Edit tour

Windows Analysis Report
bPkG0wTVon.exe

Overview

General Information

Sample name:	bPkG0wTVon.exe renamed because original name is a hash value
Original sample name:	36274aefe69f86532cee326b878f06ff.exe
Analysis ID:	1578055
MD5:	36274aefe69f86532cee326b878f06ff
SHA1:	6a33fb45bfa496c8559947640ae044b1d78d39b8
SHA256:	24616a11af126a9d80991d575949abcef8b0e30b816a1ddc3e1d0f63fe380e89
Tags:	exeuser-abuse_ch
Infos:

Detection

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Machine Learning detection for sample

PE file contains section with special chars

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Detected potential crypto function

One or more processes crash

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

bPkG0wTVon.exe (PID: 6636 cmdline: "C:\Users\user\Desktop\bPkG0wTVon.exe" MD5: 36274AEFE69F86532CEE326B878F06FF)

WerFault.exe (PID: 7048 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6636 -s 1396 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
bPkG0wTVon.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.bPkG0wTVon.exe.940000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: bPkG0wTVon.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: bPkG0wTVon.exe	Virustotal: Detection: 30%			Perma Link
Source: bPkG0wTVon.exe	ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.6% probability

Machine Learning detection for sample

Source: bPkG0wTVon.exe

Joe Sandbox ML: detected

Source: bPkG0wTVon.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: bPkG0wTVon.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Xml.ni.pdb source: WERC857.tmp.dmp.5.dr
Source:	Binary string: C:\Users\Malware\source\repos\ConsoleApplication2\x64\Release\ConsoleApplication2.pdb source: bPkG0wTVon.exe
Source:	Binary string: C:\Users\Raifon\source\repos\Arcana\Arcana\bin\Release\Arcana.pdb source: bPkG0wTVon.exe
Source:	Binary string: System.ni.pdbRSDS source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.Configuration.pdbL08w# source: WERC857.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdb4 source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.Configuration.ni.pdb source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.Net.Http.pdb source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.Security.pdb source: WERC857.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.Configuration.pdb source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.Xml.pdb source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.pdb source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.Core.ni.pdb source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERC857.tmp.dmp.5.dr
Source:	Binary string: Arcana.pdb< source: WERC857.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdb source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.Net.Http.ni.pdb source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.Drawing.pdb source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.Management.pdb source: WERC857.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdb source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.Management.ni.pdb source: WERC857.tmp.dmp.5.dr
Source:	Binary string: Arcana.pdb source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.Core.pdb source: WERC857.tmp.dmp.5.dr
Source:	Binary string: C:\Users\Malware\source\repos\ConsoleApplication2\x64\Release\ConsoleApplication2.pdb" source: bPkG0wTVon.exe
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.Net.Http.ni.pdbRSDS source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.Net.Http.pdbU source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdb source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.Web.pdb source: WERC857.tmp.dmp.5.dr

Networking

Yara detected Generic Downloader

Source: Yara match	File source: bPkG0wTVon.exe, type: SAMPLE
Source: Yara match	File source: 0.0.bPkG0wTVon.exe.940000.0.unpack, type: UNPACKEDPE

Source: bPkG0wTVon.exe	String found in binary or memory: http://89.23.100.233:1490/upload?File
Source: bPkG0wTVon.exe, 00000000.00000002.2230737594.0000000002F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://89.23.100.233:1490/uploadp
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net

System Summary

PE file contains section with special chars

Source: bPkG0wTVon.exe	Static PE information: section name: .\C3
Source: bPkG0wTVon.exe	Static PE information: section name: ."@W

Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_05404740 NtOpenFile,	0_2_05404740
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_05403E68 NtClose,	0_2_05403E68
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_054049C0 NtMapViewOfSection,	0_2_054049C0
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_05404818 NtCreateSection,	0_2_05404818
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_05404B78 NtDeviceIoControlFile,	0_2_05404B78
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_05404320 NtProtectVirtualMemory,	0_2_05404320
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_054043F8 NtAllocateVirtualMemory,	0_2_054043F8
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_05404AB0 NtQueryVolumeInformationFile,	0_2_05404AB0
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_0540473A NtOpenFile,	0_2_0540473A
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_05403E62 NtClose,	0_2_05403E62
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_054049B8 NtMapViewOfSection,	0_2_054049B8
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_05404810 NtCreateSection,	0_2_05404810
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_05404B70 NtDeviceIoControlFile,	0_2_05404B70
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_0540431A NtProtectVirtualMemory,	0_2_0540431A
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_054043F2 NtAllocateVirtualMemory,	0_2_054043F2
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_05404AA9 NtQueryVolumeInformationFile,	0_2_05404AA9

Source: C:\Users\user\Desktop\bPkG0wTVon.exe

Code function: 0_2_05404B78: NtDeviceIoControlFile,

0_2_05404B78

Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_0146B1B8	0_2_0146B1B8
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_01461098	0_2_01461098
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_0146BAE0	0_2_0146BAE0
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_0146BD68	0_2_0146BD68
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_0146D5E8	0_2_0146D5E8
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_01469700	0_2_01469700
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_01468EC8	0_2_01468EC8
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_0146B839	0_2_0146B839
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_01460B45	0_2_01460B45
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_0146F3B1	0_2_0146F3B1
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_0146BAD1	0_2_0146BAD1
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_01469F69	0_2_01469F69
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_01469E40	0_2_01469E40
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_01469E30	0_2_01469E30
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_01468EB8	0_2_01468EB8
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_05404C50	0_2_05404C50
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_05406F98	0_2_05406F98
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_0540DE78	0_2_0540DE78
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_05400990	0_2_05400990
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_0540E878	0_2_0540E878
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_054020C0	0_2_054020C0
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_05403398	0_2_05403398
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_0540F208	0_2_0540F208
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_0540DD78	0_2_0540DD78
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_05404C40	0_2_05404C40
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_054014C2	0_2_054014C2
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_054064C8	0_2_054064C8
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_054014D0	0_2_054014D0
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_054064D3	0_2_054064D3
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_054064D8	0_2_054064D8
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_05401C90	0_2_05401C90
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_05400EF0	0_2_05400EF0
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_05400980	0_2_05400980
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_05403828	0_2_05403828
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Code function: 0_2_05407830	0_2_05407830

Source: C:\Users\user\Desktop\bPkG0wTVon.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6636 -s 1396

Source: bPkG0wTVon.exe, 00000000.00000000.2139082818.0000000000BB8000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameArcana.exe. vs bPkG0wTVon.exe
Source: bPkG0wTVon.exe, 00000000.00000002.2229690957.000000000110E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs bPkG0wTVon.exe
Source: bPkG0wTVon.exe	Binary or memory string: OriginalFilenameArcana.exe. vs bPkG0wTVon.exe

Source: bPkG0wTVon.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: bPkG0wTVon.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal80.troj.evad.winEXE@2/5@0/0

Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6636

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\e4d20398-f66a-48f7-9f3b-ad38858b4f17

Jump to behavior

Source: bPkG0wTVon.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\bPkG0wTVon.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: bPkG0wTVon.exe	Virustotal: Detection: 30%
Source: bPkG0wTVon.exe	ReversingLabs: Detection: 52%

Source: unknown	Process created: C:\Users\user\Desktop\bPkG0wTVon.exe "C:\Users\user\Desktop\bPkG0wTVon.exe"
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6636 -s 1396

Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Section loaded: userenv.dll	Jump to behavior

Source: C:\Users\user\Desktop\bPkG0wTVon.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\bPkG0wTVon.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: bPkG0wTVon.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: bPkG0wTVon.exe

Static file information: File size 3084288 > 1048576

Source: bPkG0wTVon.exe

Static PE information: Raw size of .\C3 is bigger than: 0x100000 < 0x184800

Source: bPkG0wTVon.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: bPkG0wTVon.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: System.Xml.ni.pdb source: WERC857.tmp.dmp.5.dr
Source:	Binary string: C:\Users\Malware\source\repos\ConsoleApplication2\x64\Release\ConsoleApplication2.pdb source: bPkG0wTVon.exe
Source:	Binary string: C:\Users\Raifon\source\repos\Arcana\Arcana\bin\Release\Arcana.pdb source: bPkG0wTVon.exe
Source:	Binary string: System.ni.pdbRSDS source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.Configuration.pdbL08w# source: WERC857.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdb4 source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.Configuration.ni.pdb source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.Net.Http.pdb source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.Security.pdb source: WERC857.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.Configuration.pdb source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.Xml.pdb source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.pdb source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.Core.ni.pdb source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERC857.tmp.dmp.5.dr
Source:	Binary string: Arcana.pdb< source: WERC857.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdb source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.Net.Http.ni.pdb source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.Drawing.pdb source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.Management.pdb source: WERC857.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdb source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.Management.ni.pdb source: WERC857.tmp.dmp.5.dr
Source:	Binary string: Arcana.pdb source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.Core.pdb source: WERC857.tmp.dmp.5.dr
Source:	Binary string: C:\Users\Malware\source\repos\ConsoleApplication2\x64\Release\ConsoleApplication2.pdb" source: bPkG0wTVon.exe
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.Net.Http.ni.pdbRSDS source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.Net.Http.pdbU source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdb source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERC857.tmp.dmp.5.dr
Source:	Binary string: System.Web.pdb source: WERC857.tmp.dmp.5.dr

Source: bPkG0wTVon.exe	Static PE information: section name: .\C3
Source: bPkG0wTVon.exe	Static PE information: section name: ."@W

Source: C:\Users\user\Desktop\bPkG0wTVon.exe

Code function: 0_2_0146FA60 push ss; retf

0_2_0146FA77

Source: bPkG0wTVon.exe	Static PE information: section name: .text entropy: 7.540602371038387
Source: bPkG0wTVon.exe	Static PE information: section name: .\C3 entropy: 7.349314887296056

Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Users\user\Desktop\bPkG0wTVon.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Speed FROM Win32_PhysicalMemory

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Users\user\Desktop\bPkG0wTVon.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Speed FROM Win32_PhysicalMemory

Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Memory allocated: 1460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Memory allocated: 2F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Memory allocated: 2D90000 memory reserve \| memory write watch	Jump to behavior

Source: bPkG0wTVon.exe	Binary or memory string: IsRunningInVirtualMachine1
Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: bPkG0wTVon.exe	Binary or memory string: IsRunningInVirtualMachine2
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: bPkG0wTVon.exe, 00000000.00000002.2229690957.0000000001142000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: bPkG0wTVon.exe	Binary or memory string: IsVirtualMachine
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: bPkG0wTVon.exe	Binary or memory string: qemu-ga#SPICE Guest Tools
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\bPkG0wTVon.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Queries volume information: C:\Users\user\Desktop\bPkG0wTVon.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bPkG0wTVon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\bPkG0wTVon.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	11 Virtualization/Sandbox Evasion	OS Credential Dumping	211 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Software Packing	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
bPkG0wTVon.exe	31%	Virustotal		Browse
bPkG0wTVon.exe	53%	ReversingLabs	ByteCode-MSIL.Backdoor.FormBook
bPkG0wTVon.exe	100%	Avira	HEUR/AGEN.1310131
bPkG0wTVon.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://89.23.100.233:1490/upload?File	0%	Avira URL Cloud	safe
http://89.23.100.233:1490/uploadp	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ax-0001.ax-msedge.net	150.171.27.10	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.5.dr	false		high
http://89.23.100.233:1490/upload?File	bPkG0wTVon.exe	false	Avira URL Cloud: safe	unknown
http://89.23.100.233:1490/uploadp	bPkG0wTVon.exe, 00000000.00000002.2230737594.0000000002F9B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578055
Start date and time:	2024-12-19 08:18:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	bPkG0wTVon.exe renamed because original name is a hash value
Original Sample Name:	36274aefe69f86532cee326b878f06ff.exe
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@2/5@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 70 Number of non-executed functions: 15
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92, 23.218.208.109, 23.32.238.200, 23.32.238.203, 23.32.238.201, 23.32.238.227, 23.32.238.195, 23.32.238.209, 23.32.238.219, 23.32.238.232, 23.32.238.225, 40.126.53.11, 20.190.147.8, 13.107.246.63, 20.223.35.26, 2.16.158.82, 4.245.163.56, 150.171.27.10, 2.16.158.33, 20.74.47.205
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, tse1.mm.bing.net, ctldl.windowsupdate.com, g.bing.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:19:11	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ax-0001.ax-msedge.net	https://pdf.ac/4lLzbt	Get hash	malicious	Unknown	Browse	150.171.28.10
	https://www.bing.com/ck/a?!&&p=24da94b1cbc4e30be5abd9acb5737b3bdb775a56c39aac0141dd9c17c937dea1JmltdHM9MTczMzI3MDQwMA&ptn=3&ver=2&hsh=4&fclid=1bf8b81c-3b95-652f-24ec-ad573a81643b&u=a1aHR0cHM6Ly93d3cueXV4aW5na2V0YW5nLmNvbS9jb2xsZWN0aW9ucy90aHJvdy1ibGFua2V0cw#aHR0cHM6Ly9Uby5lZW1qaGl1bHoucnUvek83UkZORy8=	Get hash	malicious	Unknown	Browse	150.171.28.10
	vOizfcQSGf.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	150.171.27.10
	tasktow.exe	Get hash	malicious	Unknown	Browse	150.171.27.10
	R4qP4YM0QX.lnk	Get hash	malicious	Unknown	Browse	150.171.27.10
	bGcxY1mXHe.exe	Get hash	malicious	Unknown	Browse	150.171.28.10
	download.ps1	Get hash	malicious	Unknown	Browse	150.171.27.10
	PyIsvSahWy.exe	Get hash	malicious	Unknown	Browse	150.171.27.10
	bandwidth_monitor.exe	Get hash	malicious	Unknown	Browse	150.171.27.10
	Ball - Temp.data for GCMs.doc	Get hash	malicious	HTMLPhisher	Browse	150.171.27.10

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bPkG0wTVon.exe_37478cde76dd5faa858c137362678095d0b3b2a9_c32bdecd_34f30437-1048-4891-9fd4-1e0168d1bcde\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1973570654578964
Encrypted:	false
SSDEEP:	192:cvr7ALBLR605Zqwau6VUVWpSzuiF3Z24IO8l:kr7mt35ZqwaFPSzuiF3Y4IO8l
MD5:	E0B2E57114965B9BEC6F302F30DEC9C7
SHA1:	CC5DB4D1119B7462BB5DA07DEAEE270A0A4852B9
SHA-256:	06C130EDC9F3793149CE9980EB6D9C50D583036E30F11F0BC443C0E3A57C31F0
SHA-512:	7CE85EF8ECEDA8B19C2FD7D64015EC13238BAD0AFCB55A5AE026F1F483C3E8AB4014D9F8E64786B0A7765425AF55779033328FFF649C012F95F125B079C97D02
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.0.6.6.3.4.4.9.6.1.4.9.4.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.0.6.6.3.4.5.7.2.7.1.2.2.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.4.f.3.0.4.3.7.-.1.0.4.8.-.4.8.9.1.-.9.f.d.4.-.1.e.0.1.6.8.d.1.b.c.d.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.d.a.7.2.f.5.f.-.d.6.b.a.-.4.1.b.6.-.9.0.0.a.-.7.f.3.c.4.b.5.e.e.d.1.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.b.P.k.G.0.w.T.V.o.n...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.A.r.c.a.n.a...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.e.c.-.0.0.0.1.-.0.0.1.5.-.0.2.2.6.-.8.1.4.7.e.6.5.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.c.7.e.a.5.d.c.e.a.4.d.7.e.2.0.c.1.c.8.f.0.6.8.9.a.d.8.a.4.0.8.0.0.0.0.0.0.0.0.!.0.0.0.0.6.a.3.3.f.b.4.5.b.f.a.4.9.6.c.8.5.5.9.9.4.7.6.4.0.a.e.0.4.4.b.1.d.7.8.d.3.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC857.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Dec 19 07:19:05 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	260039
Entropy (8bit):	3.6981567829781143
Encrypted:	false
SSDEEP:	3072:AgVlrbSJFA2T8anMpYXdS4uEqhjWLTgdxSy7dU1:AgXaJFA2gq7dS4dTgeyp
MD5:	59620415528882AF47F90F0DF34D520D
SHA1:	A4B0195D1E87F97AF4966FDD75B58D17A7D692B3
SHA-256:	8DD91CE4865FA30C6481CF37AFB924654D802B9507590A254414ADFE754009FA
SHA-512:	FBC506C12EECFE959B6A561179DBE3FE2084639252E8D857E4BDFB4E24328974C5812DA037DAA1636B563FA0C7A15AFDF82F7ED4BE01EB515277A597B2783CED
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........cg....................................$...@(.......!..~M..........`.......8...........T...........`7..g...........d(..........P..............................................................................eJ.............GenuineIntel............T.............cg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCA3C.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8360
Entropy (8bit):	3.695250115998422
Encrypted:	false
SSDEEP:	192:R6l7wVeJWd64K6Y2DASUcYL9gmfZksvqpDp89b3Psfh9m:R6lXJM64K6Y9SUlgmf5B30fS
MD5:	51373768A9C55EA74910D59CA4C921AC
SHA1:	734E68135C8B8E2EF2A180439F3ADBBF26B1837A
SHA-256:	B3C6674CB7584FB3DB1A3C9A64405757C1E7E64D18DCF94CB429BCECA4FCAA40
SHA-512:	4E4263CD282C28A6158AD38F4886B969CBEA6A068B2505FF7C987471647B9D6A9692E427250C29BB93BFE49E1CC54B33BC9C21E2260A8B55A6CEA6805A4F9ECF
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.3.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCA8B.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4711
Entropy (8bit):	4.443460785247048
Encrypted:	false
SSDEEP:	48:cvIwWl8zsrJg77aI9EXWpW8VYsYm8M4JV/ePFy/+q8vR/eEazZh3d:uIjfFI7Wm7V8JJ/K5azZFd
MD5:	457ACC6D5ECC363B02BF47C9B9344F08
SHA1:	D6740D1A9BECE9B1967C2D8927A56BAD670664E0
SHA-256:	C9CAC8B92BB31F81FB5EDF6C0B5381E0D0E25F149371D29F3B19C63CB3340590
SHA-512:	66161BD93632D0B08CD3FCBBCD5F2A5394F616875B70A4C8610121D581531B3B2C2FDB8F1511C8353183F4B959CE5E1754FF5E4A3E1948015E4D28CBDD48975A
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="637821" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4687080682713685
Encrypted:	false
SSDEEP:	6144:azZfpi6ceLPx9skLmb0fxZWSP3aJG8nAgeiJRMMhA2zX4WABluuNTjDH5S:8ZHtxZWOKnMM6bFpxj4
MD5:	D135C3FC9E05B031FAD7BF120BEEAF34
SHA1:	88EC68ADDA85A982FF2BC58F04AFE5295664EB77
SHA-256:	95A692320BF2AC4E64C80F99F70D800A5CBC5AB056B6FA2BE5B375492ED01435
SHA-512:	6F27DC22C7A99673C77DAA3EEBDEA8452919D4CBB8079F61561A88A7C2B015B869F94D04D02B2C00BD49DCC36586D0B185F1772DBC7BCE488ADB861678C7B4B1
Malicious:	false
Reputation:	low
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmj.pH.Q..............................................................................................................................................................................................................................................................................................................................................*.f\|........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.381035863719706
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	bPkG0wTVon.exe
File size:	3'084'288 bytes
MD5:	36274aefe69f86532cee326b878f06ff
SHA1:	6a33fb45bfa496c8559947640ae044b1d78d39b8
SHA256:	24616a11af126a9d80991d575949abcef8b0e30b816a1ddc3e1d0f63fe380e89
SHA512:	d166256935a99047ab55fa0d7c613435f2bd3afc5369dabb45f7866622a171d078a1c92f97f5fb7334466221d9dc9a2e295a778d8c22c81e666db271e3b63d42
SSDEEP:	49152:wRAJl5aVqggHv4KAOV6AEnSgRIgtZMZKYTMFOZPNF2fdMrngQQ:wsvJAKR4AEnFIe8KYTYCN02rnzQ
TLSH:	17E5CF1836DCAD51D9BB1339D4A000F8D6F27B01B692DBABA92873D52F0E3847E1D257
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....bg................................. ... ....@.. ......................../...........`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4f1ee6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6762DFC3 [Wed Dec 18 14:44:19 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [004F1EF4h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
enter 0F1Eh, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
ret
fbld [edx+67h]
add byte ptr [eax], al
add byte ptr [eax], al
add al, byte ptr [eax]
add byte ptr [eax], al
pop edx
add byte ptr [eax], al
add byte ptr [eax], bl
pop ds
ltr word ptr [eax]
add dword ptr [edi], ecx
add byte ptr [edx+53h], dl
inc esp
push ebx
punpcklwd mm4, mm1
xchg eax, esp
xchg eax, ebx
loope 00007F34806E8A5Ah
inc edx
mov dl, FFh
mov ecx, 0DBD3E20h
sbb eax, 00000001h
inc ebx
cmp bl, byte ptr [ebp+edx*2+73h]
jc 00007F34806E8A66h
pop esp
push edx
popad
imul esp, dword ptr [esi+6Fh], 6F735C6Eh
jne 00007F34806E8A64h
arpl word ptr [ebp+5Ch], sp
jc 00007F34806E8A57h
jo 00007F34806E8A61h
jnc 00007F34806E8A4Eh
inc ecx
jc 00007F34806E8A55h
popad
outsb
popad
pop esp
inc ecx
jc 00007F34806E8A55h
popad
outsb
popad
pop esp
bound ebp, dword ptr [ecx+6Eh]
pop esp
push edx
insb
popad
jnc 00007F34806E8A57h
pop esp
inc ecx
jc 00007F34806E8A55h
popad
outsb
popad
jo 00007F34806E8A57h
bound eax, dword ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf1e98	0x4c	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2f4000	0x596	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2f6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xf1efc	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xf1ef4	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x29e450	0x48	."@W
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xeff72	0xf0000	3e94d5bae1d0bb960c8f5f28afe5203d	False	0.7792093912760417	data	7.540602371038387	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.\C3	0xf2000	0x18465f	0x184800	2aa325b1d86903a44633411c262b0663	False	0.7537881073037324	COM executable for DOS	7.349314887296056	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
."@W	0x278000	0x7bb70	0x7bc00	51bb4349e5e634be3720f66baf47f03c	False	0.4955531881313131	OpenPGP Secret Key	6.421264542672329	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x2f4000	0x596	0x600	0526fa3a22a873f725c4c611e71e0f25	False	0.4140625	data	4.035639834367624	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2f6000	0xc	0x200	b66d2ab5fddf98e5b0436566a1645f55	False	0.048828125	data	0.12227588125913882	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x2f4090	0x30c	data			0.4282051282051282
RT_MANIFEST	0x2f43ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 19, 2024 08:19:32.737071037 CET	1.1.1.1	192.168.2.6	0xdece	No error (0)	g-bing-com.ax-0001.ax-msedge.net	ax-0001.ax-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 19, 2024 08:19:32.737071037 CET	1.1.1.1	192.168.2.6	0xdece	No error (0)	ax-0001.ax-msedge.net		150.171.27.10	A (IP address)	IN (0x0001)	false
Dec 19, 2024 08:19:32.737071037 CET	1.1.1.1	192.168.2.6	0xdece	No error (0)	ax-0001.ax-msedge.net		150.171.28.10	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: bPkG0wTVon.exePID: 6636, Parent PID: 4004

General

Target ID:	0
Start time:	02:19:02
Start date:	19/12/2024
Path:	C:\Users\user\Desktop\bPkG0wTVon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\bPkG0wTVon.exe"
Imagebase:	0x940000
File size:	3'084'288 bytes
MD5 hash:	36274AEFE69F86532CEE326B878F06FF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 7048, Parent PID: 6636

General

Target ID:	5
Start time:	02:19:03
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6636 -s 1396
Imagebase:	0xb80000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: bPkG0wTVon.exePID: 6636, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	26.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	100%
Total number of Nodes:	24
Total number of Limit Nodes:	0

Executed Functions

Function 01461098 Relevance: 12.3, Strings: 4, Instructions: 7261COMMON

Download Yara Rule

Strings

2,z, xrefs: 01461B0A
s, xrefs: 014637F3, 014637F8
%`=B, xrefs: 01461F43
)i">, xrefs: 01465B0D

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID: %`=B$)i">$2,z$s
API String ID: 0-205558389
Opcode ID: b961e1aad8599edb9c53c49f691fa665bbde9103110b4579d34cf16ebab30e25
Instruction ID: 4b4fa730c498a8929a19cf9e405fa8cf9f7f55111b211c1dfacb09e9729a75eb
Opcode Fuzzy Hash: b961e1aad8599edb9c53c49f691fa665bbde9103110b4579d34cf16ebab30e25
Instruction Fuzzy Hash: 80E33A75F0122A8FDB64DF29C840A9EB3B7FB88254F5545AAE409E7750DB30AD82CF50

Function 0146D5E8 Relevance: 4.6, Strings: 2, Instructions: 2102COMMON

Download Yara Rule

Strings

qj2 , xrefs: 0146EF81
:d*, xrefs: 0146E066

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID: :d*$qj2
API String ID: 0-3133915969
Opcode ID: 7a65f5d4473279fd6c44007bbf55615b6645b08c846a93c5b90d5bf76e49d94f
Instruction ID: ad729f8f2d3f92d62b972f664436ada89165acac1f2a8680fe84417cc535944c
Opcode Fuzzy Hash: 7a65f5d4473279fd6c44007bbf55615b6645b08c846a93c5b90d5bf76e49d94f
Instruction Fuzzy Hash: 45135E75E10229DFCB14DFA8E894A9DBBB2FF88314F14419AE909AB361DB319D41CF41

Function 0540DD78 Relevance: 3.2, Strings: 2, Instructions: 701
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0V16, xrefs: 0540DED4
-,G, xrefs: 0540E2BC

Memory Dump Source

Source File: 00000000.00000002.2232627690.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID: -,G$0V16
API String ID: 0-2930258375
Opcode ID: 01ffd5068d6dba063ddc273a8937e25b835fa00450f0295aeb59681f436fee10
Instruction ID: 75334a8285bc52195ef4bb68a0ccd192d5e4fdbd3117623ad4615f2f5cd33d05
Opcode Fuzzy Hash: 01ffd5068d6dba063ddc273a8937e25b835fa00450f0295aeb59681f436fee10
Instruction Fuzzy Hash: 8D623974A1121ADFCB08DFA8D590A9EBBB2FF89300F5084AED506AB350DB346D85CF51

Function 0540DE78 Relevance: 3.1, Strings: 2, Instructions: 608
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0V16, xrefs: 0540DED4
-,G, xrefs: 0540E2BC

Memory Dump Source

Source File: 00000000.00000002.2232627690.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID: -,G$0V16
API String ID: 0-2930258375
Opcode ID: 29670b126d33a06edb17c3fbb9aaf8915016e75fbfef2261a73406bd73f9782f
Instruction ID: 6cbdaab5ca8f4a64b199d94426aebdecc1feeddfe9dd8a270f6034bb0b452545
Opcode Fuzzy Hash: 29670b126d33a06edb17c3fbb9aaf8915016e75fbfef2261a73406bd73f9782f
Instruction Fuzzy Hash: 29520774A1120ADFCB58DFA4D590AADBBB2FF88300F6084ADD506AB350DB35AD85CF51

Function 0146B1B8 Relevance: 2.9, Strings: 2, Instructions: 379
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

=!2, xrefs: 0146B27A
4~+, xrefs: 0146B20F

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID: 4~+$=!2
API String ID: 0-3977499709
Opcode ID: e4cb9ce08dec8f68a69e91de72f435c5b67ee661e6c05ce92f8795aaab8477aa
Instruction ID: 6d9d4503e68cbcb721d5ba3f0f0111a6f38ab9c97c09e61f743c3f22f59a60e3
Opcode Fuzzy Hash: e4cb9ce08dec8f68a69e91de72f435c5b67ee661e6c05ce92f8795aaab8477aa
Instruction Fuzzy Hash: 84D19C39B104218FC749AB3DD49892D77E6FF8865435541BAEA0BEB371DE30DC058B82

Function 0540E878 Relevance: 1.9, Strings: 1, Instructions: 622
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

)_%v, xrefs: 0540EAE2

Memory Dump Source

Source File: 00000000.00000002.2232627690.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID: )_%v
API String ID: 0-3389739723
Opcode ID: 4206c92f8cce6b0883df40533a4cc38645c84b00da5a9e9f25521aedd9b3f756
Instruction ID: 009a0bbd3a23d6c1da6122d1cb46a5ab937b7fdb86350ad1061ca2e7c44417df
Opcode Fuzzy Hash: 4206c92f8cce6b0883df40533a4cc38645c84b00da5a9e9f25521aedd9b3f756
Instruction Fuzzy Hash: FA32F5346093918FC306CB28C961A96BBB1AF86310B1A85EBD555CF3A3DB35DC17CB91

Function 05406F98 Relevance: 1.8, Strings: 1, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 054073B6

Memory Dump Source

Source File: 00000000.00000002.2232627690.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 48392cdc3738d8d205e383ea75f7899dbc51d48ec1be258e3fb144ab97fc4754
Instruction ID: 49411f5241a836f9f92078dfb07117ea52149ce808d5740d61cf2f0b2f653cc1
Opcode Fuzzy Hash: 48392cdc3738d8d205e383ea75f7899dbc51d48ec1be258e3fb144ab97fc4754
Instruction Fuzzy Hash: B1228D71A006159FDB14CFA9C4809AAFBF2FF88310B25866AD919E7795D730FC46CB90

Function 054049C0 Relevance: 1.6, APIs: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtMapViewOfSection.NTDLL(?,?,00000000,?,?,?,?,?,?,?,?), ref: 05404A5E

Memory Dump Source

Source File: 00000000.00000002.2232627690.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_bPkG0wTVon.jbxd

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: b8ecfd9d3e23d2d74c8bfd05ecf70508482b24874ab262c1e7b692b4f4abfa8e
Instruction ID: c99bcd4f8cff5f53182c0196d8d2ce0bbbb9eef475fa1f2e75072945eed82083
Opcode Fuzzy Hash: b8ecfd9d3e23d2d74c8bfd05ecf70508482b24874ab262c1e7b692b4f4abfa8e
Instruction Fuzzy Hash: 5931E5769002099FDF10DFA9D880ADEBBF5FF4C324F14841AE919A7250C7759950CFA4

Function 054049B8 Relevance: 1.6, APIs: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtMapViewOfSection.NTDLL(?,?,00000000,?,?,?,?,?,?,?,?), ref: 05404A5E

Memory Dump Source

Source File: 00000000.00000002.2232627690.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_bPkG0wTVon.jbxd

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: e0a76a23e3d12a869ce595ecd9a3d8493eaf845a48ededba581187eebdc81e4b
Instruction ID: 4886952ce74be7d143830a985b1cc7bcf181ec746d2b5199962582b0d1eabe75
Opcode Fuzzy Hash: e0a76a23e3d12a869ce595ecd9a3d8493eaf845a48ededba581187eebdc81e4b
Instruction Fuzzy Hash: D631F1B6900209AFDF10CFA9D980ADEBBF5BF4C324F24841AE918A3250D7759950CFA4

Function 05404810 Relevance: 1.6, APIs: 1, Instructions: 64
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL(?,?,?,?,?,?,?), ref: 054048A4

Memory Dump Source

Source File: 00000000.00000002.2232627690.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_bPkG0wTVon.jbxd

Similarity

API ID: CreateSection
String ID:
API String ID: 2449625523-0
Opcode ID: b8d3d203f43302bae58fad7927ba2a0332a8b3bf8a4215d26cbe3321003f8f7d
Instruction ID: cf4988d52803c6c36587852805f8d8faef23bb684c51a5139af3b614a1ca4f80
Opcode Fuzzy Hash: b8d3d203f43302bae58fad7927ba2a0332a8b3bf8a4215d26cbe3321003f8f7d
Instruction Fuzzy Hash: 362126B6D0125AAFDF00CF99C980ADEFBB4BF48310F20842AE918A7240D7759950CB94

Function 05404818 Relevance: 1.6, APIs: 1, Instructions: 64
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL(?,?,?,?,?,?,?), ref: 054048A4

Memory Dump Source

Source File: 00000000.00000002.2232627690.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_bPkG0wTVon.jbxd

Similarity

API ID: CreateSection
String ID:
API String ID: 2449625523-0
Opcode ID: 64e906c230f3f7c9ea950c70bfed6ebeb10d27c8c2b4a9023251c0fc7106928a
Instruction ID: 3c5b537eb9186ea288c0fe103b75d6f441aae4eb9de5038b6457e9412d8034c8
Opcode Fuzzy Hash: 64e906c230f3f7c9ea950c70bfed6ebeb10d27c8c2b4a9023251c0fc7106928a
Instruction Fuzzy Hash: 0221F5B1D01259AFDF00DF9AD980ADEFBB5FF48710F20852AE518A7240C7759910CB94

Function 05404740 Relevance: 1.6, APIs: 1, Instructions: 63
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtOpenFile.NTDLL(?,?,?,?,?,?), ref: 054047C9

Memory Dump Source

Source File: 00000000.00000002.2232627690.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_bPkG0wTVon.jbxd

Similarity

API ID: FileOpen
String ID:
API String ID: 2669468079-0
Opcode ID: f75823b01a37093944d05d2e7adae6197e6027e8e767a06a2a539fa6e21b102c
Instruction ID: de01e3d81b96e9c4f3381baaa526906bfd47793716e93322177ed35c39d5bbfa
Opcode Fuzzy Hash: f75823b01a37093944d05d2e7adae6197e6027e8e767a06a2a539fa6e21b102c
Instruction Fuzzy Hash: 7D21F4B1D01219AFDF00CFAAD980ADEFBF4FF48710F20812AE518A7240C7759910CBA5

Function 05404320 Relevance: 1.6, APIs: 1, Instructions: 63
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 054043A9

Memory Dump Source

Source File: 00000000.00000002.2232627690.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_bPkG0wTVon.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a042cfa694942a292de64320037e6d3c575ab4de22dd4d10a45898a499765056
Instruction ID: f9198deff0c64eb44a0a0e2a76bf2b085dc6073a83ab606c6eac76468e0d6d85
Opcode Fuzzy Hash: a042cfa694942a292de64320037e6d3c575ab4de22dd4d10a45898a499765056
Instruction Fuzzy Hash: B221C0B19013499FDB10DFAAD980ADEFBF5BF48310F20842AE519A7250C775A910CBA5

Function 0540473A Relevance: 1.6, APIs: 1, Instructions: 62
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtOpenFile.NTDLL(?,?,?,?,?,?), ref: 054047C9

Memory Dump Source

Source File: 00000000.00000002.2232627690.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_bPkG0wTVon.jbxd

Similarity

API ID: FileOpen
String ID:
API String ID: 2669468079-0
Opcode ID: 279a59256a2aebf009c3036d4268e474956942968089cd92043b7d75dc45b696
Instruction ID: 9db192dad6bca2c98df5d4e77de8742f83425b158f69b5ac7c16562e7249218d
Opcode Fuzzy Hash: 279a59256a2aebf009c3036d4268e474956942968089cd92043b7d75dc45b696
Instruction Fuzzy Hash: 4F2105B5D01219AFDF00CFA9D981AEEFBF4FF48710F20852AE518A7240D7759910CBA4

Function 05404B70 Relevance: 1.6, APIs: 1, Instructions: 62
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDeviceIoControlFile.NTDLL(?,?,?,?,00000000,?,?,?,?,?), ref: 05404BFE

Memory Dump Source

Source File: 00000000.00000002.2232627690.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_bPkG0wTVon.jbxd

Similarity

API ID: ControlDeviceFile
String ID:
API String ID: 3512290074-0
Opcode ID: fdcc4aaa586c73268ea128fcc5a5d5e70b0f544407db94f9df2ae76680ec313f
Instruction ID: 1bac8968fb3fae1a39c8185bad9913583161a08f945bdc381279906b546a1fb5
Opcode Fuzzy Hash: fdcc4aaa586c73268ea128fcc5a5d5e70b0f544407db94f9df2ae76680ec313f
Instruction Fuzzy Hash: 882125B29002499FDF10CFAAC940ADEBBF5BF48324F15841AE619A7250C7759950CFA0

Function 05404B78 Relevance: 1.6, APIs: 1, Instructions: 62
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDeviceIoControlFile.NTDLL(?,?,?,?,00000000,?,?,?,?,?), ref: 05404BFE

Memory Dump Source

Source File: 00000000.00000002.2232627690.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_bPkG0wTVon.jbxd

Similarity

API ID: ControlDeviceFile
String ID:
API String ID: 3512290074-0
Opcode ID: bf324668d7ad2f5d96f4398470e34c21b8cf3876543c0b267d2578efa63ef5aa
Instruction ID: 46e23fde88ddcfdd768fc6e00be82fd03f9cd90ec333cdaa68f6e91ad7b5e3ed
Opcode Fuzzy Hash: bf324668d7ad2f5d96f4398470e34c21b8cf3876543c0b267d2578efa63ef5aa
Instruction Fuzzy Hash: 532114729002499FDF10CFAAC840ADEBBF5FF88324F14842AEA19A7250C7759950CFA1

Function 0540431A Relevance: 1.6, APIs: 1, Instructions: 62
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 054043A9

Memory Dump Source

Source File: 00000000.00000002.2232627690.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_bPkG0wTVon.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: fc6b69b3f6a2c9f771368ff3d43b47775e4ec61128791274f3bf748ede263881
Instruction ID: dff4d484a26b0dd00aaeb40c7fead5d6f2cea4c13ef8153337609dc874d8c332
Opcode Fuzzy Hash: fc6b69b3f6a2c9f771368ff3d43b47775e4ec61128791274f3bf748ede263881
Instruction Fuzzy Hash: 5E21FFB1D013499FDF10CFAAD980AEEFBF5BF48310F20842AE519A7250D775A910CBA5

Function 054043F8 Relevance: 1.6, APIs: 1, Instructions: 61memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?), ref: 0540447B

Memory Dump Source

Source File: 00000000.00000002.2232627690.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_bPkG0wTVon.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: be55062eb88b4b830515cba1fc17c1d1b1505897460be17711ccda6e7b20c3da
Instruction ID: bfcda77b28fde926e9229b68644bf9e38e9e53e934cedc50936f92c5826014c7
Opcode Fuzzy Hash: be55062eb88b4b830515cba1fc17c1d1b1505897460be17711ccda6e7b20c3da
Instruction Fuzzy Hash: E92114B19003499FDF10CFAAC881ADEFBF5BF48310F10842AE519A7250C7759910CBA4

Function 054043F2 Relevance: 1.6, APIs: 1, Instructions: 60memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?), ref: 0540447B

Memory Dump Source

Source File: 00000000.00000002.2232627690.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_bPkG0wTVon.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 3231cd96e3a4452404d1efa4f52635db0b362f39eb5f93aa9eaedc366a765345
Instruction ID: efd12f231507cf6292adf62cc04abe5efd6012c0f43ddf3905b235418ae34ee4
Opcode Fuzzy Hash: 3231cd96e3a4452404d1efa4f52635db0b362f39eb5f93aa9eaedc366a765345
Instruction Fuzzy Hash: C52123B6D003099FDF10DFAAC981ADEFBF5BF48310F20842AE619A7250D7759910CBA0

Function 05404AA9 Relevance: 1.6, APIs: 1, Instructions: 59filenativeCOMMON

Download Yara Rule

APIs

NtQueryVolumeInformationFile.NTDLL(?,?,?,?,?), ref: 05404B27

Memory Dump Source

Source File: 00000000.00000002.2232627690.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_bPkG0wTVon.jbxd

Similarity

API ID: FileInformationQueryVolume
String ID:
API String ID: 634242254-0
Opcode ID: c7d9304236a35c3290e802a20aa3baa1231fb8d2143a5f1358d16be59b41a66f
Instruction ID: 2e81a9b3d1677895388883caaa64d08cd6e32d695b78380397562f3c772169d5
Opcode Fuzzy Hash: c7d9304236a35c3290e802a20aa3baa1231fb8d2143a5f1358d16be59b41a66f
Instruction Fuzzy Hash: 502115B19003499FDB10DFAAC884BDEFBF4BF48314F14842AE519A7250C7759904CFA1

Function 05404AB0 Relevance: 1.6, APIs: 1, Instructions: 57filenativeCOMMON

Download Yara Rule

APIs

NtQueryVolumeInformationFile.NTDLL(?,?,?,?,?), ref: 05404B27

Memory Dump Source

Source File: 00000000.00000002.2232627690.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_bPkG0wTVon.jbxd

Similarity

API ID: FileInformationQueryVolume
String ID:
API String ID: 634242254-0
Opcode ID: 264c6d40dcdc485c831a457c007c0ca51d22faa983ede3526c58b87a6a673b62
Instruction ID: d5d6f13bef197e0917c9b039e9067a670265fea005aec759a3998901641141e3
Opcode Fuzzy Hash: 264c6d40dcdc485c831a457c007c0ca51d22faa983ede3526c58b87a6a673b62
Instruction Fuzzy Hash: 152115B19002499FDB10DFAAC844BDEFBF4BF48310F10842AE519A7250C7759900CFA1

Function 05403E68 Relevance: 1.5, APIs: 1, Instructions: 49nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL ref: 05403ECA

Memory Dump Source

Source File: 00000000.00000002.2232627690.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_bPkG0wTVon.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 1d85a3003393c7bfe2a67bc69ba6910973ae09308d9429ac76e20db218ceb056
Instruction ID: b14c71110b6928fe9625a8918cd76a0ced82d03ef0bc7b1938581560aace6a0c
Opcode Fuzzy Hash: 1d85a3003393c7bfe2a67bc69ba6910973ae09308d9429ac76e20db218ceb056
Instruction Fuzzy Hash: EE110AB19003498FDB10DFAAC4457DFFBF5EF88724F24881AD519A7240CB75A944CB95

Function 05403E62 Relevance: 1.5, APIs: 1, Instructions: 48nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL ref: 05403ECA

Memory Dump Source

Source File: 00000000.00000002.2232627690.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_bPkG0wTVon.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 1cacb6ca1ba22c7d52c81cdf65d7f5d1286536e4db68a0a2857da85dcf65db6c
Instruction ID: 490824f664866f20cfde148f1ed77ab6a245a3acb59924333cb4c3322f901fb4
Opcode Fuzzy Hash: 1cacb6ca1ba22c7d52c81cdf65d7f5d1286536e4db68a0a2857da85dcf65db6c
Instruction Fuzzy Hash: 2C116AB1D00349CFDB10CFAAC5457EEFBF4AF88724F24881AD119A7240C775A900CB94

Function 0540F208 Relevance: 1.5, Instructions: 1477COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2232627690.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15494350a9795a523f0eb5c54ad4b03909471b4908a3a186b4e0b3815feeaccd
Instruction ID: 40871d18f2142469f4901edc3e053011ac839aae341d743a10760da3fb678684
Opcode Fuzzy Hash: 15494350a9795a523f0eb5c54ad4b03909471b4908a3a186b4e0b3815feeaccd
Instruction Fuzzy Hash: BCF1F8357082909FC316DB68D960B66BBA6EF86310B2984FBD549CB393CA31DC17C791

Function 01468EC8 Relevance: .5, Instructions: 488COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65ebfc34c572bbea5c1b2f90659fe3cc991777d1aaf2c6527394af678434230e
Instruction ID: ffddb9ef84208052d3ad6abccc2def3b7827cfcb0e9c1615c839ad7839eefbed
Opcode Fuzzy Hash: 65ebfc34c572bbea5c1b2f90659fe3cc991777d1aaf2c6527394af678434230e
Instruction Fuzzy Hash: AF129775E012098FCB08CFA9DA905EEBBF2BB88314F20456AD906FB360D7719D41CB61

Function 01469700 Relevance: .5, Instructions: 479COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b19e7287e6999e3c63c49a222b83f792cb781fd9306b580af6840e3a3e93491d
Instruction ID: d2deedf175332d518528659a77a47fc4b9fd497285c0747a7e8728de7036aec8
Opcode Fuzzy Hash: b19e7287e6999e3c63c49a222b83f792cb781fd9306b580af6840e3a3e93491d
Instruction Fuzzy Hash: 7BF1BF72B003058FDB18CFA9C8D05AEB7F6BF98318B15816ED506DB362DAB49C46CB51

Function 0146BD68 Relevance: .4, Instructions: 421COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b1ad3afa4f8b35d9ae51dab9810e36da5f4df7683ee695c5bc491e77a67a7b8
Instruction ID: b81dd281a7d3372b1da38d40cab95e3b11cd07cdd6d1d5d86989af690a3b81f2
Opcode Fuzzy Hash: 2b1ad3afa4f8b35d9ae51dab9810e36da5f4df7683ee695c5bc491e77a67a7b8
Instruction Fuzzy Hash: D1D14676F101218B8B19AA7D489417E69DBABD8658349447FDA0BFF3A4DE70CC0687C3

Function 054020C0 Relevance: .4, Instructions: 360COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2232627690.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac248d2d47cfc77922b73d6f17fc4b3af054f3b1b714e40cc8756f40a4084d99
Instruction ID: aac2b7295f3e97750ee6ddad96ff210702e3b8b8fd0886cc08b265a96463a4ba
Opcode Fuzzy Hash: ac248d2d47cfc77922b73d6f17fc4b3af054f3b1b714e40cc8756f40a4084d99
Instruction Fuzzy Hash: 75C10876F142258FC714DFA9C8849AEB7E2BFC421071A45BAD919EB391D7709C01C7D1

Function 05400990 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2232627690.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fc52a712733df4f27dadfb19c3412a43515e678d51b22349e312de7b3b77c8e
Instruction ID: 396555b6565fce15fc9281670b1c3e1f46386832e0cc61decefbbc3ec0f9ee77
Opcode Fuzzy Hash: 9fc52a712733df4f27dadfb19c3412a43515e678d51b22349e312de7b3b77c8e
Instruction Fuzzy Hash: 8EC14834B043098FDB14DFA9C894A9DB7F2BF88300F6581AAD509EB365DA71AC45CF50

Function 05403398 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2232627690.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea6559725b0529ca235c5e4c510ef100f1fdb0d9d3dba1a54ea436f91b56307e
Instruction ID: 0fb54811ba209a54bb8c0ac1c06e8e178ba104b65352bff6338ed3d1847a6554
Opcode Fuzzy Hash: ea6559725b0529ca235c5e4c510ef100f1fdb0d9d3dba1a54ea436f91b56307e
Instruction Fuzzy Hash: FEA13F76F101258FCB14DFADD98499DBBF2FF88310B15856AE90AEB361D6359C05CB80

Function 01468EB8 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2e86269ad566c4d0b1cd2cf8c2c7fa83d830e9a20a56cd8baf3e728404916cc
Instruction ID: bf272a7bf830472cb44377a7485d67126f77e21fd59b49ce36031fff2d66daf4
Opcode Fuzzy Hash: b2e86269ad566c4d0b1cd2cf8c2c7fa83d830e9a20a56cd8baf3e728404916cc
Instruction Fuzzy Hash: 63B1F275E012098FCB58CFA9D6905EDBBF2BB88314B2040AAD506FB361D7769E41CF25

Function 05404C50 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2232627690.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e4027b6c1552a047517a69a20ef6f61b63aafb6330d275eb6fb478000fcfd6e
Instruction ID: acabd6dc2d10a7ef30c0ace09a60f6142c5210788c510bc2627233dfaf5d0ebc
Opcode Fuzzy Hash: 7e4027b6c1552a047517a69a20ef6f61b63aafb6330d275eb6fb478000fcfd6e
Instruction Fuzzy Hash: 94919E72E002268BCB14EF79C58459EB7B2BF84214766857AD816FB394DB35EC41CBD0

Function 05400980 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2232627690.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 134256bb1f67385254e318e15b0b310e53c3d66da5f89931d954ec6448b1f84b
Instruction ID: 615a403dabc43b1592291d4ce58f7f407ccb26839746fdfc92f488a94e6c767b
Opcode Fuzzy Hash: 134256bb1f67385254e318e15b0b310e53c3d66da5f89931d954ec6448b1f84b
Instruction Fuzzy Hash: E4714A35F143098BDB28DFA9C894B9EB7F2BF98200F65816AD409EB351DB70AD458F50

Function 05404C40 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2232627690.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6930edc45316caa824fe20d14a881a87429ec0c448774ef2055bf320412ce274
Instruction ID: 6b60f036ff488e648a249a7bfae2aec271470bd568e773a5dadc7ee6b0d617f3
Opcode Fuzzy Hash: 6930edc45316caa824fe20d14a881a87429ec0c448774ef2055bf320412ce274
Instruction Fuzzy Hash: D451B172E016268BCB28AF79C94449DB7B2BB98255326457ED806EB3A0DB319C41CBD0

Function 0146BAD1 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22cf1226505d1926d32303d4c97cfb3fe7e33020ef3b0796dfd38fcf71448cfe
Instruction ID: a52c97a713cd30e4e74ace68b48dd59e1cc161d5e9956ba66e577d7374f4babc
Opcode Fuzzy Hash: 22cf1226505d1926d32303d4c97cfb3fe7e33020ef3b0796dfd38fcf71448cfe
Instruction Fuzzy Hash: 4F51C377F101258FCB18DFADC88449AB7BAEB94214716806AE906FB335DB759C01CBD1

Function 0146BAE0 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e50e4f08b4b13b53e06303036ee35df876228bfc0dc7cbb8d88cfbcfa5c46074
Instruction ID: cd521d3355d6baf12338a4be82a3ac5eca3d22f67457328410607270baf9f374
Opcode Fuzzy Hash: e50e4f08b4b13b53e06303036ee35df876228bfc0dc7cbb8d88cfbcfa5c46074
Instruction Fuzzy Hash: 8041B376F101258F8B18DFADC48449AB7BAEB84214316806AED0AEB324DB759C41CBD1

Function 0146C478 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a049c5a44170d25c068a92d94694d98080831febc43e4b2defab1c1ef49de18c
Instruction ID: 9dccf65713bae4549bad3eb7e678ee303d4ef3c95d16072810dd68f846927c20
Opcode Fuzzy Hash: a049c5a44170d25c068a92d94694d98080831febc43e4b2defab1c1ef49de18c
Instruction Fuzzy Hash: 0B419D337043364FC70996BDA89416E7B96EBC1564749057FDA4EE73A1DE248C0283D5

Function 0146C9D8 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec80d86c7faf46952e75872c75da4808216c73fdeef1903f36d83cc49213e30
Instruction ID: cce157d717aa0372b244a4799081692c0c6725e141faa85dda84ffd28acb06e9
Opcode Fuzzy Hash: cec80d86c7faf46952e75872c75da4808216c73fdeef1903f36d83cc49213e30
Instruction Fuzzy Hash: E241D476B011118FD754CF3DD884A6A77E6AF8862871A41BAE549DB372DB31DC01CB81

Function 0146CC38 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34d21d142679e3348da6d1070aaee1dc6d5eb91b928a229616908fa685373ca1
Instruction ID: 1ab5c4cc814f2dd4b1fb4bf70b1a3fcbe79dba160fdac6e701e2870590b1ab8c
Opcode Fuzzy Hash: 34d21d142679e3348da6d1070aaee1dc6d5eb91b928a229616908fa685373ca1
Instruction Fuzzy Hash: 52411836B101244FDB44DF6DC884E6A7BEAEF8966471640AAEA09DF372DA31DC01C790

Function 0146CC6A Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aee2e46266e3cfda24cbaa4bf8935701a52418f749b6b2279c089820c67744e0
Instruction ID: b0fe9623a463b8f970257c486aaa615a8716ed7d24cced3f6044e26b1777879c
Opcode Fuzzy Hash: aee2e46266e3cfda24cbaa4bf8935701a52418f749b6b2279c089820c67744e0
Instruction Fuzzy Hash: A8411736B101204FDB44DF6CC894A6E7BEABF89264B1640AEE906DF371DA30DC01CB90

Function 0146CC78 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f06a786417e9f5cf3c978734e852c219b3c8c23197fad090e786427ea443ce1e
Instruction ID: 5b0437d16aaa25251ca94d55341c03f266aba310144cc33d4bf97b24ea6c568d
Opcode Fuzzy Hash: f06a786417e9f5cf3c978734e852c219b3c8c23197fad090e786427ea443ce1e
Instruction Fuzzy Hash: 8331D636B101244FDB44DF2DC894A6B7BEABF8966471641AAEA06DF371DE70DC01CB90

Function 01468AF0 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ab58851422df95d46a43531b123195a99908ef1afd74fcfcb4cd653829135f3
Instruction ID: 2d0f2a00633791c79546d15c09a39179e9e032c5599ff3c411c6ca5f9887e4e1
Opcode Fuzzy Hash: 6ab58851422df95d46a43531b123195a99908ef1afd74fcfcb4cd653829135f3
Instruction Fuzzy Hash: 54417B75E00706CFCB14CF65C548959BBB6FF88314B15856AE806AB321CB71AC82CB81

Function 0146A628 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c002714020f705200f8456eab9c0aafaa20e0292f4f35a2582198575e334dd5
Instruction ID: d9e510a513248612ddd99602772ccab3332763105e1adb75d2c6a21d96c7ffea
Opcode Fuzzy Hash: 3c002714020f705200f8456eab9c0aafaa20e0292f4f35a2582198575e334dd5
Instruction Fuzzy Hash: F931C471E016189BDB05DFA9C490BAEBBFAEF88304F24406AD605BB360DB359C01CF91

Function 0146D070 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d91fab2a706a244408ca73f4f5ddc3030b17302ff573f739d633d97e58ce918d
Instruction ID: c77f6fa90f23c844bca74f03f302f97b421e671d1231ed9863b35b9d4bfdab6c
Opcode Fuzzy Hash: d91fab2a706a244408ca73f4f5ddc3030b17302ff573f739d633d97e58ce918d
Instruction Fuzzy Hash: 923101367043519FC311AB69C850A1A77EAEFD936972684BFD109CB371CA71EC02CB91

Function 0146077D Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82e474940326dbca045273329109e4c5de2c295b27eef213252ed13a6f47a957
Instruction ID: 77f0f7471884ffd8609061f6a39a92784e288b54084a83d24279ac03d8d02179
Opcode Fuzzy Hash: 82e474940326dbca045273329109e4c5de2c295b27eef213252ed13a6f47a957
Instruction Fuzzy Hash: CE314D6194E3D29FD7438BB499652C97FB0AF47224B0E40EBC085CF0A3DA7C094AC766

Function 0146F228 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56737e639f2b6bdef57f4b49da95b4fc89b12014afa9fe1ef432e507b8f684b5
Instruction ID: 1b1a165e545947d957ed4e4476562d5bb6acd0bfe1dc2c6212e3f8d3b8da7131
Opcode Fuzzy Hash: 56737e639f2b6bdef57f4b49da95b4fc89b12014afa9fe1ef432e507b8f684b5
Instruction Fuzzy Hash: BA41F470D1022DDFCB15CFA4E891ACDBBB1BF44304F50869AE905BB260D7716985CF91

Function 0146D777 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c1f5bebb6acb9cf58c5646054a49cfa85cb97a1f500261fe6324eab731b8756
Instruction ID: c2d179b1e77282470f29448e480c8edd58c5e936cb7b030fd069fdf740d96fb1
Opcode Fuzzy Hash: 8c1f5bebb6acb9cf58c5646054a49cfa85cb97a1f500261fe6324eab731b8756
Instruction Fuzzy Hash: C521E972F00216CFCB10DBA9C88486EFBB6BF95244B55806BD949A7365DB308C01C792

Function 01468ADF Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 579cbeb6de5dbbf54974585b292faeb8ae973f83df743dcb270fa973d0b4ef1b
Instruction ID: 999d71cf9729160ac7ce84b5d0199b6771c954b761228a3f6ad48d3623d7372a
Opcode Fuzzy Hash: 579cbeb6de5dbbf54974585b292faeb8ae973f83df743dcb270fa973d0b4ef1b
Instruction Fuzzy Hash: 1F21B676B003118FC715DF69D448869BBB6EF88224719847AD906EB361CB31DC43CB81

Function 01469D50 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce5b7097f461d1b6243e49a75539b30f4e2e02fec4cafbe9dfa4bf0a34e7ce18
Instruction ID: 3b70a3def94fdd46d9d1738d03aac2138202b1f19c032e4a022a4e56ee0a4248
Opcode Fuzzy Hash: ce5b7097f461d1b6243e49a75539b30f4e2e02fec4cafbe9dfa4bf0a34e7ce18
Instruction Fuzzy Hash: 8621FFB2D00226EFCB10AFA5C9804EEBB76FF50218B40053ED819A7750C7769C51CBC2

Function 0146D788 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db4049ec39d67a11628bb128d4bcbc763b332152355b05a4e1cebccc8e8b5107
Instruction ID: 54e889f6d468e6a0efe9bc5df69e687be0795310309612c6e7d6baaac6b52eff
Opcode Fuzzy Hash: db4049ec39d67a11628bb128d4bcbc763b332152355b05a4e1cebccc8e8b5107
Instruction Fuzzy Hash: 35210672F00216CFCB10DBADC88486FFBBABF94204B56406AD909AB365DB319C01C792

Function 0146D42F Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b287acbb792bf9ec1bfd00d3b5a27f4fd4dd9cd6fbe61783339ea22fd0673018
Instruction ID: 267c32388b76be1fe8dbd9d0c9622306a8136789658b1a8db2009c06a1258477
Opcode Fuzzy Hash: b287acbb792bf9ec1bfd00d3b5a27f4fd4dd9cd6fbe61783339ea22fd0673018
Instruction Fuzzy Hash: 9E216832B00211AFC710DB69D840A95B7EAEBD122DB29C07AD449DB725D736FC02CB81

Function 01469D60 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5330bdb81c2da9462ff6001e63c4cf829202c3e95db2b416bc2351048c625392
Instruction ID: 6f5cb07a05ec0326cc6714187115e5b4cb4a686f60a30a7158187bd06bf16fe5
Opcode Fuzzy Hash: 5330bdb81c2da9462ff6001e63c4cf829202c3e95db2b416bc2351048c625392
Instruction Fuzzy Hash: E221CFB2D00226DFCB14AFA5D9804EEBB76FF50218740453DD91967710C7769C51CBC1

Function 01468E00 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 483cc2031fe0c18cf0879183a7d5dbbe7d2ba8ca49c0b88e02fc09313fec511a
Instruction ID: 23a462e82962ac8830d3c2c71d450063a7becb96e106ee215e1094b27dab319c
Opcode Fuzzy Hash: 483cc2031fe0c18cf0879183a7d5dbbe7d2ba8ca49c0b88e02fc09313fec511a
Instruction Fuzzy Hash: 6D113673B041514FE318CE6A8C846AAB7E7EBD832171F85BFD80ECB255DA348C068B50

Function 0146A8D7 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57980593c7bc8df2857204e38ae19b733993e9c09374651935311bc0f4be9e4b
Instruction ID: a9e9498efb4fe5e6f29884d95cc75861d91a514c4fcb5da32b93b8cb41c84912
Opcode Fuzzy Hash: 57980593c7bc8df2857204e38ae19b733993e9c09374651935311bc0f4be9e4b
Instruction Fuzzy Hash: 1C11C176B106148FC3089F7CD49485A77E6EF9922572745BEE409EB371CA31CC41CB81

Function 0146A8E8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1746dcb02322a4577a77072c67180aa307e1239adaf2397b1091c7d5cb023ceb
Instruction ID: a233813f34b96c80e136c0986a6cb21dd323d515d829cc57f955ffd2c09634ff
Opcode Fuzzy Hash: 1746dcb02322a4577a77072c67180aa307e1239adaf2397b1091c7d5cb023ceb
Instruction Fuzzy Hash: A9118E3AB102248F8308DF6DD45481AB7EAAF8922532641B9E909EB371CA35DC41CB90

Function 01468BB9 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 122b8b1f2b4e53c66884bfc0f8bff00864ac3dd7a6d6a7d1c17254cd23e604fc
Instruction ID: bd5c1397ccdd97fea47a13c17fc8f87ad7d1deec3c1959c50f3f85e02606e47e
Opcode Fuzzy Hash: 122b8b1f2b4e53c66884bfc0f8bff00864ac3dd7a6d6a7d1c17254cd23e604fc
Instruction Fuzzy Hash: 4E11A376E01315CFCB14DF68D548929BBA6EF8421870A44AAED02EF371C771DC82CB82

Function 01468E28 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 352d37bda8d202608c4e6d1ef7074194d7fe3b1d17bd9d4784f4af28bcc0cd76
Instruction ID: d2b29aa2e24d771003a7436805e706c536b0abd2d45cd55922340400b330ba6e
Opcode Fuzzy Hash: 352d37bda8d202608c4e6d1ef7074194d7fe3b1d17bd9d4784f4af28bcc0cd76
Instruction Fuzzy Hash: FD01D437B045154BA718CE6EDC85666B7EBABC832031EC17FA80DCB319CA759C058790

Function 0146C468 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea51fbaf9727eab41a4be80871b37c1bbf262c0ac651493fcea507dde8ce07c0
Instruction ID: 90e8828f863d85d3a8f73e05ed1ef4d2373f86b791ff7ee21ba2362ee25c115f
Opcode Fuzzy Hash: ea51fbaf9727eab41a4be80871b37c1bbf262c0ac651493fcea507dde8ce07c0
Instruction Fuzzy Hash: 49012632B0066A4BD718C9ECE8845BABBA6EBC4324704423BE118DB260CBB49C028790

Function 054200F5 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2232674951.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 107d6476cc41013fcb91548b9a7a314418a4e74646fe6e59d0af70b40ffeb25c
Instruction ID: 8ff9faf4801cd8d56878a31011765d0d61ae7aa414c174617bbfff5276102845
Opcode Fuzzy Hash: 107d6476cc41013fcb91548b9a7a314418a4e74646fe6e59d0af70b40ffeb25c
Instruction Fuzzy Hash: 7FF09015B0E3B54FC726577A18280A67BF22A8355039941E7C484CB297D929884BC793

Function 0146B7E0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eed4c7ee2c7bbd5957f790b47e054450c26695858eb6de291a0092dc2a94ef4
Instruction ID: dc6131d73fdafb6a595ef16a90bde8e5496df68f7aedef09f0fc8fa5442b6c21
Opcode Fuzzy Hash: 7eed4c7ee2c7bbd5957f790b47e054450c26695858eb6de291a0092dc2a94ef4
Instruction Fuzzy Hash: E0F027317083128FC316673AA81442A77EAEFE616431404BFD50ED7360CE329C02C7A2

Function 0146F85D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70d376c9169ab450f45486a0676c7760f99f4ca001250c811501092434cba746
Instruction ID: d8a56d3e83d1df20ca56e97af592a6b00798f24719f9a154e7b81474d84c23ac
Opcode Fuzzy Hash: 70d376c9169ab450f45486a0676c7760f99f4ca001250c811501092434cba746
Instruction Fuzzy Hash: 09F0E231A443654FD395A7789C5039D7BB46FD1290F2405EBE109EB2A1DE248C4ACB51

Function 0146B7F0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a46d83cb07cb1a593b4ace7f7ef35f23de56a4b464795664cd60358c548652c9
Instruction ID: 9bb3daa1869989d8152edb65e811d74bcbf74cd2c18c0a5bcf7776ddb370d627
Opcode Fuzzy Hash: a46d83cb07cb1a593b4ace7f7ef35f23de56a4b464795664cd60358c548652c9
Instruction Fuzzy Hash: BAE092317003129B8215663BA81041E73DFEFF9169350083ED10ED7360CE71EC0287A5

Function 0146082D Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 372e1336e244ce309d38cf46208af2bc06d80f0833e965cca24e8c09036e9385
Instruction ID: 71c3d60a176617049066ca82b258216a83687aef136c8aba9f338063a1fca525
Opcode Fuzzy Hash: 372e1336e244ce309d38cf46208af2bc06d80f0833e965cca24e8c09036e9385
Instruction Fuzzy Hash: CDF0B431D09385DFCB56CBA4961455C7FB1DF4224070A40EFD405CB1A2D9308E04C711

Function 0146C9E8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61e83f61455b6cd3acacfde2c407a5975c6ddd131c4cf973bfbadd02b8343e13
Instruction ID: e5be1ed55674d9530ffec6266442df1f4e1fbbeaacce3c47b904a3018414437c
Opcode Fuzzy Hash: 61e83f61455b6cd3acacfde2c407a5975c6ddd131c4cf973bfbadd02b8343e13
Instruction Fuzzy Hash: 20E04F35700212DF8758AB3AD40081A73EADFE966936540BED409CB730CE71EC42C791

Function 0146D0C8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 200ef16514bac32ff5acd91b40b27400c45a9b12157d56dc08b98580869c125f
Instruction ID: 6099f2941c575988f784cfdcc2b7a01ed0da247684e2d782c26a9d8411dfa32e
Opcode Fuzzy Hash: 200ef16514bac32ff5acd91b40b27400c45a9b12157d56dc08b98580869c125f
Instruction Fuzzy Hash: 8BE04F353105115F8604EB6ED454C19B3EAFFCEA6531104BEE20ACB370CE71EC018B94

Function 0146D440 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b071ee0488e636f97b3f3af43992abc19c46170158dc21e3a50187d1f25ea4f
Instruction ID: fcc0edf4d36056d7df54bb2e11b9a6bc3379447a48ae18bed2cf09f01626450f
Opcode Fuzzy Hash: 8b071ee0488e636f97b3f3af43992abc19c46170158dc21e3a50187d1f25ea4f
Instruction Fuzzy Hash: 6FE01A35701711CFC369AB3AD004819B7EAEF9A22935084BED84A8BB34CA32EC41CB40

Function 0542014D Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2232674951.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ede13ba0581dcc90292b4cd5976acb4f6339e854eda92a31a6256e7d6f039a5
Instruction ID: 8ec3a53bfb67bb0b48461c4dc89d98c5d563eee06ae8367f6d44b07bf9b1fe36
Opcode Fuzzy Hash: 8ede13ba0581dcc90292b4cd5976acb4f6339e854eda92a31a6256e7d6f039a5
Instruction Fuzzy Hash: 20E04F2450E3E45FD7A74B7448394F17FF26A5321038AD1E7C484CF1A7DA690985C763

Function 01460848 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31f2ff65164514fe874be1977e1e65238f967363bfd281f9af0cf471753f06dc
Instruction ID: e01c6b7906224428f9ebaa8def54a7579e451a0ca816d27d6e39bca67f353f1c
Opcode Fuzzy Hash: 31f2ff65164514fe874be1977e1e65238f967363bfd281f9af0cf471753f06dc
Instruction Fuzzy Hash: 67D01232E0120EEF8B44DFA5EB0595D77F9EB4924075440A99905D3250EA311F009754

Function 0146CC48 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ee8e2b20919cdda6c1ae22023fff9c10f6ac73390311b789c8f37aa27d1708f
Instruction ID: 52595a7af2e4de061e2688e64fcb47eecf666ce389b37b697b93cb5b1817a7bb
Opcode Fuzzy Hash: 2ee8e2b20919cdda6c1ae22023fff9c10f6ac73390311b789c8f37aa27d1708f
Instruction Fuzzy Hash: E3D0C9363101249F8640DA5DD440C41B3ECEF4D6343158099E50CCB322D662EC038B90

Function 0146CA50 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73a5012bc9718f41ecddf22eb8e65365f364c913bce36dff3da9bcc525ad1969
Instruction ID: 88eb40e917cdf194bf7601680b3d9cf14a6c7b673e4117d6b638cbe01be8d999
Opcode Fuzzy Hash: 73a5012bc9718f41ecddf22eb8e65365f364c913bce36dff3da9bcc525ad1969
Instruction Fuzzy Hash: ABC002342642048F8344DB59D488C11B3E9FF48A2435680D5E9098B732C631FC00CA44

Non-executed Functions

Function 054064D8 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2232627690.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e64376741630d85c576cb28c012b94bf64b86bf97a78c0c822881303c6bf488
Instruction ID: 07b11cd57685c146208ea3bd6e8b5bc1a48700a4998623003e47025cb3f06b91
Opcode Fuzzy Hash: 6e64376741630d85c576cb28c012b94bf64b86bf97a78c0c822881303c6bf488
Instruction Fuzzy Hash: 0AC17F76F001298BCB18CF9DD9809EEF7F3BB8831071A856AE806EB355D7749D158B84

Function 05403828 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2232627690.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b5ee529e71ac66813eef0d74c84fc2be5130c4a8a2338c5e587a04b0abc73f3
Instruction ID: 1c09f096910a329af617efb2e73feed1e7950417963a672a745cebeecaca2dde
Opcode Fuzzy Hash: 8b5ee529e71ac66813eef0d74c84fc2be5130c4a8a2338c5e587a04b0abc73f3
Instruction Fuzzy Hash: D9B1A776F145298BCB14CF58C8809EEBBF2BF98710B26856AD806EB355D630AD458BC0

Function 01469F69 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be568f167be79e2bffb900040eeac8faf30d248e7dcb71feef572006c4d4534e
Instruction ID: 216bbac2dd494c4dbf1a429c2e7d4e590e1ce976b3898ac892204d7a04a12da5
Opcode Fuzzy Hash: be568f167be79e2bffb900040eeac8faf30d248e7dcb71feef572006c4d4534e
Instruction Fuzzy Hash: A6A10472E0062A8BCB14CF58C9945AEFBF6BB88214B1A816AD805F7360D774EC05CBD1

Function 05401C90 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2232627690.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f2bc92c6330062f5a606b30022de4e08457041f75b574dcc4ede4543dd6c333
Instruction ID: 826aaff8fb366c0c28ee849baac4e5e5af0fc47c64791b82c8690f5ad2bc66c7
Opcode Fuzzy Hash: 6f2bc92c6330062f5a606b30022de4e08457041f75b574dcc4ede4543dd6c333
Instruction Fuzzy Hash: 35812672F046254BC708DAAD9C506AEB6E27FC925072A657FD80BEB381EA30DC05C7D1

Function 05400EF0 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2232627690.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd1895c9cd9e42c9c3468c46d7ad25c8b45d3866a8e57164abd6e599e32d102a
Instruction ID: 1bee5a34720f4d7c2b3f8ae3b8092429872797c81892b8279cf22b77ee8b13ce
Opcode Fuzzy Hash: dd1895c9cd9e42c9c3468c46d7ad25c8b45d3866a8e57164abd6e599e32d102a
Instruction Fuzzy Hash: 10A16F75E0422A8FCB08CFA9DC905EFBBB2FF88300B24996AD415E7355D3749A45CB90

Function 05407830 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2232627690.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b6399291cc8b7d91f437f004fd3e12eaeea7c2e9ac9d41683a7766a90213f86
Instruction ID: b8f28e46791090bd509c861d1a8f2b4073ed95d9b88a55163c8ab1a3e0c8a5f3
Opcode Fuzzy Hash: 6b6399291cc8b7d91f437f004fd3e12eaeea7c2e9ac9d41683a7766a90213f86
Instruction Fuzzy Hash: C181C576F102258FCB04DF69C8409AEB7B6BF88254B1654BAD905EB3A0DB31EC01CB91

Function 0146B839 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bcf90a4ff5d011266ea8c01362fc4224d478e382ef482bdfbd7043dfb82bd3c
Instruction ID: 1ef3a1bc67c1312daaeaea1b88cdb7ba6440f63b286acd2b116963b89fc3f23d
Opcode Fuzzy Hash: 3bcf90a4ff5d011266ea8c01362fc4224d478e382ef482bdfbd7043dfb82bd3c
Instruction Fuzzy Hash: D4610772F102298FDB14DFA9D88069EBBF6AF88214F19816BD915F7361D7309C02CB91

Function 054014D0 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2232627690.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe8b5f66516166aeda1792b9435c12de7eae81cdba59ce0e18b55db8d2a43033
Instruction ID: dc211d420e9a65d0f21863812a154b3f26357f76c40a64dd646dab5b278728ad
Opcode Fuzzy Hash: fe8b5f66516166aeda1792b9435c12de7eae81cdba59ce0e18b55db8d2a43033
Instruction Fuzzy Hash: 2A51C176F011258F8B04DBADC98489EB7F6AFCC21471A41BAE909FB361DA719C01CBD0

Function 0146F3B1 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1140826338fc609d11de9f2bfcb78222dd6720ba4e7c515a3ab3f7d6f9270e0b
Instruction ID: 909da576b411b2a1d775a2f0e1a8289dc52803a92f5ac392dc3f4dd24c53afaf
Opcode Fuzzy Hash: 1140826338fc609d11de9f2bfcb78222dd6720ba4e7c515a3ab3f7d6f9270e0b
Instruction Fuzzy Hash: 78810970A20229DFDB58CFA8E894E9DB7B6FF44314F00429AE909AB361D7319D85CF41

Function 01460B45 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1718d8202d2fae8d70cdafa892e234ecbc7f3953bc08b24a9c03bf34e88b514f
Instruction ID: 5d1f0d620696fecadfe8d245665b2d4085877b6f3fc085a2693927659c9f5c61
Opcode Fuzzy Hash: 1718d8202d2fae8d70cdafa892e234ecbc7f3953bc08b24a9c03bf34e88b514f
Instruction Fuzzy Hash: 0651B035B407098FDB18DFBEC8D45ADB6F6AB8C208B54813EE519DB362DA749C06CB01

Function 054064D3 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2232627690.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a724a97aecd7958dd996ce66509ef298ef261dd18a3a706b030b624301847e2b
Instruction ID: 54d1bf9a7dea911040ed8e8c693cd330e1614b3fc75798e82bf0f17863918dce
Opcode Fuzzy Hash: a724a97aecd7958dd996ce66509ef298ef261dd18a3a706b030b624301847e2b
Instruction Fuzzy Hash: F851F672F002388B9718DB9DD4809EEB6E7BBC835075B817AD81AEB354EA709D15C7C0

Function 054064C8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2232627690.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 774bfd2635198cb2a725d53cfa156400aa6547f3092fd558ac22ea7278b44c14
Instruction ID: 24f1314beafb354c5f3a3a83c8d408030038f20adbd81439ccb642f34928a7dd
Opcode Fuzzy Hash: 774bfd2635198cb2a725d53cfa156400aa6547f3092fd558ac22ea7278b44c14
Instruction Fuzzy Hash: 2F41E576F001388B9718DAADD4809EEB2E3BBC4350767857BD81AEB784DA749D16C7C0

Function 054014C2 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2232627690.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65373509334b2167007480bd122365a57c05939d7eaf2e51823f27ffd26e541c
Instruction ID: 2c20d135ae29ae6302d77aa07c38272e6f39e0457af56d4c14f81dd720e1073f
Opcode Fuzzy Hash: 65373509334b2167007480bd122365a57c05939d7eaf2e51823f27ffd26e541c
Instruction Fuzzy Hash: FF31A077F001258F9B14CBA9C9848AEB7F6AF9821475A41BAE806FB361D6309C05CBD0

Function 01469E30 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b2c65605927201e829dc3a82dcb574157fc18c3e606f1db289c513e20330efb
Instruction ID: 54376b7cbd7213d36b40d074a150663c4b63acafc286d6c009116d19211dfe63
Opcode Fuzzy Hash: 6b2c65605927201e829dc3a82dcb574157fc18c3e606f1db289c513e20330efb
Instruction Fuzzy Hash: 10312533F452394BD714CA6DCC404EAB7EBABD822470E816BD819F7361D9789D058780

Function 01469E40 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230470144.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_bPkG0wTVon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94b433b26419e3f2603e7fe77a1c72dd2512189c42c7fdd2a13dfcc1258cccc9
Instruction ID: a00a2bbd5bbaa00b8d3249d4a39e5b6371eecf506896ee777a183813081cc261
Opcode Fuzzy Hash: 94b433b26419e3f2603e7fe77a1c72dd2512189c42c7fdd2a13dfcc1258cccc9
Instruction Fuzzy Hash: 6C312233F501394BD718CA6ECC404EAF6EBABD8224B0E816BE809F7360D9749D0587C0

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report bPkG0wTVon.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bPkG0wTVon.exe_37478cde76dd5faa858c137362678095d0b3b2a9_c32bdecd_34f30437-1048-4891-9fd4-1e0168d1bcde\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC857.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCA3C.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCA8B.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Windows Analysis Report
bPkG0wTVon.exe

Function 0540DD78 Relevance: 3.2, Strings: 2, Instructions: 701
COMMON

Function 0540DE78 Relevance: 3.1, Strings: 2, Instructions: 608
COMMON

Function 0146B1B8 Relevance: 2.9, Strings: 2, Instructions: 379
COMMON

Function 0540E878 Relevance: 1.9, Strings: 1, Instructions: 622
COMMON

Function 05406F98 Relevance: 1.8, Strings: 1, Instructions: 545
COMMON

Function 054049C0 Relevance: 1.6, APIs: 1, Instructions: 70
nativeCOMMON

Function 054049B8 Relevance: 1.6, APIs: 1, Instructions: 70
nativeCOMMON

Function 05404810 Relevance: 1.6, APIs: 1, Instructions: 64
nativeCOMMON

Function 05404818 Relevance: 1.6, APIs: 1, Instructions: 64
nativeCOMMON

Function 05404740 Relevance: 1.6, APIs: 1, Instructions: 63
filenativeCOMMON

Function 05404320 Relevance: 1.6, APIs: 1, Instructions: 63
nativeCOMMON

Function 0540473A Relevance: 1.6, APIs: 1, Instructions: 62
filenativeCOMMON

Function 05404B70 Relevance: 1.6, APIs: 1, Instructions: 62
filenativeCOMMON

Function 05404B78 Relevance: 1.6, APIs: 1, Instructions: 62
filenativeCOMMON

Function 0540431A Relevance: 1.6, APIs: 1, Instructions: 62
nativeCOMMON