Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1565512
MD5:	0f325c99b7b2585a266cf50d88f134c8
SHA1:	160551d6e6f35ab8ab7401aec1b8adc0bea94ebc
SHA256:	7851c601871d56b8db41856e6dfb518f35332b5f59153fd960ba0a0e7d1a44d2
Tags:	exeuser-Bitsight
Infos:

Detection

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

AI detected suspicious sample

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to call native functions

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

One or more processes crash

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 2312 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 0F325C99B7B2585A266CF50D88F134C8)

AppLaunch.exe (PID: 4080 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" MD5: 89D41E1CF478A3D3C2C701A27A5692B2)

WerFault.exe (PID: 3332 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1148 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1680295927.00000000058A0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1660234081.0000000002619000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: file.exe PID: 2312	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: file.exe PID: 2312	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: AppLaunch.exe PID: 4080	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.file.exe.58a0000.3.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: file.exe	ReversingLabs: Detection: 15%
Source: file.exe	Virustotal: Detection: 19%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbrNv source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: oC:\Windows\Microsoft.NET\Framework\v4.0.30319\applaunch.pdbx source: AppLaunch.exe, 00000001.00000002.2909855431.00000000005E8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004CEA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: file.exe, 00000000.00000002.1680721486.00000000059B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: file.exe, 00000000.00000002.1680721486.00000000059B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D34000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: file.exe, 00000000.00000002.1680588817.0000000005960000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\applaunch.pdb]qnS* source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D6A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: file.exe, 00000000.00000002.1680588817.0000000005960000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D6A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ^symbols\exe\applaunch.pdb source: AppLaunch.exe, 00000001.00000002.2909855431.00000000005E8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: o.pdb source: AppLaunch.exe, 00000001.00000002.2909855431.00000000005E8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdblZ source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D34000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004CEA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: IL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: AppLaunch.exe, 00000001.00000002.2914980573.0000000009330000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: %%.pdb source: AppLaunch.exe, 00000001.00000002.2909855431.00000000005E8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\applaunch.pdb source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D34000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\applaunch.pdb source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D34000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000001.00000002.2910684393.0000000004CEA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\applaunch.pdb]q6 source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D6A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D34000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: applaunch.pdblaunch.pdbpdbnch.pdb.0.30319\applaunch.pdb source: AppLaunch.exe, 00000001.00000002.2909855431.00000000005E8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D6A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n4C:\Windows\applaunch.pdbA source: AppLaunch.exe, 00000001.00000002.2909855431.00000000005E8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\applaunch.pdbdb source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D34000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: applaunch.pdb source: AppLaunch.exe, 00000001.00000002.2909855431.00000000005E8000.00000004.00000010.00020000.00000000.sdmp, AppLaunch.exe, 00000001.00000002.2910684393.0000000004D34000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000001.00000002.2910684393.0000000004CEA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\applaunch.pdbpdbnch.pdbXp source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D34000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdbt source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D6A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\applaunch.pdbfo source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D93000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe, 00000000.00000002.1660234081.0000000002619000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: file.exe, 00000000.00000002.1680588817.0000000005960000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: file.exe, 00000000.00000002.1680588817.0000000005960000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: file.exe, 00000000.00000002.1680588817.0000000005960000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: file.exe, 00000000.00000002.1680588817.0000000005960000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: file.exe, 00000000.00000002.1680588817.0000000005960000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.1660234081.0000000002619000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: file.exe, 00000000.00000002.1680588817.0000000005960000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

System Summary

.NET source code contains very large array initializations

Source: 0.2.file.exe.3a76240.0.raw.unpack, FieldCalculator.cs

Large array initialization: ValidateIntegratedCalculator: array initializer size 361008

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05B98F98 NtResumeThread,	0_2_05B98F98
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05B96E50 NtProtectVirtualMemory,	0_2_05B96E50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05B98F90 NtResumeThread,	0_2_05B98F90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05B96E48 NtProtectVirtualMemory,	0_2_05B96E48

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0257CB3C	0_2_0257CB3C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0257F3B8	0_2_0257F3B8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0257F3A8	0_2_0257F3A8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05A20007	0_2_05A20007
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05A20040	0_2_05A20040
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05B93570	0_2_05B93570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05B96BC8	0_2_05B96BC8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05B93560	0_2_05B93560
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05B96BB9	0_2_05B96BB9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05CAE7F0	0_2_05CAE7F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05CADD70	0_2_05CADD70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05C90040	0_2_05C90040
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05C90006	0_2_05C90006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 1_2_04B61580	1_2_04B61580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 1_2_04B648F0	1_2_04B648F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 1_2_04B61580	1_2_04B61580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 1_2_04B64900	1_2_04B64900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 1_2_04B612F8	1_2_04B612F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 1_2_04B612E8	1_2_04B612E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 1_2_04B63FA8	1_2_04B63FA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 1_2_04B63F3F	1_2_04B63F3F

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1148

Source: file.exe, 00000000.00000002.1659447623.000000000078E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000002.1660234081.0000000002AA4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTniqh.exe" vs file.exe
Source: file.exe, 00000000.00000002.1680721486.00000000059B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs file.exe
Source: file.exe, 00000000.00000000.1650998732.0000000000332000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamez1.exez- vs file.exe
Source: file.exe, 00000000.00000002.1680588817.0000000005960000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs file.exe
Source: file.exe, 00000000.00000002.1660234081.00000000025A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000002.1679440484.0000000005740000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLajlcgecf.dll" vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenamez1.exez- vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe, Fjbpzvxmnsr.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.file.exe.3a76240.0.raw.unpack, FieldCalculator.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.3a76240.0.raw.unpack, FilteredInspector.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.3a76240.0.raw.unpack, FilteredInspector.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.AppLaunch.exe.7ca5aa0.3.raw.unpack, l1mI9VWxRGlEZlS2FR7.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.AppLaunch.exe.7ca5aa0.3.raw.unpack, l1mI9VWxRGlEZlS2FR7.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.AppLaunch.exe.7ca5aa0.3.raw.unpack, l1mI9VWxRGlEZlS2FR7.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.AppLaunch.exe.7d45ac0.4.raw.unpack, l1mI9VWxRGlEZlS2FR7.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.AppLaunch.exe.7d45ac0.4.raw.unpack, l1mI9VWxRGlEZlS2FR7.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.AppLaunch.exe.7d45ac0.4.raw.unpack, l1mI9VWxRGlEZlS2FR7.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.file.exe.59b0000.5.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.file.exe.59b0000.5.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.file.exe.59b0000.5.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.file.exe.59b0000.5.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'

Source: 0.2.file.exe.59b0000.5.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.59b0000.5.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.file.exe.59b0000.5.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.file.exe.59b0000.5.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.file.exe.59b0000.5.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.file.exe.59b0000.5.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)

Source: classification engine

Classification label: mal96.evad.winEXE@4/0@0/0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3332:64:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\040cfe38-ff78-4976-89f4-70185a321158

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe	ReversingLabs: Detection: 15%
Source: file.exe	Virustotal: Detection: 19%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1148
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: file.exe

Static file information: File size 1473536 > 1048576

Source: file.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x15ec00

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbrNv source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: oC:\Windows\Microsoft.NET\Framework\v4.0.30319\applaunch.pdbx source: AppLaunch.exe, 00000001.00000002.2909855431.00000000005E8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004CEA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: file.exe, 00000000.00000002.1680721486.00000000059B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: file.exe, 00000000.00000002.1680721486.00000000059B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D34000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: file.exe, 00000000.00000002.1680588817.0000000005960000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\applaunch.pdb]qnS* source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D6A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: file.exe, 00000000.00000002.1680588817.0000000005960000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D6A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ^symbols\exe\applaunch.pdb source: AppLaunch.exe, 00000001.00000002.2909855431.00000000005E8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: o.pdb source: AppLaunch.exe, 00000001.00000002.2909855431.00000000005E8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdblZ source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D34000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004CEA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: IL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: AppLaunch.exe, 00000001.00000002.2914980573.0000000009330000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: %%.pdb source: AppLaunch.exe, 00000001.00000002.2909855431.00000000005E8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\applaunch.pdb source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D34000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\applaunch.pdb source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D34000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000001.00000002.2910684393.0000000004CEA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\applaunch.pdb]q6 source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D6A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D34000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: applaunch.pdblaunch.pdbpdbnch.pdb.0.30319\applaunch.pdb source: AppLaunch.exe, 00000001.00000002.2909855431.00000000005E8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D6A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n4C:\Windows\applaunch.pdbA source: AppLaunch.exe, 00000001.00000002.2909855431.00000000005E8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\applaunch.pdbdb source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D34000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: applaunch.pdb source: AppLaunch.exe, 00000001.00000002.2909855431.00000000005E8000.00000004.00000010.00020000.00000000.sdmp, AppLaunch.exe, 00000001.00000002.2910684393.0000000004D34000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000001.00000002.2910684393.0000000004CEA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\applaunch.pdbpdbnch.pdbXp source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D34000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdbt source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D6A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\applaunch.pdbfo source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D93000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.file.exe.3a76240.0.raw.unpack, FilteredInspector.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 1.2.AppLaunch.exe.7ca5aa0.3.raw.unpack, l1mI9VWxRGlEZlS2FR7.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 1.2.AppLaunch.exe.7d45ac0.4.raw.unpack, l1mI9VWxRGlEZlS2FR7.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 0.2.file.exe.5960000.4.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.file.exe.5960000.4.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.file.exe.5960000.4.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.file.exe.5960000.4.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.file.exe.5960000.4.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.file.exe.3a76240.0.raw.unpack, FieldCalculator.cs	.Net Code: CalculateInterruptibleCalculator System.AppDomain.Load(byte[])
Source: 0.2.file.exe.59b0000.5.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.file.exe.59b0000.5.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.file.exe.59b0000.5.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.file.exe.58a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1680295927.00000000058A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1660234081.0000000002619000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 2312, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AppLaunch.exe PID: 4080, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0257EE82 pushad ; retf	0_2_0257EE85
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0257EE80 pushfd ; retf	0_2_0257EE81
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05C964FF push ebx; iretd	0_2_05C9650A

Source: file.exe

Static PE information: section name: .text entropy: 7.945671182559719

Source: 0.2.file.exe.5740000.2.raw.unpack, asXkdacxwMNyu0Oyerq.cs	High entropy of concatenated method names: 'NTwZu9ZRgC', 'icGyu4GKsds5wJKvHYY', 'cTCRSxGtnAXV86jeErZ', 'I6XQDo3yO8mwH4krEjW', 'uhBHhL3AmI1h0DwFiAR'
Source: 1.2.AppLaunch.exe.7ca5aa0.3.raw.unpack, l1mI9VWxRGlEZlS2FR7.cs	High entropy of concatenated method names: 'd3r12FfPlROKris5kd5', 'Dy2fgvf13Ttq9W2HyGy', 'L0ZDGctTRZ', 'vh0ry9Sq2v', 'kNxD5JF74r', 'QomDFb1AZl', 'vZqDUefvMl', 'sMFDQmmNes', 'mg9bPkQUJR', 'vEiWWHIOXA'
Source: 1.2.AppLaunch.exe.7ca5aa0.3.raw.unpack, CYZLnWjtrLQ88n28yrv.cs	High entropy of concatenated method names: 'aYCjTbU6MH', 'VM5jPV6Rm5', 'nMdj1Hch4a', 'MZ2jSj1NIh', 'vQPjr4KsGi', 'Jlgjqxc2Dh', 'hSWjYWAejI', 'pRJjmxFYGu', 'Xphj2If8pf', 'Y59jKkKT5A'
Source: 1.2.AppLaunch.exe.7ca5aa0.3.raw.unpack, d7OgCi5UloRlxyvSUa.cs	High entropy of concatenated method names: 'U8pUTTqy4', 'PaJQnjdvf', 'UMjHWePCb', 'tiMi1WRud', 'fnZ9cO576', 'SxhaciWaT', 'WF2JlGUQc', 'cQxePyr2l', 'Q2nhxl3Bw', 'vLDy2hKqqVNpvOhrSea'
Source: 1.2.AppLaunch.exe.7ca5aa0.3.raw.unpack, xJPnJRjl4fjI8X2Ou3h.cs	High entropy of concatenated method names: 'kQW1PIwwZj', 'lWm11ecZPO', 'pbb1SRVWXd', 'env1ramKIg', 'HN41qfgkgj', 'MOv1YhVkcd', 'Rkx1mrTXER', 's3SjQr0NIy', 'oYL12HIWq4', 'Fxh1Kvlx9C'
Source: 1.2.AppLaunch.exe.7ca5aa0.3.raw.unpack, ls10XCqKLD6JpYxt1c.cs	High entropy of concatenated method names: 'VfrXRxXV0', 'w64bh5hID', 'u2LEecY64', 'oR6pmFDHU', 'Q9KmqALhv', 'Hgx2MEqde', 'wNQKrxTT2', 'xHKl9IIc3', 'S19fwGV7H', 'HMTCaKRD3'
Source: 1.2.AppLaunch.exe.7d45ac0.4.raw.unpack, l1mI9VWxRGlEZlS2FR7.cs	High entropy of concatenated method names: 'd3r12FfPlROKris5kd5', 'Dy2fgvf13Ttq9W2HyGy', 'L0ZDGctTRZ', 'vh0ry9Sq2v', 'kNxD5JF74r', 'QomDFb1AZl', 'vZqDUefvMl', 'sMFDQmmNes', 'mg9bPkQUJR', 'vEiWWHIOXA'
Source: 1.2.AppLaunch.exe.7d45ac0.4.raw.unpack, CYZLnWjtrLQ88n28yrv.cs	High entropy of concatenated method names: 'aYCjTbU6MH', 'VM5jPV6Rm5', 'nMdj1Hch4a', 'MZ2jSj1NIh', 'vQPjr4KsGi', 'Jlgjqxc2Dh', 'hSWjYWAejI', 'pRJjmxFYGu', 'Xphj2If8pf', 'Y59jKkKT5A'
Source: 1.2.AppLaunch.exe.7d45ac0.4.raw.unpack, d7OgCi5UloRlxyvSUa.cs	High entropy of concatenated method names: 'U8pUTTqy4', 'PaJQnjdvf', 'UMjHWePCb', 'tiMi1WRud', 'fnZ9cO576', 'SxhaciWaT', 'WF2JlGUQc', 'cQxePyr2l', 'Q2nhxl3Bw', 'vLDy2hKqqVNpvOhrSea'
Source: 1.2.AppLaunch.exe.7d45ac0.4.raw.unpack, xJPnJRjl4fjI8X2Ou3h.cs	High entropy of concatenated method names: 'kQW1PIwwZj', 'lWm11ecZPO', 'pbb1SRVWXd', 'env1ramKIg', 'HN41qfgkgj', 'MOv1YhVkcd', 'Rkx1mrTXER', 's3SjQr0NIy', 'oYL12HIWq4', 'Fxh1Kvlx9C'
Source: 1.2.AppLaunch.exe.7d45ac0.4.raw.unpack, ls10XCqKLD6JpYxt1c.cs	High entropy of concatenated method names: 'VfrXRxXV0', 'w64bh5hID', 'u2LEecY64', 'oR6pmFDHU', 'Q9KmqALhv', 'Hgx2MEqde', 'wNQKrxTT2', 'xHKl9IIc3', 'S19fwGV7H', 'HMTCaKRD3'

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: file.exe PID: 2312, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: file.exe, 00000000.00000002.1660234081.0000000002619000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\file.exe	Memory allocated: C60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 25A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 45A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Memory allocated: 4B60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Memory allocated: 6A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Memory allocated: 67C0000 memory reserve \| memory write watch	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: file.exe, 00000000.00000002.1660234081.0000000002619000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: file.exe, 00000000.00000002.1660234081.0000000002619000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process token adjusted: Debug			Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: file.exe, GRGlInterface.cs	Reference to suspicious API methods: GetProcAddress(libGLESv2, name)
Source: 0.2.file.exe.59b0000.5.raw.unpack, NativeMethods.cs	Reference to suspicious API methods: OpenProcessToken(hProcess, desiredAccess, out var TokenHandle)
Source: 0.2.file.exe.59b0000.5.raw.unpack, ResourceReferenceValue.cs	Reference to suspicious API methods: NativeMethods.LoadLibrary(ResourceFilePath)

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 820000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 820000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 822000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 88A000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 88C000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 783008	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	211 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	111 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	211 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	22 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
file.exe	16%	ReversingLabs
file.exe	19%	Virustotal	Browse
file.exe	100%	Joe Sandbox ML

Name	Source	Malicious	Reputation
https://github.com/mgravell/protobuf-net	file.exe, 00000000.00000002.1680588817.0000000005960000.00000004.08000000.00040000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-neti	file.exe, 00000000.00000002.1680588817.0000000005960000.00000004.08000000.00040000.00000000.sdmp	false	high
https://stackoverflow.com/q/14436606/23354	file.exe, 00000000.00000002.1680588817.0000000005960000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.1660234081.0000000002619000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-netJ	file.exe, 00000000.00000002.1680588817.0000000005960000.00000004.08000000.00040000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	file.exe, 00000000.00000002.1660234081.0000000002619000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	file.exe, 00000000.00000002.1680588817.0000000005960000.00000004.08000000.00040000.00000000.sdmp	false	high
https://stackoverflow.com/q/2152978/23354	file.exe, 00000000.00000002.1680588817.0000000005960000.00000004.08000000.00040000.00000000.sdmp	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1565512
Start date and time:	2024-11-30 03:46:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal96.evad.winEXE@4/0@0/0
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 93% Number of executed functions: 59 Number of non-executed functions: 8
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target AppLaunch.exe, PID 4080 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.937162817340063
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	file.exe
File size:	1'473'536 bytes
MD5:	0f325c99b7b2585a266cf50d88f134c8
SHA1:	160551d6e6f35ab8ab7401aec1b8adc0bea94ebc
SHA256:	7851c601871d56b8db41856e6dfb518f35332b5f59153fd960ba0a0e7d1a44d2
SHA512:	c5d1f02c49bb98be16c61d91e369de31c8dd8efc19ddff702984b91daa8ffb66e0e15c3bf76ff88d2297e7534238e89fb2f7f28b22f7b21ad90c496b5c51bf12
SSDEEP:	24576:XqgOt5BhqfWXUIue3QgJaCIPwHImKimJgWbqrD4cM9BysZODGcaXBjZrGxjf6sWI:XitThqRI3btvcimJ5bEDDMSsZ4GL3rGZ
TLSH:	376512015FB8E95CC26E2FB0A1721F0597B0EBC56833CB03299A95FC6D67FD4EA01691
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....yJg................................. ... ....@.. ....................................`................................

File Icon


Icon Hash:	b269cccccecc2986

Static PE Info

General

Entrypoint:	0x560bbe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x674A79D2 [Sat Nov 30 02:34:58 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x160b64	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x162000	0x8afe	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x16c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x15ebc4	0x15ec00	4b2501a5da695c9feaa4fe1832d0d226	False	0.945622243629722	data	7.945671182559719	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x162000	0x8afe	0x8c00	eef4694180751e61da5874fcaf5b3357	False	0.35396205357142857	data	6.121827357310031	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x16c000	0xc	0x200	aa9077dba72d83e036df715fbc530b9a	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x162250	0x428	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	0.7265037593984962
RT_ICON	0x162678	0x928	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	0.5456484641638225
RT_ICON	0x162fa0	0x1028	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	0.46349129593810445
RT_ICON	0x163fc8	0x2428	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	0.36614088159031977
RT_ICON	0x1663f0	0x4028	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	0.3004140282513395
RT_ICON	0x16a418	0x28	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	0.625
RT_ICON	0x16a440	0x28	Device independent bitmap graphic, 256 x 512 x 32, image size 262144	0.575
RT_GROUP_ICON	0x16a468	0x68	data	0.6346153846153846
RT_VERSION	0x16a4d0	0x444	data	0.3727106227106227
RT_MANIFEST	0x16a914	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Target ID:	0
Start time:	21:46:54
Start date:	29/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x1d0000
File size:	1'473'536 bytes
MD5 hash:	0F325C99B7B2585A266CF50D88F134C8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1680295927.00000000058A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1660234081.0000000002619000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	21:46:55
Start date:	29/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Imagebase:	0xac0000
File size:	103'528 bytes
MD5 hash:	89D41E1CF478A3D3C2C701A27A5692B2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	21:46:55
Start date:	29/11/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1148
Imagebase:	0xd90000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.5%
Dynamic/Decrypted Code Coverage:	95.2%
Signature Coverage:	6.2%
Total number of Nodes:	145
Total number of Limit Nodes:	5

Executed Functions

Function 05B93570 Relevance: 3.1, Strings: 2, Instructions: 614
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8, xrefs: 05B9367A
fcq, xrefs: 05B9368D

Memory Dump Source

Source File: 00000000.00000002.1681035588.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b90000_file.jbxd

Similarity

API ID:
String ID: fcq$8
API String ID: 0-89531850
Opcode ID: 93c46265b01b3cd0c646cf8000f0043c297f3c84c0bb16bf2b001789785c5a5f
Instruction ID: 03696ddac66bd59070a89c67b04536a6ef46a8cfcdf155ea219ca1d8260f1d37
Opcode Fuzzy Hash: 93c46265b01b3cd0c646cf8000f0043c297f3c84c0bb16bf2b001789785c5a5f
Instruction Fuzzy Hash: 0152F675E00629CFDB64DF68C890AD9B7B2FB89300F1081EAD809A7355DB30AE85DF50

Function 05B93560 Relevance: 2.7, Strings: 2, Instructions: 164
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

h, xrefs: 05B9366E
fcq, xrefs: 05B9368D

Memory Dump Source

Source File: 00000000.00000002.1681035588.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b90000_file.jbxd

Similarity

API ID:
String ID: fcq$h
API String ID: 0-1849521214
Opcode ID: 0d2fb76a06d8ac6526a52f8888729f54505eaa3490b65201fe87ea8fd1f2983f
Instruction ID: b66e1d545f886f085c094280391f09b8529159b9d3a6a9f93bb8571ea12cfaa5
Opcode Fuzzy Hash: 0d2fb76a06d8ac6526a52f8888729f54505eaa3490b65201fe87ea8fd1f2983f
Instruction Fuzzy Hash: DA71F775E006198FEB24DF69C850BD9BBB2FF89300F5082AAD559A7354DB306E85CF90

Function 05B96E50 Relevance: 1.6, APIs: 1, Instructions: 63nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 05B96ED9

Memory Dump Source

Source File: 00000000.00000002.1681035588.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b90000_file.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 710fb0707308534524fe8242a9eb919c6e4113610a81578af38c2f2203e1a727
Instruction ID: b40247af8a254a4058da6312ecd7183f830255ce95ce5b189b3a6c117c77464d
Opcode Fuzzy Hash: 710fb0707308534524fe8242a9eb919c6e4113610a81578af38c2f2203e1a727
Instruction Fuzzy Hash: 3C2100B1D003499FCB10DFAAD980ADEFBF5FF48310F20842AE419A7210C775A944CBA4

Function 05B96E48 Relevance: 1.6, APIs: 1, Instructions: 63nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 05B96ED9

Memory Dump Source

Source File: 00000000.00000002.1681035588.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b90000_file.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 02d3eb8dbfba96b43c5077a8f3f0cca6f26030b17f50512e87058572cbb1efeb
Instruction ID: ac6e7d8ddd50772f9dc7f2b96ac53a60c31b0401368fe98dc58b50b8983553f2
Opcode Fuzzy Hash: 02d3eb8dbfba96b43c5077a8f3f0cca6f26030b17f50512e87058572cbb1efeb
Instruction Fuzzy Hash: 40212EB5D002499FCB10DFAAD980AEEFBF5FF48310F20842AE459A7210C735A941CBA4

Function 05B98F90 Relevance: 1.6, APIs: 1, Instructions: 57nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 05B99006

Memory Dump Source

Source File: 00000000.00000002.1681035588.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b90000_file.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 0c55312160e62a542da1b5bf822800bcb501fbe16786b702806302516447cdf4
Instruction ID: 09bfac17e69f8b164fc48c2e7e4dc4073be46301a17e3a28d88cb403a4a19233
Opcode Fuzzy Hash: 0c55312160e62a542da1b5bf822800bcb501fbe16786b702806302516447cdf4
Instruction Fuzzy Hash: 9C1106B1D002098BDB20DFAAC485ADEFBF4FB48324F54842ED459A7250CB75A944CFA5

Function 05B98F98 Relevance: 1.6, APIs: 1, Instructions: 54nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 05B99006

Memory Dump Source

Source File: 00000000.00000002.1681035588.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b90000_file.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 9e97ccc0c5adc9072f4ef33ba00a91aa8afe5fb4627ae5fa21e985b9b4f1b406
Instruction ID: 93956b23c8cc5755a64250ef60f16753244e3af81dbd2f339aab4644b0522b2c
Opcode Fuzzy Hash: 9e97ccc0c5adc9072f4ef33ba00a91aa8afe5fb4627ae5fa21e985b9b4f1b406
Instruction Fuzzy Hash: 851103B1D002098BDB20DFAAC484A9EFBF4FB88320F10842ED459A7250CB75A944CFA5

Function 05CAE7F0 Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

Deq, xrefs: 05CAE8F5

Memory Dump Source

Source File: 00000000.00000002.1681068003.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c90000_file.jbxd

Similarity

API ID:
String ID: Deq
API String ID: 0-948982800
Opcode ID: dd47aeb1f39c1b5d040d1b212512f00a6f034546a1cf948a86ccb2893cc91143
Instruction ID: f54799354c41741ef08f71c84d5abd48ab73970c8bae63a428db5474a4e531eb
Opcode Fuzzy Hash: dd47aeb1f39c1b5d040d1b212512f00a6f034546a1cf948a86ccb2893cc91143
Instruction Fuzzy Hash: 88D1C074A00219CFDB54DFA9D884A9DBBF2FF88304F1084A9D409AB365DB30AD86DF51

Function 05B96BB9 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681035588.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31031ef4015d2995a7d9a1bd66d3c4de51b6c77c9da756d36dfd237791a835d
Instruction ID: 618459f1101483e6ca9faefefde8980eb373a2412ab7f51915deb5c3724ce457
Opcode Fuzzy Hash: a31031ef4015d2995a7d9a1bd66d3c4de51b6c77c9da756d36dfd237791a835d
Instruction Fuzzy Hash: B3711D74E01208DFCB08DFA9D550AAEBBF6FF88300F108469E509AB354DB34A946DF94

Function 05B96BC8 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681035588.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ce31297909057f4da51282ce3e11a4800dbc2e5b932ffa7603d706d91ad39e8
Instruction ID: 3085e0eaf2ac410fd80a6a090982e846429c225374aa07a72eccbdc5bae55e80
Opcode Fuzzy Hash: 8ce31297909057f4da51282ce3e11a4800dbc2e5b932ffa7603d706d91ad39e8
Instruction Fuzzy Hash: 0A71EC74E01608DFCB08DFA9D550AAEBBF6FF88300F108469E509AB354DB34A946DF94

Function 0257C5B0 Relevance: 6.1, APIs: 4, Instructions: 136
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0257C63E
GetCurrentThread.KERNEL32 ref: 0257C67B
GetCurrentProcess.KERNEL32 ref: 0257C6B8
GetCurrentThreadId.KERNEL32 ref: 0257C711

Memory Dump Source

Source File: 00000000.00000002.1660188007.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2570000_file.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 9b01fdc33362b1db2060444f347843bc8ef0a8926d517e92d68432167e37cd32
Instruction ID: 7822d3936de71009af1e5ba214bbf5466cca1d83ec5ef1857a76a3d457eb2fa9
Opcode Fuzzy Hash: 9b01fdc33362b1db2060444f347843bc8ef0a8926d517e92d68432167e37cd32
Instruction Fuzzy Hash: 8E5167B09013498FDB14DFA9D548BDEBBF1FB48304F20809AD419A7360DB34A984CF69

Function 0257C5C0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0257C63E
GetCurrentThread.KERNEL32 ref: 0257C67B
GetCurrentProcess.KERNEL32 ref: 0257C6B8
GetCurrentThreadId.KERNEL32 ref: 0257C711

Memory Dump Source

Source File: 00000000.00000002.1660188007.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2570000_file.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: fa3cf39c19cf3ac4faa8abb71d2ba14b6b70607aa74da950abbf61462104eec6
Instruction ID: 397c9518ae244b391b06d6b9a8b576fb3628b4fec2895c3abec06d593e4610a6
Opcode Fuzzy Hash: fa3cf39c19cf3ac4faa8abb71d2ba14b6b70607aa74da950abbf61462104eec6
Instruction Fuzzy Hash: 925135B09007498FDB14DFA9D548B9EBBF5FB48314F20805AD419A7260DB34A984CF69

Function 05B9789C Relevance: 1.7, APIs: 1, Instructions: 204processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05B97A82

Memory Dump Source

Source File: 00000000.00000002.1681035588.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b90000_file.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 3120a4c5ce4bab215ebc6d9e6a79fe559118fef40e244bfc3bb89a15b615c23c
Instruction ID: f0797cb758ac5865e010206dd090198037cc56ccfd4c02323cc8dc7923234e33
Opcode Fuzzy Hash: 3120a4c5ce4bab215ebc6d9e6a79fe559118fef40e244bfc3bb89a15b615c23c
Instruction Fuzzy Hash: 1B815471D1020A9FDF14CFA9C8857AEBBF2FF49314F148569E859A7244DB34A881CF82

Function 05B978A8 Relevance: 1.7, APIs: 1, Instructions: 201processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05B97A82

Memory Dump Source

Source File: 00000000.00000002.1681035588.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b90000_file.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 7e6055c5b33fdfebc2e1c2664659bed13bc91519e9c17311473cf346a1475586
Instruction ID: 18afd88459ea720ff095bb3e6cacdeaae9aeeae983ec821e033b9b195805b370
Opcode Fuzzy Hash: 7e6055c5b33fdfebc2e1c2664659bed13bc91519e9c17311473cf346a1475586
Instruction Fuzzy Hash: BB816471D1020A9FDF14CFA9C8857AEBBF2FF49314F148569E859A7240DB34A881CF82

Function 0257A328 Relevance: 1.7, APIs: 1, Instructions: 199COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0257A57E

Memory Dump Source

Source File: 00000000.00000002.1660188007.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2570000_file.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f7bd2a2503fb59c4ca3d078dbb74b27bae7f68aedf126eebbce6932b52ea4fd6
Instruction ID: 0cd9d53c172b479136faa288e98d186108300326e28cc2d08cd8fa26b2daf082
Opcode Fuzzy Hash: f7bd2a2503fb59c4ca3d078dbb74b27bae7f68aedf126eebbce6932b52ea4fd6
Instruction Fuzzy Hash: 6B8125B0A00B458FDB24DF29E14575ABBF6FF88304F008A2ED48AD7A50D775E949CB94

Function 0257CCCF Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0257CC97

Memory Dump Source

Source File: 00000000.00000002.1660188007.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2570000_file.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 754c46521131298cde1f3300d806cf58e94e7ab6436e75e315f4e79282eb1370
Instruction ID: 0e6a588c7a5f6b859ed8993342827ccef4f9d166c570866797d6cc2e89fcdf5e
Opcode Fuzzy Hash: 754c46521131298cde1f3300d806cf58e94e7ab6436e75e315f4e79282eb1370
Instruction Fuzzy Hash: B1319A78A407808FE3149F64F44ABA97BA2F785304F10842BED958B3D4CA798D06EF30

Function 05B98920 Relevance: 1.6, APIs: 1, Instructions: 70injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05B989B8

Memory Dump Source

Source File: 00000000.00000002.1681035588.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b90000_file.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: f83747d1ea1c842bc35dcca64033ae0c1506e73597ecc3c51814818fb7cf836e
Instruction ID: 3a6906d8e35b8b5beb237b85f08a2af1a60c9411a837e748cfe17e1c1c5b6513
Opcode Fuzzy Hash: f83747d1ea1c842bc35dcca64033ae0c1506e73597ecc3c51814818fb7cf836e
Instruction Fuzzy Hash: 0B2157B5900209CFCF10CFA9C984BDEBBF1FF48310F10842AE559A7250C778A944CBA5

Function 05B98928 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05B989B8

Memory Dump Source

Source File: 00000000.00000002.1681035588.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b90000_file.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 271c5819f07f4e6d6b4ef5730cc318450f435aa08561b1883974f36040c443a2
Instruction ID: 874c10e02fc33ac73d276c6a22d37a2dd69026097c5ec436091fb7ae9057789c
Opcode Fuzzy Hash: 271c5819f07f4e6d6b4ef5730cc318450f435aa08561b1883974f36040c443a2
Instruction Fuzzy Hash: 242144B19003099FCB10CFA9C884BDEBBF5FF48310F10842AE959A7250C778A944CBA5

Function 0257CC08 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0257CC97

Memory Dump Source

Source File: 00000000.00000002.1660188007.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2570000_file.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fe68f819da6dcd371873d11bebb61f14de58e2339dcb6929e9ff4e3cfa4bbef4
Instruction ID: 565f9c5f4e80046e629a8d3157aed481649951378834a14476ad3496c892784b
Opcode Fuzzy Hash: fe68f819da6dcd371873d11bebb61f14de58e2339dcb6929e9ff4e3cfa4bbef4
Instruction Fuzzy Hash: F721E3B59002089FDB10CF9AD584ADEBFF8FB48320F14846AE958A7310D374A954CFA5

Function 05B98070 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05B980F6

Memory Dump Source

Source File: 00000000.00000002.1681035588.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b90000_file.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 73fa2df0d8722b9ebdc113c7a994e81682ec04380dfe86bb08def1f9a8f3de74
Instruction ID: ef0d85e78ba2ca391cf31bf9eee96d9d91bd0e0cae8755e5a6ad1e4dd50c9fcf
Opcode Fuzzy Hash: 73fa2df0d8722b9ebdc113c7a994e81682ec04380dfe86bb08def1f9a8f3de74
Instruction Fuzzy Hash: 742165B1D003098FDB14DFA9C585BEEBBF4EF49324F14842AD459A7241CB78A984CFA4

Function 05B98078 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05B980F6

Memory Dump Source

Source File: 00000000.00000002.1681035588.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b90000_file.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 12d4ff9106e187a509647369c638b35ef9d137dcc43229ce82486578f96210e4
Instruction ID: 038be4f3054f6dd6b3e62757a32bd90074f4d14babb9aac0669be18710c56834
Opcode Fuzzy Hash: 12d4ff9106e187a509647369c638b35ef9d137dcc43229ce82486578f96210e4
Instruction Fuzzy Hash: F92138B19003098FDB14DFAAC485BEEFBF4EF49324F108429D459A7240D778A984CFA4

Function 0257CC10 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0257CC97

Memory Dump Source

Source File: 00000000.00000002.1660188007.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2570000_file.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 85cbb3597bf89977c5f6703d8a2e6d051cb722e8865e80c75d55ab26ff1411b2
Instruction ID: 47dbea012f3d7310ed55ccc4040a3d170e3873fade0ae3f4083acff241a027a8
Opcode Fuzzy Hash: 85cbb3597bf89977c5f6703d8a2e6d051cb722e8865e80c75d55ab26ff1411b2
Instruction Fuzzy Hash: 0521E2B59002089FDB10CFAAD984ADEFFF8FB48320F14841AE958A7310D374A944CFA4

Function 05A2DEB8 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 05A2DF2C

Memory Dump Source

Source File: 00000000.00000002.1680944477.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a20000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 4b2f53253e0c31da57a4a5e2463cae66e7599f922596d8225cec52ba4929b19e
Instruction ID: efff0174bcd07405e766fcff2d58513a9e1e5f049a2042f0249a6258c6773282
Opcode Fuzzy Hash: 4b2f53253e0c31da57a4a5e2463cae66e7599f922596d8225cec52ba4929b19e
Instruction Fuzzy Hash: 041136B1D042098FCB10DFAAC444ADEFBF4FF88320F10842AD459A7210C774A945CFA4

Function 05B98678 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05B986EE

Memory Dump Source

Source File: 00000000.00000002.1681035588.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b90000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2d8d42e8e910bd4a429bd038566617387a79ee1e30e528e08f00173858d50151
Instruction ID: ef9823cdf617263d4117a05666bbae0d467598972d57c401cc1ed480a5717b0e
Opcode Fuzzy Hash: 2d8d42e8e910bd4a429bd038566617387a79ee1e30e528e08f00173858d50151
Instruction Fuzzy Hash: 041156B69002499FDF10DFAAC844BDFBFF5EB88324F208429E569A7250C775A544CFA4

Function 05B98680 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05B986EE

Memory Dump Source

Source File: 00000000.00000002.1681035588.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b90000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 14ea9c720a7b41e76d146224bd80227cc257385d1596fc56307653eba66116ab
Instruction ID: 0369e706c74dfffd0afad6832f627240c0db2a2cadc3977b1f15348584156a74
Opcode Fuzzy Hash: 14ea9c720a7b41e76d146224bd80227cc257385d1596fc56307653eba66116ab
Instruction Fuzzy Hash: 361126729002499FCB10DFAAC844ADEBBF5EB88324F208429E559A7250C775A554CFA5

Function 0257A518 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0257A57E

Memory Dump Source

Source File: 00000000.00000002.1660188007.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2570000_file.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 18fa3f8eafb263457ba4307512d95d0d2df2cdfe2b580b449a81b5309b21b496
Instruction ID: 3656750f8fa280e20ab7a1bd1fc209d69527284bd9522af371f319524957ef16
Opcode Fuzzy Hash: 18fa3f8eafb263457ba4307512d95d0d2df2cdfe2b580b449a81b5309b21b496
Instruction Fuzzy Hash: F8111DB6D003498FCB10CF9AD444ADEFBF4FB88324F10842AD868A7210D379A945CFA5

Function 05A2EEA0 Relevance: 1.3, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 05A2EF0B

Memory Dump Source

Source File: 00000000.00000002.1680944477.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a20000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4e428c49fe3b60f53c5278324c62122e3b17f01cf9e0d8662a4f443cf46c02a1
Instruction ID: bfa792c873b2152313c05282e32c1eae8f83a7ceda1e317d13310912898f1d52
Opcode Fuzzy Hash: 4e428c49fe3b60f53c5278324c62122e3b17f01cf9e0d8662a4f443cf46c02a1
Instruction Fuzzy Hash: 311149719042498FCB10DFAAC845BEEFFF5EF88320F108419D469A7250C775A584CFA4

Function 05C93C59 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

w, xrefs: 05C93CA9

Memory Dump Source

Source File: 00000000.00000002.1681068003.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c90000_file.jbxd

Similarity

API ID:
String ID: w
API String ID: 0-476252946
Opcode ID: 4a9cbf249e1cdfd179497ad94fc10c80423a200fbc14193db8fa713e06bddee1
Instruction ID: 035887eb65e132e5cc762e17e6b5cb133d984080e5cbfe3b4b43da18d682152c
Opcode Fuzzy Hash: 4a9cbf249e1cdfd179497ad94fc10c80423a200fbc14193db8fa713e06bddee1
Instruction Fuzzy Hash: D4010875904119CFDB28EF24D848BA87BB5FB05304F1084E4D059A3240DB385E85DF41

Function 00C1D104 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659827690.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c1d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 227cb43a455ec5d6cca263b112387c98f3c7845a090748e5c77c404326e0ad17
Instruction ID: 9f14d910b3cf35bfae4592560fa923defa44b499adb18f59047ba7cfa53edae0
Opcode Fuzzy Hash: 227cb43a455ec5d6cca263b112387c98f3c7845a090748e5c77c404326e0ad17
Instruction Fuzzy Hash: 33213771104244EFDF05DF14D9C4B6ABBA5FB85324F30C169EC0A0B255C336D996E7A2

Function 00C1D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659827690.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c1d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50744cbaa60d21bc0b81ab08690f7b3fbb742049c2d3140b2d5a335cf9ebb24b
Instruction ID: e0e1e88d68316104a345e9aaee504b2ff9d835d518bb1bb3f2d6cdb8d53423ed
Opcode Fuzzy Hash: 50744cbaa60d21bc0b81ab08690f7b3fbb742049c2d3140b2d5a335cf9ebb24b
Instruction Fuzzy Hash: 5721F275604200DFCB14DF14D9C4B66BBA5EB89314F20C5ADE80A4B296C33AD887DA62

Function 00C1D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659827690.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c1d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89494a57bf80a5def29b94e79a1ba7f45e6f68904937de0ea3599a49da7976d0
Instruction ID: ee0384d73741a724f9f6e090447713e8be621737e637568feb140cbb6bcef8da
Opcode Fuzzy Hash: 89494a57bf80a5def29b94e79a1ba7f45e6f68904937de0ea3599a49da7976d0
Instruction Fuzzy Hash: ED2180755093808FCB02CF24D994755BF71EB46314F28C5EAD8498F2A7C33A984ADB62

Function 00C1D0FF Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659827690.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c1d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8904e6e2034f6e8b723f427b0fac37b038faba2da46a35eb3e2bfe2bad4ef527
Instruction ID: b256ce42574181d8ca8a1268eca2ec3597461502a39cb664daf9399080ff9e18
Opcode Fuzzy Hash: 8904e6e2034f6e8b723f427b0fac37b038faba2da46a35eb3e2bfe2bad4ef527
Instruction Fuzzy Hash: 4B110376504280DFCB05CF00D9C4B5ABF72FB84324F24C1A9DC0A0B656C336D95ADBA2

Function 05CAEC78 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681068003.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0426eeb70c946e545fd4c37d4adf553840ce1b93e6aae03432710d1782e8295f
Instruction ID: 1ab49c68b9f8e156bf2f22d750761555bbb756e51e243c1e3d1c1d4cdc786cb0
Opcode Fuzzy Hash: 0426eeb70c946e545fd4c37d4adf553840ce1b93e6aae03432710d1782e8295f
Instruction Fuzzy Hash: 6A11B7B0E002099FCB44DFA9C9456AFBBF5FF88300F10846A9418A7354DB359A419F91

Function 05CA5BE0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681068003.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afba21269f7639f858086d184f18746e46d732e5f035979e58992f8cee6cc5de
Instruction ID: 8765314f23f14bd7c45cb3a70348e6e75bea70688f6fae29af153fd3e581cdc4
Opcode Fuzzy Hash: afba21269f7639f858086d184f18746e46d732e5f035979e58992f8cee6cc5de
Instruction Fuzzy Hash: D2E0ED74E05208EFCB84DFA9D541A9DFBF5EB48314F10C4AAE81993340D6359E51DF50

Function 05CAA2B0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681068003.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afba21269f7639f858086d184f18746e46d732e5f035979e58992f8cee6cc5de
Instruction ID: 7d70ffd3e0a52ca65eff28261bb4e3fa232c684f3d0e4ea36377eff570e53b30
Opcode Fuzzy Hash: afba21269f7639f858086d184f18746e46d732e5f035979e58992f8cee6cc5de
Instruction Fuzzy Hash: CAE0ED74E04208EFCB84DFA9D84069DFBF5EB48314F10C5AAD81893341E6369E51DF50

Function 05CAD210 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681068003.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41a6007b8e05aa778c0bd3ad13c0056f5409e8eed6d6cd2a58dc5f3a89fa0b8b
Instruction ID: 778d8cd5f3f11207ab00ab592781c073bd74ceea657ce8e2fd1e5dbf91e9febe
Opcode Fuzzy Hash: 41a6007b8e05aa778c0bd3ad13c0056f5409e8eed6d6cd2a58dc5f3a89fa0b8b
Instruction Fuzzy Hash: AAE0E574E08208EFCB84DFE9D4406ACBBF4FB48304F10C5AA981993340E6359E02CF40

Function 05CAFB70 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681068003.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93e3e23b65087d925e363c85a3b59d3113ca2df181fc0c3b353916d42bbd7511
Instruction ID: 92e9ab4329d29382a66d64fa5f26810e69fbc970cdb47dda9e86ec3932eeaf0d
Opcode Fuzzy Hash: 93e3e23b65087d925e363c85a3b59d3113ca2df181fc0c3b353916d42bbd7511
Instruction Fuzzy Hash: CCE04F7990810CEBC744DFE4E4549ADBFB8AB89314F10C49AE84457341C6719A41DBA0

Function 05CA88A8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681068003.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5394de64c1282442534100ed0b9329a0c68435a381dac2491d0b34a3d633d29
Instruction ID: 3a2567a420dee9e170624ff7c65b4ec0e925bb95ed066c45e7efccd208c2fbff
Opcode Fuzzy Hash: a5394de64c1282442534100ed0b9329a0c68435a381dac2491d0b34a3d633d29
Instruction Fuzzy Hash: F4E01A74D08108EFCB44DFA9D4405ACBBB4EB48204F10C4AAD80853341CA355A01DF50

Function 05CADD30 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681068003.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d51f5b1abf434b3336cbd27a4f86c986c5a6b580103888278584d78d8f086c4
Instruction ID: f3a7bce58b164fcb9772fd80808cfd03c8a6ca0df2ff180af596b9aa4587e733
Opcode Fuzzy Hash: 8d51f5b1abf434b3336cbd27a4f86c986c5a6b580103888278584d78d8f086c4
Instruction Fuzzy Hash: D3E0C2B4D08108DBC704DFE4E4415ACBFB4EB85309F10D499D8091B340CA315F42CBA0

Function 05CA96E8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681068003.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9519d40e75b6a3eed97d1f3b16413a7fb1f70bf429116732c2376d7ed899e02c
Instruction ID: 5e5379c7348f33d7f0e89499b1b8ad4fcdbc10e7255b2f1f9aed6a70b174c03a
Opcode Fuzzy Hash: 9519d40e75b6a3eed97d1f3b16413a7fb1f70bf429116732c2376d7ed899e02c
Instruction Fuzzy Hash: 67E01771A4520CEBC740FBF8D909A9E7BF9EF49300F0088AAD40597210EE364E509BA2

Non-executed Functions

Function 0257F3B8 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1660188007.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2570000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40e7a66358c9be43c571589416a2fadd2128da00546bb6bbfed728784891d66d
Instruction ID: 6e7c39f38442ccf3ed1d64c4d5d7f6b823c91a6e3f6f947f4e6c4c1a75f4075d
Opcode Fuzzy Hash: 40e7a66358c9be43c571589416a2fadd2128da00546bb6bbfed728784891d66d
Instruction Fuzzy Hash: CD12B7F0401745AAD330CF65EA4C9993BB1F744368F90470BD1612B2E5EBBE198AEF64

Function 0257CB3C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1660188007.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2570000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa000a5ccfb09e101135b05fd259ec5f6fa1cf494fce843849e3c723517321cf
Instruction ID: cc2c47d08f08b2b1674bef1187e89b618566afeba36abe82c723a17bbf22c3e9
Opcode Fuzzy Hash: fa000a5ccfb09e101135b05fd259ec5f6fa1cf494fce843849e3c723517321cf
Instruction Fuzzy Hash: A4A19D36E003168FCF05DFB4D94159EBBB2FF85304B1585AAE906AB261EB35E906CF50

Function 0257F3A8 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1660188007.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2570000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56b5450fdcc042894146f92de889cacec42e95ae469ac0e3ae91b3cf5aa6ef08
Instruction ID: f4073b8ff628b2c54a30d2832b6cfcfe9228a52a9a8e55c650fa3987fd1378af
Opcode Fuzzy Hash: 56b5450fdcc042894146f92de889cacec42e95ae469ac0e3ae91b3cf5aa6ef08
Instruction Fuzzy Hash: D2C13BB0801746ABD330CF64EA4C5997BB1FB85364F50470BD1616B2E4EBBE188ADF64

Function 05CADD70 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681068003.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a219d294b3869d75b213a7507b4021d0fba6b7085dd612864356199d8c88288
Instruction ID: 9984e221e1e7d285be5c6da76cbb11a47681484eea0dec984d4fb4862a30901a
Opcode Fuzzy Hash: 6a219d294b3869d75b213a7507b4021d0fba6b7085dd612864356199d8c88288
Instruction Fuzzy Hash: 1E811B71E04219CFDB24DF6AC844BEDBFB6BF49308F1488A9D00AA7651DB745986CF50

Function 05A20040 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680944477.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f747bc455a28e632cd8ed0d66cfecf46873f34ed47d7e1b48672c86502b07b6c
Instruction ID: 5799c10974fca8b4630e7e84617d49d2344ab1425b1172087d953ae958e25c78
Opcode Fuzzy Hash: f747bc455a28e632cd8ed0d66cfecf46873f34ed47d7e1b48672c86502b07b6c
Instruction Fuzzy Hash: 90512C75D016698BEB68CF6B8D456D9FAF3AFC8300F14C0FA954CA6254DA700AC58F51

Function 05A20007 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680944477.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ceac0fbefe5564c07c569abe4de62781c5a8524b8e827bddfdcece52bddf8cd
Instruction ID: 5249908716ee87f0fb5538c659eeda764c2cf7ec23195f4392837be8d39d8689
Opcode Fuzzy Hash: 2ceac0fbefe5564c07c569abe4de62781c5a8524b8e827bddfdcece52bddf8cd
Instruction Fuzzy Hash: 1E519FB1D056548BE76DCF6B8C456C9FAF3AFC9300F18C0FA854CA6225EA744A868F51

Function 05C90040 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681068003.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 736fbdfacba559fa7a4cc7ae88823d7716f612b9c06000a4943e7dc88c20a478
Instruction ID: 8b9152fe863605c7f44e91ef47d744258b3e65ae5fcf28824d3c21e44ee8fe04
Opcode Fuzzy Hash: 736fbdfacba559fa7a4cc7ae88823d7716f612b9c06000a4943e7dc88c20a478
Instruction Fuzzy Hash: AA41D771E056288FDB68CF6AC8487DABBF6BF89300F04C4EAD40DA7654DB745A859F01

Function 05C90006 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681068003.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb2e7cba0850e8ac0620896698a1175c737ec00dd3e97d9c2de74fc35b0c6a3d
Instruction ID: 37f46bcad6f25938205c1bd4375e775171d6748e40b84d3c5015521d0e55d0e7
Opcode Fuzzy Hash: cb2e7cba0850e8ac0620896698a1175c737ec00dd3e97d9c2de74fc35b0c6a3d
Instruction Fuzzy Hash: F0312071D057948FEB1DCF6ACC0539ABAF2AF86300F09C4FA944CAA255DB784A85CF11

Analysis Process: AppLaunch.exePID: 4080, Parent PID: 2580COMMON

Executed Functions

Function 04B61580 Relevance: 1.6, Strings: 1, Instructions: 322COMMON

Download Yara Rule

Strings

Deq, xrefs: 04B6160F

Memory Dump Source

Source File: 00000001.00000002.2910574654.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4b60000_AppLaunch.jbxd

Similarity

API ID:
String ID: Deq
API String ID: 0-948982800
Opcode ID: 81353d510368a2c406dbeff53c37932d25749e0dd0ddc24e3e501f0b7c7c18d5
Instruction ID: f27ffe4c9894c0860854fbcf9b86832ecbd74ef227e35ad48b53c7d928d391b0
Opcode Fuzzy Hash: 81353d510368a2c406dbeff53c37932d25749e0dd0ddc24e3e501f0b7c7c18d5
Instruction Fuzzy Hash: E4C1FE71A002108FEB14CF2DC494A9ABBF2FF89714B1585ADE4469B3A5DB35EC02CF81

Function 04B610C7 Relevance: 2.6, Strings: 2, Instructions: 119COMMON

Download Yara Rule

Strings

Te^q, xrefs: 04B61115
Te^q, xrefs: 04B611D8

Memory Dump Source

Source File: 00000001.00000002.2910574654.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4b60000_AppLaunch.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 1650002021c90ebe9aae4c56e4c2c9669b17e3af326cf392707b1864031c0c3f
Instruction ID: d23f01e2e1d2cebc91d91aa0f78dd7d55a10261b1b0fe8650a194da9368d0083
Opcode Fuzzy Hash: 1650002021c90ebe9aae4c56e4c2c9669b17e3af326cf392707b1864031c0c3f
Instruction Fuzzy Hash: F9411874B101049FCB08DF69C598AAEBBF2AF89300F6148A9E506EB361DA35AD01CF50

Function 04B61570 Relevance: 1.4, Strings: 1, Instructions: 170COMMON

Download Yara Rule

Strings

Deq, xrefs: 04B6160F

Memory Dump Source

Source File: 00000001.00000002.2910574654.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4b60000_AppLaunch.jbxd

Similarity

API ID:
String ID: Deq
API String ID: 0-948982800
Opcode ID: a2eaaefc816196cc47c9a75bd95e75e525ab9ac8972f14fc560ffe53763e0739
Instruction ID: 5cd80581a134de8cf21c99ff5baa358597df619244604569f5117e25773079b6
Opcode Fuzzy Hash: a2eaaefc816196cc47c9a75bd95e75e525ab9ac8972f14fc560ffe53763e0739
Instruction Fuzzy Hash: C8616B75A006009FCB14DF2DD584A59BBF2FF88310B1585A9E41AEB3A5EB34FC42CB90

Function 04B60AFF Relevance: 1.3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

Strings

MZ+, xrefs: 04B60A35

Memory Dump Source

Source File: 00000001.00000002.2910574654.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4b60000_AppLaunch.jbxd

Similarity

API ID:
String ID: MZ+
API String ID: 0-3439302414
Opcode ID: 9032c5d5eccced5e5a04b1ea8972b308ce6db4425626183906f1bd4ce3b4e820
Instruction ID: ade02a2789fcdfca30bd9b64c725bc45e26d9749d49b0b5501546970f8469e84
Opcode Fuzzy Hash: 9032c5d5eccced5e5a04b1ea8972b308ce6db4425626183906f1bd4ce3b4e820
Instruction Fuzzy Hash: BE111C70A08241CED755EF1B8504BA17BE1BF96240F5AC9FAC54B9B226E7787402EF11

Function 04B60A7F Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

MZ+, xrefs: 04B60A35

Memory Dump Source

Source File: 00000001.00000002.2910574654.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4b60000_AppLaunch.jbxd

Similarity

API ID:
String ID: MZ+
API String ID: 0-3439302414
Opcode ID: c7e0ff52ece80e65485135eb8cd567c2f5015e5b681afe1ad73f3ba716146881
Instruction ID: 8d84838413af9c1e42b8f8e9408fb8b3f4f2537fe2d8993b3fbd2d0d9c10752f
Opcode Fuzzy Hash: c7e0ff52ece80e65485135eb8cd567c2f5015e5b681afe1ad73f3ba716146881
Instruction Fuzzy Hash: 90F03771A08641CEE706EF1A84057A1B7E5BFA8240F4A84F6D14B8B262E33869429B01

Function 04B608A8 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2910574654.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4b60000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58f2911e9e39ac8ec3a30202f7a87d9d8b55aba50f54e1522975bd33ecfdcedf
Instruction ID: 71c1ae5e2f53c3fb3b8402b8157cf2dd6efed135813f5aa6a12635a4e692f185
Opcode Fuzzy Hash: 58f2911e9e39ac8ec3a30202f7a87d9d8b55aba50f54e1522975bd33ecfdcedf
Instruction Fuzzy Hash: 4021AE343496549FD305EF69C848A6ABBB1FF8A314B1540E6E50ACF3A2DA21FC01C7A1

Function 04B0D1D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2910391387.0000000004B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4b0d000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b3785e86e6510f0337556bd6305060c51eb2f1f1714f66d2ca6a943a208a553
Instruction ID: 30cb08b480cd5c64aa2db41f6ac20236720ecd63591a16992821e83ee2975369
Opcode Fuzzy Hash: 1b3785e86e6510f0337556bd6305060c51eb2f1f1714f66d2ca6a943a208a553
Instruction Fuzzy Hash: 4621D371604200DFEF05DF94D9C4B2ABF69FB88315F24C6A9E9094B2D6C336E456CBA1

Function 04B0D4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2910391387.0000000004B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4b0d000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d72e35e5724fe6b5cca3fb715342c78ae7b300bcf1825f2d9cf0d33637ee9891
Instruction ID: f80a946b847efd1906311eed15ee1414e65ff5496b2a6f483a41ceef100764f8
Opcode Fuzzy Hash: d72e35e5724fe6b5cca3fb715342c78ae7b300bcf1825f2d9cf0d33637ee9891
Instruction Fuzzy Hash: 24210671604200DFDB05DF58D9C0B2ABF69FB84319F20C1A9ED090A2D6C336E455CAA1

Function 04B64820 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2910574654.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4b60000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca2b0c1e6d77b0ac886837ccccec13eb641b4c5be29fbd720fdd44d8747d2e83
Instruction ID: d9c03a9069f3c236b38dfb37386670106d3c999b2de05d9f62d9f3ddb2a28433
Opcode Fuzzy Hash: ca2b0c1e6d77b0ac886837ccccec13eb641b4c5be29fbd720fdd44d8747d2e83
Instruction Fuzzy Hash: 62119770908684EFEB04EFA9C44829D7FF2EF49304F5080EAD01A9B665E73C6A84CB01

Function 04B0D1D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2910391387.0000000004B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4b0d000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4a9c2a4520ad29cc5014b186a1537c42efb92585eeaa8902cc1b22a323ac8e1
Instruction ID: a2a88b26d8bb4c0013e7d96277d4cd057632fb755e446e046c097d7e7efa9020
Opcode Fuzzy Hash: d4a9c2a4520ad29cc5014b186a1537c42efb92585eeaa8902cc1b22a323ac8e1
Instruction Fuzzy Hash: A8218C76504240DFDF16CF54D984B16BF62FB84314F24C2AADD090A696C33AE46ACBA1

Function 04B0D49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2910391387.0000000004B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4b0d000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: a698446ecc6ef76673d9ccc391fd07e1190e655a3a55917372c742852efb4371
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: C611B176504240CFDB16CF54D5C4B16BF71FB84328F24C5A9DD090B296C336E45ACBA2

Function 04B64830 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2910574654.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4b60000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e555f456ffdfe88ef0138c1946c96f180253f5cf3247bd2c46787ca8ffe5af1c
Instruction ID: 4458a900884844bbe362849bc9cb985a14eb3557c4e89091fec98a9d7315e7e8
Opcode Fuzzy Hash: e555f456ffdfe88ef0138c1946c96f180253f5cf3247bd2c46787ca8ffe5af1c
Instruction Fuzzy Hash: D3115A70E04688DFE704DFA9D14835DBBF2FB48304F5080EAD41A97254EB786E80DB05

Function 04B60899 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2910574654.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4b60000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c0ac8b8ff5dc7ae0ade74622d3598e9b77bbf3e81c64c01b06e263d2dac9a8b
Instruction ID: b19f80c9401f2915acf50be602f4b2018c1f06722205c53af1e25a2438acdbe9
Opcode Fuzzy Hash: 7c0ac8b8ff5dc7ae0ade74622d3598e9b77bbf3e81c64c01b06e263d2dac9a8b
Instruction Fuzzy Hash: 6CF02B353091549FF300E66A94145A67BD1EB8A35471880F6E20BCF391E516FC0583E1

Function 04B61040 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2910574654.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4b60000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cb5652d90c2bb305be370881454c9142ed01d7fe0ed206579eb08423c1e48bd
Instruction ID: 7630a0caa787b5f466b54a3a8fff0b63346bc86a4664ff99f478f63b2c93ae7b
Opcode Fuzzy Hash: 6cb5652d90c2bb305be370881454c9142ed01d7fe0ed206579eb08423c1e48bd
Instruction Fuzzy Hash: F3E09B753104245FC305EB6CE158A467BD5EF8D6657514096E10ACB361CA66DC028B51

Function 04B61091 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2910574654.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4b60000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8b4832fd9ddec5baa3675ea63b4fcce462842bad6dba14b2ec02b3497e8edaa
Instruction ID: 7d230155d76b1e1a4df9e187e322f71a0b862bca555cf28a3cb09b9774862c5a
Opcode Fuzzy Hash: a8b4832fd9ddec5baa3675ea63b4fcce462842bad6dba14b2ec02b3497e8edaa
Instruction Fuzzy Hash: E6E012357041904FCB006778905C6897BB5DF8766AB1440E9E54DCB762DA369C138794

Function 04B610A0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2910574654.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4b60000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5a32fe9eaa671b44ed91893c81d9d378d7ef5be8a6fc1d63b42fb6fc0c714ae
Instruction ID: b03b7f9e3199099d734be1aa8a1390df6c0485ae260bf10c05e1e01ae512d700
Opcode Fuzzy Hash: a5a32fe9eaa671b44ed91893c81d9d378d7ef5be8a6fc1d63b42fb6fc0c714ae
Instruction Fuzzy Hash: 5FD0C9357002148FCB00ABB9E40C85E77E9EF8966574100A6F90EC7370EF39AC018BA5

Function 04B60881 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2910574654.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4b60000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d99cf0e88adc06cb4113a85c95b819b68c3548e47bf17837a7ffd0b54e0bd8d
Instruction ID: 2b77c1a0edcb48fbeea5ab98a6c16dc6c81bc67e4a6243591b681f970e6f00f7
Opcode Fuzzy Hash: 4d99cf0e88adc06cb4113a85c95b819b68c3548e47bf17837a7ffd0b54e0bd8d
Instruction Fuzzy Hash: 33C04CA54097D25FFF02127014341C63FA0AD1330876560D7C2468B252D5046409D361

Function 04B625AC Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2910574654.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4b60000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59521b335c4eb7dcc5a113b0912e1e16510933004aefeaec5e0297090c474f09
Instruction ID: e65d1b24d4e7d49c074cefeda08445d360fbbef7067c03c89fd456c6e5376f07
Opcode Fuzzy Hash: 59521b335c4eb7dcc5a113b0912e1e16510933004aefeaec5e0297090c474f09
Instruction Fuzzy Hash: B8C08035711004FFEF005BE4DC14DED7A72FB88301F40C455E50273260D5256C046B20

Function 04B66555 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2910574654.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4b60000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fef3138c618d15d43daacb2cb6bba78caab13336530fdfbfca2e27b95bc91a67
Instruction ID: b57b4b61187342b569c1e45ae095f10a70e7609a8bec1858e909cbbcf0e121c2
Opcode Fuzzy Hash: fef3138c618d15d43daacb2cb6bba78caab13336530fdfbfca2e27b95bc91a67
Instruction Fuzzy Hash: FCC04CB4F00690CBDF449B74903C25976A1EB45205F50446AE54FC3394E93C9D40CA26

Function 04B6C3F0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2910574654.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4b60000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87a46693efa5091366106c8200b798a168e58b3b6504b4330a3669b0d6bd293c
Instruction ID: 15eb8f515c664cd7ad9469a34f5e8f3b213664bbb090928b6a75950606a246cc
Opcode Fuzzy Hash: 87a46693efa5091366106c8200b798a168e58b3b6504b4330a3669b0d6bd293c
Instruction Fuzzy Hash: 5DA0223008AF0C83820032B0AA00A20338C088000C3C000F8820C0AA20083BF0A08088

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: file.exePID: 2312, Parent PID: 2580

General

Chronological Activities

Analysis Process: AppLaunch.exePID: 4080, Parent PID: 2580

General

Chronological Activities

Windows Analysis Report
file.exe

Function 05B93570 Relevance: 3.1, Strings: 2, Instructions: 614
COMMON

Function 05B93560 Relevance: 2.7, Strings: 2, Instructions: 164
COMMON

Function 0257C5B0 Relevance: 6.1, APIs: 4, Instructions: 136
threadCOMMON

Function 0257C5C0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON