e30a7452
Instruction ID: fea3bfcfa5ad703f85b7dd8d5f3eac54d033561bc9bd2fc33d3800e380b32b62
Opcode Fuzzy Hash: f39e1638c21b7beb4c7105e5daed03b820dcbd0345c10e5d325762a4e30a7452
Instruction Fuzzy Hash: 51B092B868A3059BC7306BE0BD0EA093B24EA44703B1000B2F087C12A1EB7880809A6E

Function 004014D5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014DF
GetProcAddress.KERNEL32(00000000), ref: 004014E6

Strings

User32.dll, xrefs: 004014DA
GetLastInputInfo, xrefs: 004014D5

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: GetLastInputInfo$User32.dll
API String ID: 2574300362-1519888992
Opcode ID: 3fc7b1db73b7af1b2a271cc819159fe1e403f0356e3f7920f37c5b1d7d3a7c56
Instruction ID: 425bdc246283df71b7ad83aa0519e38d385401eab2b134f4ae8d574857069069
Opcode Fuzzy Hash: 3fc7b1db73b7af1b2a271cc819159fe1e403f0356e3f7920f37c5b1d7d3a7c56
Instruction Fuzzy Hash: D7B092B85843849BC7202BE0BC0DA297BA4FA48B43720447AF406D11A1EB7881809F6F

Function 00441A81 Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b4993e58d5b3b7c0490c3bd99df1984d1f8f515a64746adb67fb48e1b339b7f
Instruction ID: 90b3d0a8f148eb65ba096d855dd205fb67a40d318d5acb0a54968c3478788488
Opcode Fuzzy Hash: 9b4993e58d5b3b7c0490c3bd99df1984d1f8f515a64746adb67fb48e1b339b7f
Instruction Fuzzy Hash: 10412B71A00744AFF724AF78CC41B6ABBE8EF88714F10452FF511DB291E679A9458788

Function 00404688 Relevance: 6.1, APIs: 4, Instructions: 121synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID:
API String ID: 3360349984-0
Opcode ID: e7efdc3c20157fe016eb29e5a130d6f8c33beeccd37b3f6c9988191ed4582187
Instruction ID: f4983b6e647f91c6eb1a16b69ab68a2f9d5597509a23169db7b615edd0c6cdea
Opcode Fuzzy Hash: e7efdc3c20157fe016eb29e5a130d6f8c33beeccd37b3f6c9988191ed4582187
Instruction Fuzzy Hash: 34417171508301ABC700FB61CC55D7FB7E9AFD5315F00093EF892A32E2EA389909866A

Function 0040B806 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 103sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 0040B81B
Sleep.KERNEL32(00001388), ref: 0040B8A3

Strings

Cleared browsers logins and cookies., xrefs: 0040B8EF
[Cleared browsers logins and cookies.], xrefs: 0040B8DE

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
API String ID: 3472027048-1236744412
Opcode ID: c1d9957bbb0b6ffbc53675b18bda7a9e9a83474d3c872a81f0d626b3d463543d
Instruction ID: 8ec9c8031b8ac0664cfb8a22ca307bf710261ddd843e88104a77dac6ce00e7b7
Opcode Fuzzy Hash: c1d9957bbb0b6ffbc53675b18bda7a9e9a83474d3c872a81f0d626b3d463543d
Instruction Fuzzy Hash: FA31891564C3816ACA11777514167EB6F958A93754F0884BFF8C4273E3DB7A480893EF

Function 00411524 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 93sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00412679
Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00412692
Part of subcall function 0041265D: RegCloseKey.ADVAPI32(?), ref: 0041269D

Sleep.KERNEL32(00000BB8), ref: 004115C3

Strings

BG, xrefs: 00411539
@CG, xrefs: 00411547
exepath, xrefs: 0041154C, 0041158C, 0041160D

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: CloseOpenQuerySleepValue
String ID: @CG$exepath$BG
API String ID: 4119054056-3221201242
Opcode ID: bf5574a8b4d2f3dae16cf885c7a16fb18bb29924f8325a853eaea5d7e5cb2135
Instruction ID: 48aadeccb903c06d46a934e3c92f1fe58b0119fffb77d403c20537554d94cb98
Opcode Fuzzy Hash: bf5574a8b4d2f3dae16cf885c7a16fb18bb29924f8325a853eaea5d7e5cb2135
Instruction Fuzzy Hash: C721F4A0B002042BD614B77A6C06ABF724E8BD1308F00457FBD4AA72D3DE7D9D4581AD

Function 00409C4B Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 71sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B6E6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B6F6
Part of subcall function 0041B6E6: GetWindowTextLengthW.USER32(00000000), ref: 0041B6FF
Part of subcall function 0041B6E6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B729

Sleep.KERNEL32(000001F4), ref: 00409C95
Sleep.KERNEL32(00000064), ref: 00409D1F

Strings

[ , xrefs: 00409CB1
], xrefs: 00409C9D

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: Window$SleepText$ForegroundLength
String ID: [ $ ]
API String ID: 3309952895-93608704
Opcode ID: f97a645a0d2da22bcac442ef33f0edb303259d95a1ef08cf99aa338e08c2de75
Instruction ID: a5f4dc9a3e016f43683dc3f70dfd76a68f9d753ffdb665cb1c6be196efeb7d0c
Opcode Fuzzy Hash: f97a645a0d2da22bcac442ef33f0edb303259d95a1ef08cf99aa338e08c2de75
Instruction Fuzzy Hash: 4611C0325082005BD218FB25DC17AAEB7A8AF51708F40047FF542221E3EF39AE1986DF

Function 0041B58F Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041B6A5,00000000,00000000,00000000), ref: 0041B5CE
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5EB
WriteFile.KERNEL32(00000000,00000000,00000000,004061FD,00000000,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5FF
CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B60C

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID:
API String ID: 3604237281-0
Opcode ID: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
Instruction ID: 083799f3d1f95ebfb1fb2bbe8bc155d348f6fb5eb74ded268dd94cd43ec1eb57
Opcode Fuzzy Hash: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
Instruction Fuzzy Hash: 7501F5712092157FE6104F28AC89EBB739EEB86379F10063AF552C22C0D725CD8586BE

Function 004380F5 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0043810F

Part of subcall function 0043805C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043808B
Part of subcall function 0043805C: ___AdjustPointer.LIBCMT ref: 004380A6

_UnwindNestedFrames.LIBCMT ref: 00438124
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438135
CallCatchBlock.LIBVCRUNTIME ref: 0043815D

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
Instruction ID: 9a8277e88b86f5caaa8344fd0510e130f37262ecddc885b6c63592dc4fca678f
Opcode Fuzzy Hash: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
Instruction Fuzzy Hash: 09014032100208BBDF126E96CC45DEB7B69EF4C758F04500DFE4866121C739E861DBA8

Function 0041B61A Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B647
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B66C
CloseHandle.KERNEL32(00000000,?,00000000,00403AF3,00465324), ref: 0041B67A

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
Instruction ID: 0a6fce4b3becde4f67ebc64a516323d43c368a538d14007d95c0a1c89629aad3
Opcode Fuzzy Hash: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
Instruction Fuzzy Hash: B3F0F6B12053047FE6101B25FC85FBF375CDB867A5F00023EFC01A22D1DA658C459179

Function 0041850C Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000004C), ref: 00418519
GetSystemMetrics.USER32(0000004D), ref: 0041851F
GetSystemMetrics.USER32(0000004E), ref: 00418525
GetSystemMetrics.USER32(0000004F), ref: 0041852B

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
Instruction ID: 928f1b056b10b768f566869b0c9e39fed015f0adb742d9b99f9daccd71f82e50
Opcode Fuzzy Hash: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
Instruction Fuzzy Hash: 96F0D672B043216BCA00EA798C4556FBB97DFD02A4F25083FE6059B341DEB8EC4687D9

Function 0041B37D Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3D3
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3DB

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: CloseHandleOpenProcess
String ID:
API String ID: 39102293-0
Opcode ID: 51a17e5294b38f17d5f3a71b1001121c929f89ba237b4680bf25dfaaaa51ef0d
Instruction ID: bb9aee54fd4b55ef2446b45ef4d52834339351c189d8e7c886657dc3bd6b5f1d
Opcode Fuzzy Hash: 51a17e5294b38f17d5f3a71b1001121c929f89ba237b4680bf25dfaaaa51ef0d
Instruction Fuzzy Hash: 2FF04971204209ABD3106754AC4AFA7B27CDB40B96F000037FA61D22A1FFB4CCC146AE

Function 00414B9B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00414BC0
GetTickCount.KERNEL32 ref: 00414C3C

Strings

>G, xrefs: 00414BEF

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: CountEventTick
String ID: >G
API String ID: 180926312-1296849874
Opcode ID: b0b89bb9bd8beed4b151c2787d9a90afc158e6c87396da72b4235c54ae8532de
Instruction ID: d5b3ec7783a4dd7183bbf31121b5a8e130ff38f85bff4fd723ced1f164cd3d8d
Opcode Fuzzy Hash: b0b89bb9bd8beed4b151c2787d9a90afc158e6c87396da72b4235c54ae8532de
Instruction Fuzzy Hash: 1A5170315042409AC624FB71D8A2AEF73A5AFD1314F40853FF94A671E2EF389949C69A

Function 0044DB34 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB59

Strings

, xrefs: 0044DB9E
fD, xrefs: 0044DB4B

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: Info
String ID: $fD
API String ID: 1807457897-3092946448
Opcode ID: 5a1be195421d57dadb90a7404d285975d7b8ac1b4122976fa75ce4288470c48d
Instruction ID: 070357306f4c5095a08430c9ceac02bf5c2973ae7142a422f036c1757655e3b4
Opcode Fuzzy Hash: 5a1be195421d57dadb90a7404d285975d7b8ac1b4122976fa75ce4288470c48d
Instruction Fuzzy Hash: C241FA7090439C9AEB218F24CCC4BF6BBB9DF45308F1404EEE59A87242D279AE45DF65

Function 004508DE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002), ref: 004509B9

Strings

ACP, xrefs: 004508FC
OCP, xrefs: 00450932

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
Instruction ID: 7e3e8aaac6bfe0b7539266298c93f9b0706a3ab6a9e9f394231f134d2b8bf5b7
Opcode Fuzzy Hash: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
Instruction Fuzzy Hash: 072138EAA04201A6F7348B558801B9B7396AF54B23F164826EC49D730BF739DD49C358

Function 004049BA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1

Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0

GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E

Strings

KeepAlive | Enabled | Timeout: , xrefs: 004049E5

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 481472006-1507639952
Opcode ID: 4fbf8cc4982cbc942d3db3f2afc9c4eacdcd9657b35503fb3d66e7a76927aef2
Instruction ID: fa495feba5854bec2644a8330ceabc5ae1d4c14ac10d4033695aa89a80f4fa5c
Opcode Fuzzy Hash: 4fbf8cc4982cbc942d3db3f2afc9c4eacdcd9657b35503fb3d66e7a76927aef2
Instruction Fuzzy Hash: 5A2126A1A042806BC310FB6AD80A76B7B9497D1319F44407EF849532E2DB3C5999CB9F

Function 0041A686 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00000000), ref: 0041A6A0

Strings

%02i:%02i:%02i:%03i , xrefs: 0041A6B5
| , xrefs: 0041A6D3

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: | $%02i:%02i:%02i:%03i
API String ID: 481472006-2430845779
Opcode ID: 49072da793dd1067c8c4d4b952bdc095bcf71ad5a1237c39b773f575b27685be
Instruction ID: d205b4ebe2adc0156a37935a73d605e8b5d9817e81284f53efab16a15aec7ece
Opcode Fuzzy Hash: 49072da793dd1067c8c4d4b952bdc095bcf71ad5a1237c39b773f575b27685be
Instruction Fuzzy Hash: 80114C725082045AC704EBA5D8568AF73E8AB94708F10053FFC85931E1EF38DA84C69E

Function 0040A767 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905

Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0

CloseHandle.KERNEL32(?), ref: 0040A7CA
UnhookWindowsHookEx.USER32 ref: 0040A7DD

Strings

Online Keylogger Stopped, xrefs: 0040A777, 0040A77F, 0040A7A6

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
String ID: Online Keylogger Stopped
API String ID: 1623830855-1496645233
Opcode ID: a471bc76fffd1fbac32a3585e4c4fab67e2de2ee53134a9f9046e82175b62acd
Instruction ID: 3c154674506c802d119dc10506b29c5389a087cae46ba36945c53301bfe6088f
Opcode Fuzzy Hash: a471bc76fffd1fbac32a3585e4c4fab67e2de2ee53134a9f9046e82175b62acd
Instruction Fuzzy Hash: CC01D431A043019BDB25BB35C80B7AEBBB59B45315F80407FE481225D2EB7999A6C3DB

Function 004016E8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

waveInPrepareHeader.WINMM(?,00000020,?,?,00000000,00475B70,00473EE8,?,00000000,00401913), ref: 00401747
waveInAddBuffer.WINMM(?,00000020,?,00000000,00401913), ref: 0040175D

Strings

T=G, xrefs: 004016F6

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: wave$BufferHeaderPrepare
String ID: T=G
API String ID: 2315374483-379896819
Opcode ID: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
Instruction ID: f8644d152c35c587af506687758c025c54344a6e575747702fe1289d7b8da532
Opcode Fuzzy Hash: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
Instruction Fuzzy Hash: 65018B71301300AFD7209F39EC45A69BBA9EB4931AF01413EB808D32B1EB34A8509B98

Function 00447790 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

IsValidLocale.KERNEL32(00000000,j=D,00000000,00000001,?,?,00443D6A,?,?,?,?,00000004), ref: 004477DC

Strings

j=D, xrefs: 004477D3, 004477C0
IsValidLocaleName, xrefs: 004477A1, 004477AB

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: LocaleValid
String ID: IsValidLocaleName$j=D
API String ID: 1901932003-3128777819
Opcode ID: 724f10c09d6576eb41aa8f51452c5d432ff136580ab4b9325f7f83eb90576703
Instruction ID: d075984350fdfa8650c9f53b231b8a0b142c4dacf6ed37e79753978632a381d4
Opcode Fuzzy Hash: 724f10c09d6576eb41aa8f51452c5d432ff136580ab4b9325f7f83eb90576703
Instruction Fuzzy Hash: B7F0E930A45218F7EA116B61DC06F5EBB54CF49B11F50407AFD056A293CB796D0195DC

Function 00448803 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00448825

Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED

Strings

`@, xrefs: 00448808
`@, xrefs: 00448809

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: ErrorFreeHeapLast_free
String ID: `@$`@
API String ID: 1353095263-20545824
Opcode ID: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
Instruction ID: 46705ffcfacdd7a720b29fb61e5cb4af2d59a6418439a2947ca99394172970e0
Opcode Fuzzy Hash: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
Instruction Fuzzy Hash: B9E06D761006059F8720DE6DD400A86B7E4EF95360320852AE89DE3310DB32E812CB40

Function 0041297A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00000002,00000000,80000001,J@4fF,00412951,00000000,00000000,J@4fF,?,00000000), ref: 00412988
RegDeleteValueW.ADVAPI32(00000000,?,?,00000000), ref: 00412998

Strings

J@4fF, xrefs: 0041297A

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: DeleteOpenValue
String ID: J@4fF
API String ID: 2654517830-1060276034
Opcode ID: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
Instruction ID: 4813e9247c8a4fa7715124fbb4df20ddc3d96ddce1d5e270e7c0f337b45b5704
Opcode Fuzzy Hash: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
Instruction Fuzzy Hash: 0AE01270310304BFEF104F61ED06FDB37ACBB80B89F004165F505E5191E2B5DD54A658

Function 0043FA5E Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FAF4
GetLastError.KERNEL32 ref: 0043FB02
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB5D

Memory Dump Source

Source File: 00000009.00000002.2164473924.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_defenderupdate.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 3f0ff04a5dcf7e8fd5b137fcdb20dceab511bd439b95d46b3d550210e9ecb368
Instruction ID: ecac45699e256c48587d6f27f66036641a8fb520bb473c9b2adecd150689d728
Opcode Fuzzy Hash: 3f0ff04a5dcf7e8fd5b137fcdb20dceab511bd439b95d46b3d550210e9ecb368
Instruction Fuzzy Hash: 65414871E00206AFCF258F65C854ABBFBA4EF09310F1451BAF858973A1DB38AD09C759

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report eBHn6qHPLz.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\json[1].json

C:\Users\user\AppData\Local\Temp\Setup Log 2024-11-24 #001.txt

C:\Users\user\AppData\Local\Temp\is-252SN.tmp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).tmp

C:\Users\user\AppData\Local\Temp\is-MG2J6.tmp\_isetup\_setup64.tmp

C:\Users\user\AppData\Local\Temp\setup_s.t.a.l.k.e.r._2_heart_of_chornobyl_436_(77912).exe

Windows Analysis Report
eBHn6qHPLz.exe

Function 04C0A368 Relevance: 3.1, Strings: 2, Instructions: 617
COMMON

Function 04B99D2F Relevance: 2.8, Strings: 2, Instructions: 333
COMMON

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre