Edit tour

Windows Analysis Report
Browser.Daemon.exe

Overview

General Information

Sample name:	Browser.Daemon.exe
Analysis ID:	1578858
MD5:	294a647f4efd42428dc119f961416b76
SHA1:	bb39ff1d015ca479e9f9c1a78648ba8aa525e159
SHA256:	bfd96babeb4eae22aa2ad642d036c1f57525cf709cf8481b930329f298f208ea
Tags:	BrowserDaemonexeuser-NDA0E
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

.NET source code contains a sample name check

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates or modifies windows services

Detected potential crypto function

Enables debug privileges

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64

Browser.Daemon.exe (PID: 6992 cmdline: "C:\Users\user\Desktop\Browser.Daemon.exe" MD5: 294A647F4EFD42428DC119F961416B76)

Browser.Daemon.exe (PID: 7616 cmdline: "C:\Users\user\Desktop\Browser.Daemon.exe" MD5: 294A647F4EFD42428DC119F961416B76)

cleanup

Sigma Signatures

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\Desktop\Browser.Daemon.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Browser.Daemon.exe, ProcessId: 6992, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Browser.Daemon.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Browser.Daemon.exe	Virustotal: Detection: 40%			Perma Link
Source: Browser.Daemon.exe	ReversingLabs: Detection: 42%

Source: unknown

HTTPS traffic detected: 82.156.94.45:443 -> 192.168.2.7:49703 version: TLS 1.0

Source: Browser.Daemon.exe

Static PE information: certificate valid

Source: Browser.Daemon.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \Apps\Browser.Daemon\obj\Release\Browser.Daemon.pdb8mRm Dm_CorExeMainmscoree.dll source: Browser.Daemon.exe
Source:	Binary string: \Apps\Browser.Daemon\obj\Release\Browser.Daemon.pdb source: Browser.Daemon.exe

Source: global traffic

HTTP traffic detected: GET /download/cszs/BrowserDaemonConfigNew HTTP/1.1Host: market-1304768263.cos.ap-beijing.myqcloud.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 82.156.94.45 82.156.94.45

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown

HTTPS traffic detected: 82.156.94.45:443 -> 192.168.2.7:49703 version: TLS 1.0

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /download/cszs/BrowserDaemonConfigNew HTTP/1.1Host: market-1304768263.cos.ap-beijing.myqcloud.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: market-1304768263.cos.ap-beijing.myqcloud.com

Source: Browser.Daemon.exe, 00000000.00000002.3117395010.0000000002C29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bj.file.myqcloud.com
Source: Browser.Daemon.exe, 00000000.00000002.3117395010.0000000002C29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bj.file.myqcloud.comd
Source: Browser.Daemon.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Browser.Daemon.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Browser.Daemon.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Browser.Daemon.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Browser.Daemon.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Browser.Daemon.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: Browser.Daemon.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: Browser.Daemon.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Browser.Daemon.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Browser.Daemon.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Browser.Daemon.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: Browser.Daemon.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: Browser.Daemon.exe, 00000000.00000002.3117395010.0000000002C29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://market-1304768263.cos.ap-beijing.myqcloud.com
Source: Browser.Daemon.exe, 00000000.00000002.3117395010.0000000002C29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://market-1304768263.cos.ap-beijing.myqcloud.comd
Source: Browser.Daemon.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: Browser.Daemon.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: Browser.Daemon.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: Browser.Daemon.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: Browser.Daemon.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: Browser.Daemon.exe	String found in binary or memory: http://ocsp.sectigo.com00
Source: Browser.Daemon.exe, 00000000.00000002.3117395010.0000000002C14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Browser.Daemon.exe, 00000000.00000002.3117395010.0000000002C14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://market-1304768263.cos.ap-beijing.myqcloud.com
Source: Browser.Daemon.exe, 00000000.00000002.3117395010.0000000002C4D000.00000004.00000800.00020000.00000000.sdmp, Browser.Daemon.exe, 00000000.00000002.3117395010.0000000002C49000.00000004.00000800.00020000.00000000.sdmp, BrowserDaemonConfigNew.0.dr, Browser.Daemon_2024-12-20.log.0.dr	String found in binary or memory: https://market-1304768263.cos.ap-beijing.myqcloud.com/download/DaemonHelper.zip
Source: Browser.Daemon.exe	String found in binary or memory: https://market-1304768263.cos.ap-beijing.myqcloud.com/download/cszs/
Source: Browser.Daemon.exe, 00000000.00000002.3117395010.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://market-1304768263.cos.ap-beijing.myqcloud.com/download/cszs/BrowserDaemonConfigNew
Source: Browser.Daemon.exe, 00000000.00000002.3117395010.0000000002C14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://market-1304768263.cos.ap-beijing.myqcloud.comPQ
Source: Browser.Daemon.exe	String found in binary or memory: https://sectigo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703

Source: C:\Users\user\Desktop\Browser.Daemon.exe	Code function: 0_2_02972E45	0_2_02972E45
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Code function: 0_2_02976898	0_2_02976898
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Code function: 0_2_02975C80	0_2_02975C80
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Code function: 0_2_02975FC8	0_2_02975FC8

Source: Browser.Daemon.exe, 00000000.00000002.3116252564.0000000000C8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Browser.Daemon.exe
Source: Browser.Daemon.exe, 00000000.00000002.3117395010.0000000002C62000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q,\\StringFileInfo\\000004B0\\OriginalFilename vs Browser.Daemon.exe
Source: Browser.Daemon.exe, 00000000.00000002.3117395010.0000000002BA2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Browser.Daemon.exe
Source: Browser.Daemon.exe, 00000000.00000002.3117395010.0000000002BA2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q,\\StringFileInfo\\000004B0\\OriginalFilename vs Browser.Daemon.exe
Source: Browser.Daemon.exe, 0000000A.00000002.1373675765.0000000002D44000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Browser.Daemon.exe
Source: Browser.Daemon.exe, 0000000A.00000002.1373675765.0000000002D44000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q,\\StringFileInfo\\000004B0\\OriginalFilename vs Browser.Daemon.exe

Source: classification engine

Classification label: mal52.evad.winEXE@2/4@1/1

Source: C:\Users\user\Desktop\Browser.Daemon.exe

File created: C:\Users\user\Desktop\Logger

Jump to behavior

Source: C:\Users\user\Desktop\Browser.Daemon.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Mutant created: \Sessions\1\BaseNamedObjects\Browser.Daemon20230117

Source: Browser.Daemon.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Browser.Daemon.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\Browser.Daemon.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Browser.Daemon.exe	Virustotal: Detection: 40%
Source: Browser.Daemon.exe	ReversingLabs: Detection: 42%

Source: unknown	Process created: C:\Users\user\Desktop\Browser.Daemon.exe "C:\Users\user\Desktop\Browser.Daemon.exe"
Source: unknown	Process created: C:\Users\user\Desktop\Browser.Daemon.exe "C:\Users\user\Desktop\Browser.Daemon.exe"

Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: netfxperf.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: esentprf.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: perfts.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: utildll.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: msdtcuiu.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: msdtcprx.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: mtxclu.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: clusapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: resutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: msscntrs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: perfdisk.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: wmiclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: perfnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: browcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: perfos.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: perfproc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: sysmain.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: rasctrs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: tapiperf.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: tapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: perfctrs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Section loaded: profapi.dll	Jump to behavior

Source: Browser.Daemon.exe

Static PE information: certificate valid

Source: Browser.Daemon.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Browser.Daemon.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Browser.Daemon.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: \Apps\Browser.Daemon\obj\Release\Browser.Daemon.pdb8mRm Dm_CorExeMainmscoree.dll source: Browser.Daemon.exe
Source:	Binary string: \Apps\Browser.Daemon\obj\Release\Browser.Daemon.pdb source: Browser.Daemon.exe

Source: Browser.Daemon.exe

Static PE information: 0xD464433C [Tue Dec 1 08:50:04 2082 UTC]

Source: C:\Users\user\Desktop\Browser.Daemon.exe

Code function: 10_2_02BE0F39 push es; ret

10_2_02BE0F3A

Source: C:\Users\user\Desktop\Browser.Daemon.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSDTC Bridge 3.0.0.0\Linkage

Jump to behavior

Source: C:\Users\user\Desktop\Browser.Daemon.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET Memory Cache 4.0\Linkage

Jump to behavior

Source: C:\Users\user\Desktop\Browser.Daemon.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Browser.Daemon.exe			Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Browser.Daemon.exe			Jump to behavior

Source: C:\Users\user\Desktop\Browser.Daemon.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

.NET source code contains a sample name check

Source: Browser.Daemon.exe, App.cs

.Net Code: RunAllRoundExe contains sample name check

Source: C:\Users\user\Desktop\Browser.Daemon.exe	Memory allocated: 10B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Memory allocated: 2B50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Memory allocated: 10B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Memory allocated: 2AF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Memory allocated: 2CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Memory allocated: 2B40000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Browser.Daemon.exe	Thread delayed: delay time: 300000			Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\Browser.Daemon.exe TID: 4800	Thread sleep count: 197 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe TID: 6920	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe TID: 7636	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Browser.Daemon.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Users\user\Desktop\Browser.Daemon.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Browser.Daemon.exe	Thread delayed: delay time: 300000			Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: Browser.Daemon.exe, 00000000.00000002.3120112250.000000000612C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X2Hyper-V VM Vid Partitiono4
Source: Browser.Daemon.exe, 00000000.00000002.3120112250.0000000006084000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: Browser.Daemon.exe, 00000000.00000002.3117395010.0000000002C78000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q!Hyper-V Hypervisor Root Partition
Source: Browser.Daemon.exe, 00000000.00000002.3117395010.0000000002C78000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q*Hyper-V Dynamic Memory Integration Service
Source: Browser.Daemon.exe, 00000000.00000002.3120692098.0000000006438000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processo
Source: Browser.Daemon.exe, 00000000.00000002.3120112250.000000000612C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: Browser.Daemon.exe, 00000000.00000002.3117395010.0000000002C78000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q$Hyper-V Hypervisor Logical Processor
Source: Browser.Daemon.exe, 00000000.00000002.3120112250.0000000006050000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: Browser.Daemon.exe, 00000000.00000002.3121141193.0000000006FBF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervis
Source: Browser.Daemon.exe, 00000000.00000002.3120112250.0000000006050000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AlDHyper-V Virtual Machine Bus Pipesyu1
Source: Browser.Daemon.exe, 00000000.00000002.3120112250.0000000006050000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V umqhiwonvjwwxsk Bus
Source: Browser.Daemon.exe, 00000000.00000002.3120112250.0000000006050000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sWDHyper-V Hypervisor Root Partition
Source: Browser.Daemon.exe, 00000000.00000002.3121076122.0000000006F70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot489
Source: Browser.Daemon.exe, 00000000.00000002.3120112250.0000000006050000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V umqhiwonvjwwxsk Bus PipesaC
Source: Browser.Daemon.exe, 00000000.00000002.3116252564.0000000000D3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisorl
Source: Browser.Daemon.exe, 00000000.00000002.3117395010.0000000002C78000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q!Hyper-V Virtual Machine Bus Pipes
Source: Browser.Daemon.exe, 00000000.00000002.3117395010.0000000002C78000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q)Hyper-V Hypervisor Root Virtual Processor
Source: Browser.Daemon.exe, 00000000.00000002.3117395010.0000000002C78000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor
Source: Browser.Daemon.exe, 00000000.00000002.3120112250.0000000006084000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Serviced
Source: Browser.Daemon.exe, 00000000.00000002.3117395010.0000000002CF3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V VM Vid Partition
Source: Browser.Daemon.exe, 00000000.00000002.3116252564.0000000000D3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Browser.Daemon.exe, 00000000.00000002.3120566123.0000000006316000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot?

Source: C:\Users\user\Desktop\Browser.Daemon.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Browser.Daemon.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Browser.Daemon.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Browser.Daemon.exe	Queries volume information: C:\Users\user\Desktop\Browser.Daemon.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Browser.Daemon.exe	Queries volume information: C:\Users\user\Desktop\Browser.Daemon.exe VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\Browser.Daemon.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	2 Windows Service	2 Windows Service	1 Masquerading	OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Office Application Startup	1 Process Injection	1 Disable or Modify Tools	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	141 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 DLL Side-Loading	1 DLL Side-Loading	1 Process Injection	NTDS	141 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Browser.Daemon.exe	40%	Virustotal		Browse
Browser.Daemon.exe	42%	ReversingLabs	Win32.Trojan.Jalapeno

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bj.file.myqcloud.com	82.156.94.45	true	false		high
market-1304768263.cos.ap-beijing.myqcloud.com	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://market-1304768263.cos.ap-beijing.myqcloud.com/download/cszs/BrowserDaemonConfigNew	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	Browser.Daemon.exe	false	high
http://ocsp.sectigo.com00	Browser.Daemon.exe	false	unknown
https://market-1304768263.cos.ap-beijing.myqcloud.com/download/DaemonHelper.zip	Browser.Daemon.exe, 00000000.00000002.3117395010.0000000002C4D000.00000004.00000800.00020000.00000000.sdmp, Browser.Daemon.exe, 00000000.00000002.3117395010.0000000002C49000.00000004.00000800.00020000.00000000.sdmp, BrowserDaemonConfigNew.0.dr, Browser.Daemon_2024-12-20.log.0.dr	false	unknown
https://sectigo.com/CPS0	Browser.Daemon.exe	false	high
http://market-1304768263.cos.ap-beijing.myqcloud.comd	Browser.Daemon.exe, 00000000.00000002.3117395010.0000000002C29000.00000004.00000800.00020000.00000000.sdmp	false	unknown
http://market-1304768263.cos.ap-beijing.myqcloud.com	Browser.Daemon.exe, 00000000.00000002.3117395010.0000000002C29000.00000004.00000800.00020000.00000000.sdmp	false	unknown
http://bj.file.myqcloud.comd	Browser.Daemon.exe, 00000000.00000002.3117395010.0000000002C29000.00000004.00000800.00020000.00000000.sdmp	false	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	Browser.Daemon.exe	false	high
http://ocsp.sectigo.com0	Browser.Daemon.exe	false	high
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	Browser.Daemon.exe	false	high
https://market-1304768263.cos.ap-beijing.myqcloud.comPQ	Browser.Daemon.exe, 00000000.00000002.3117395010.0000000002C14000.00000004.00000800.00020000.00000000.sdmp	false	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	Browser.Daemon.exe	false	high
https://market-1304768263.cos.ap-beijing.myqcloud.com/download/cszs/	Browser.Daemon.exe	false	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Browser.Daemon.exe, 00000000.00000002.3117395010.0000000002C14000.00000004.00000800.00020000.00000000.sdmp	false	high
https://market-1304768263.cos.ap-beijing.myqcloud.com	Browser.Daemon.exe, 00000000.00000002.3117395010.0000000002C14000.00000004.00000800.00020000.00000000.sdmp	false	unknown
http://bj.file.myqcloud.com	Browser.Daemon.exe, 00000000.00000002.3117395010.0000000002C29000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
82.156.94.45	bj.file.myqcloud.com	China		12513	ECLIPSEGB	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578858
Start date and time:	2024-12-20 15:57:40 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Browser.Daemon.exe
Detection:	MAL
Classification:	mal52.evad.winEXE@2/4@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 61 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, WmiApSrv.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Browser.Daemon.exe, PID 6992 because it is empty
Execution Graph export aborted for target Browser.Daemon.exe, PID 7616 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:58:36	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Browser.Daemon.exe C:\Users\user\Desktop\Browser.Daemon.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
82.156.94.45	setup#U67e5#U8be2.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002B_185.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002A_276.exe	Get hash	malicious	Unknown	Browse
	4a9OE5cKJo.exe	Get hash	malicious	Unknown	Browse
	1q3HnZAcnJ.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bj.file.myqcloud.com	setup#U67e5#U8be2.exe	Get hash	malicious	Unknown	Browse	82.156.94.45
	LisectAVT_2403002B_185.exe	Get hash	malicious	Unknown	Browse	82.156.94.48
	LisectAVT_2403002B_185.exe	Get hash	malicious	Unknown	Browse	82.156.94.45
	LisectAVT_2403002A_276.exe	Get hash	malicious	Unknown	Browse	82.156.94.45
	https://appservies02342-1321331581.cos.ap-beijing.myqcloud.com/cummon/update-agreements/claim	Get hash	malicious	HTMLPhisher	Browse	82.156.94.13
	setup#U67e5#U8be2_pf2024.exe	Get hash	malicious	GhostRat, Nitol	Browse	82.156.94.17
	https://appservies02342-1321331581.cos.ap-beijing.myqcloud.com/cummon/update-agreements/claim	Get hash	malicious	HTMLPhisher	Browse	82.156.94.13
	New_Text_Document_mod.exse.exe	Get hash	malicious	AgentTesla, Amadey, Creal Stealer, Djvu, FormBook, Glupteba, GuLoader	Browse	82.156.94.48
	4a9OE5cKJo.exe	Get hash	malicious	Unknown	Browse	82.156.94.45

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ECLIPSEGB	la.bot.arm6.elf	Get hash	malicious	Mirai	Browse	91.84.160.165
	la.bot.arm5.elf	Get hash	malicious	Mirai	Browse	81.168.94.59
	https://cc.naver.com/cc?a=pst.link&m=1&nsc=Mblog.post&u=https://prestamosgarantizados.com/wvr/#svk8Lh6vLh6njx3lLh6vg4Pnq07qug4Plvk8Lh6rjx3z9BR15WPy	Get hash	malicious	HTMLPhisher	Browse	109.176.30.14
	https://cc.naver.com/cc?a=pst.link&m=1&nsc=Mblog.post&u=https://prestamosgarantizados.com/wvr/#svk8Lh6vLh6njx3lLh6vg4Pnq07qug4Plvk8Lh6rjx3z9BR15WPy	Get hash	malicious	HTMLPhisher	Browse	109.176.30.14
	ppc.elf	Get hash	malicious	Unknown	Browse	82.153.67.118
	armv5l.elf	Get hash	malicious	Unknown	Browse	91.84.182.242
	TRC.mips.elf	Get hash	malicious	Mirai	Browse	82.153.67.135
	elitebotnet.sh4.elf	Get hash	malicious	Mirai, Okiru	Browse	82.152.189.147
	dc.elf	Get hash	malicious	Gafgyt, Mirai	Browse	109.176.207.235

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Invoice DHL - AWB 2024 E4001 - 0000731.exe	Get hash	malicious	Snake Keylogger	Browse	82.156.94.45
	YU SV Payment.exe	Get hash	malicious	MassLogger RAT	Browse	82.156.94.45
	PURCHASE ORDER TRC-090971819130-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	82.156.94.45
	PAYMENT ADVICE 750013-1012449943-81347-pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	82.156.94.45
	Overheaped237.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	82.156.94.45
	HUSDGHCE23ED.exe	Get hash	malicious	MassLogger RAT	Browse	82.156.94.45
	66776676676.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	82.156.94.45
	_Company.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	82.156.94.45

Process:	C:\Users\user\Desktop\Browser.Daemon.exe
File Type:	CSV text
Category:	modified
Size (bytes):	1687
Entropy (8bit):	5.338930762014548
Encrypted:	false
SSDEEP:	48:MxHKlYHKh3ouHgJHreylEHMHKo/tHo6hAHKzeR:iqlYqh3ou0aymsqwtI6eqzm
MD5:	15E04367C03184DCF6E0D75C17713029
SHA1:	ED1BF186345A11D8B4741F52B9DDCCE8702C8A12
SHA-256:	C10A3B6F0C9F3DA0C85A63F296C3E027E486BC174FFDDA6371B00AE605799D76
SHA-512:	EE9ADFDF176D8171AFB95920C265CBE5AC652D34990CF924E491C06337929BBDBF9EEEADE96EFB7943D07C25D66D634F49FD9C2B4CFFE072747FAD7E40ED4618
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\4d760e3e4675c4a4c66b64205fb0d001\WindowsBase.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\17470ef0c7a174f38bdcadacc3e310ad\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\

C:\Users\user\Desktop\BrowserDaemonConfigNew

Download File

Process:	C:\Users\user\Desktop\Browser.Daemon.exe
File Type:	Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	359
Entropy (8bit):	6.251691969248054
Encrypted:	false
SSDEEP:	6:dlIpAIO6lSD2ohpxADn4Rw2KSS0al6LmAMGbCeXAzb+EhKh0ZMofJHv:/jZDVpxq2iBtXJRyuJP
MD5:	5399118D6FD67D3C4380D350C68656BB
SHA1:	19C65D08F4DD7A2E12709614385FCA6FE5D3C055
SHA-256:	51B98382835ED60E3A8D2826A77E6CE213FE36531724B5072DA0A3209FBE43C1
SHA-512:	3BCA044037C29F67F84D0079CA2BC04069ADCBD39E5468B52798FF691C18FF156742968D4810E02A11E893C3F30EDC21BB2D1CE0E0E256AF8907A08E527329F3
Malicious:	false
Reputation:	low
Preview:	#......(.....)..3..#....(.............)..<=3.1.7.766524..#........(...zip)..https://market-1304768263.cos.ap-beijing.myqcloud.com/download/DaemonHelper.zip..#...........(.......&...........)..Browser.Robot&Browser.Robot.exe

C:\Users\user\Desktop\LocalVersion

Download File

Process:	C:\Users\user\Desktop\Browser.Daemon.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:W:W
MD5:	ECCBC87E4B5CE2FE28308FD9F2A7BAF3
SHA1:	77DE68DAECD823BABBB58EDB1C8E14D7106E83BB
SHA-256:	4E07408562BEDB8B60CE05C1DECFE3AD16B72230967DE01F640B7E4729B49FCE
SHA-512:	3BAFBF08882A2D10133093A1B8433F50563B93C14ACD05B79028EB1D12799027241450980651994501423A66C276AE26C43B739BC65C4E16B10C3AF6C202AEBB
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	3

C:\Users\user\Desktop\Logger\Browser.Daemon_2024-12-20.log

Download File

Process:	C:\Users\user\Desktop\Browser.Daemon.exe
File Type:	Unicode text, UTF-8 text, with CRLF line terminators
Category:	modified
Size (bytes):	1583
Entropy (8bit):	6.172071575511364
Encrypted:	false
SSDEEP:	48:oHK9KLKaKYKHK1HKY2KYV37YXlH7SwGwYGYLPwVx:ozKSww1
MD5:	C9CD66139C60173CCC57322D5E131DD9
SHA1:	B8334C10E142CF7768D21E19550CBCCAA65A7881
SHA-256:	35EA24378CBA04BD33EA354C87E9A5C7B0DBF875E1C7C269ED0A7A2364D472A8
SHA-512:	E52B9724DDCE65D28CC0BC39C90985620BE68E239ACC16FD89FD87DAA6FB14F640AF1B735B8133127B9BB78F46B913CEE75E067DFA67E339DDA1C71585218570
Malicious:	false
Preview:	[2024/12/20 09:58:32][INFO][[Browser.Daemon.App][OnStartup]:.......3.3.8.860075..[2024/12/20 09:58:32][INFO][[Browser.Daemon.App][OnStartup]:...........[2024/12/20 09:58:32][INFO][[Browser.Daemon.App][OnStartup]:..........[2024/12/20 09:58:32][INFO][[Browser.Daemon.LogManager][ClearLogForDays]:....7.......[2024/12/20 09:58:32][INFO][[Browser.Daemon.LogManager][ClearLogForDays]:........[2024/12/20 09:58:32][INFO][[Browser.Daemon.App+<>c__DisplayClass6_0][<OnStartup>b__0]:...........[2024/12/20 09:58:32][INFO][[Browser.Daemon.App+<>c__DisplayClass6_0][<OnStartup>b__0]:...............[2024/12/20 09:58:36][INFO][[Browser.Daemon.App+<>c__DisplayClass6_0][<OnStartup>b__0]:.....3\|&\|<=3.1.7.766524\|&\|https://market-1304768263.cos.ap-beijing.myqcloud.com/download/DaemonHelper.zip\|&\|Browser.Robot&Browser.Robot.exe..[2024/12/20 09:58:36][ERROR][[Browser.Daemon.App][RunAllRoundExe]:..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.6444678952852865
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Browser.Daemon.exe
File size:	35'232 bytes
MD5:	294a647f4efd42428dc119f961416b76
SHA1:	bb39ff1d015ca479e9f9c1a78648ba8aa525e159
SHA256:	bfd96babeb4eae22aa2ad642d036c1f57525cf709cf8481b930329f298f208ea
SHA512:	50a9724c8bfb9778d5ee6bf593ada381c435eba8ca77ee7dc1a5100379774bc205953ffc1944ea49f93b74f225243411633eef91bd17a3fc3282b89bbba9994b
SSDEEP:	384:WPGfaDdK2kfoIoUM1QvpAu7CsagfuHu9XKXAE2XS7uiHtEbMGBnqpwK3hBmIAjvV:WI0dK1f/oORAKy/uyOwKY1AC2EQ
TLSH:	21F28E42ABB4464ADA5E4E3634F56E224AB0F343ED51C6CE1DC9C09D4F923C45614AFB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...<Cd..........."...0..N..........bm... ........@.. ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x406d62
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xD464433C [Tue Dec 1 08:50:04 2082 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	26/03/2024 20:00:00 27/03/2025 19:59:59
Subject Chain	CN=\u5317\u4eac\u5b50\u656c\u79d1\u6280\u6709\u9650\u516c\u53f8, O=\u5317\u4eac\u5b50\u656c\u79d1\u6280\u6709\u9650\u516c\u53f8, S=\u5317\u4eac\u5e02, C=CN, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=CN, SERIALNUMBER=91110108MA04D1RJ14
Version:	3
Thumbprint MD5:	F787F139795472C630D545CC3030964D
Thumbprint SHA-1:	5FD20CE2B39EC12FBEA5BB747161FA19F3D770CB
Thumbprint SHA-256:	19B85BA879F762C8052F5B9E4934B59DD67CE6B583F273E5AA66AB390E054467
Serial:	1EF1CBEFEF67C3480F5EDBCB582C9BDE

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6d10	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8000	0x5e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x5800	0x31a0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x6c58	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x4d68	0x4e00	816cd1b45b258919e400f27156fb8d94	False	0.5317508012820513	data	5.9251757262189875	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8000	0x5e8	0x600	244fe117e911f93553fd3c8a238fc4cb	False	0.4329427083333333	data	4.193069141179276	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa000	0xc	0x200	264e48a624d97f68bd9b9ef19531db21	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x8090	0x358	data			0.4264018691588785
RT_MANIFEST	0x83f8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 20, 2024 15:58:34.539472103 CET	49703	443	192.168.2.7	82.156.94.45
Dec 20, 2024 15:58:34.539519072 CET	443	49703	82.156.94.45	192.168.2.7
Dec 20, 2024 15:58:34.539624929 CET	49703	443	192.168.2.7	82.156.94.45
Dec 20, 2024 15:58:34.549192905 CET	49703	443	192.168.2.7	82.156.94.45
Dec 20, 2024 15:58:34.549211979 CET	443	49703	82.156.94.45	192.168.2.7
Dec 20, 2024 15:58:36.792515993 CET	443	49703	82.156.94.45	192.168.2.7
Dec 20, 2024 15:58:36.792663097 CET	49703	443	192.168.2.7	82.156.94.45
Dec 20, 2024 15:58:36.793663979 CET	443	49703	82.156.94.45	192.168.2.7
Dec 20, 2024 15:58:36.793744087 CET	49703	443	192.168.2.7	82.156.94.45
Dec 20, 2024 15:58:36.800403118 CET	49703	443	192.168.2.7	82.156.94.45
Dec 20, 2024 15:58:36.800419092 CET	443	49703	82.156.94.45	192.168.2.7
Dec 20, 2024 15:58:36.800832033 CET	443	49703	82.156.94.45	192.168.2.7
Dec 20, 2024 15:58:36.851181030 CET	49703	443	192.168.2.7	82.156.94.45
Dec 20, 2024 15:58:36.853456020 CET	49703	443	192.168.2.7	82.156.94.45
Dec 20, 2024 15:58:36.899326086 CET	443	49703	82.156.94.45	192.168.2.7
Dec 20, 2024 15:58:37.420068026 CET	443	49703	82.156.94.45	192.168.2.7
Dec 20, 2024 15:58:37.421253920 CET	443	49703	82.156.94.45	192.168.2.7
Dec 20, 2024 15:58:37.421303988 CET	49703	443	192.168.2.7	82.156.94.45
Dec 20, 2024 15:58:37.427305937 CET	49703	443	192.168.2.7	82.156.94.45

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 20, 2024 15:58:34.070763111 CET	63044	53	192.168.2.7	1.1.1.1
Dec 20, 2024 15:58:34.532609940 CET	53	63044	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 20, 2024 15:58:34.070763111 CET	192.168.2.7	1.1.1.1	0x481b	Standard query (0)	market-1304768263.cos.ap-beijing.myqcloud.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 20, 2024 15:58:34.532609940 CET	1.1.1.1	192.168.2.7	0x481b	No error (0)	market-1304768263.cos.ap-beijing.myqcloud.com	bj.file.myqcloud.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 20, 2024 15:58:34.532609940 CET	1.1.1.1	192.168.2.7	0x481b	No error (0)	bj.file.myqcloud.com		82.156.94.45	A (IP address)	IN (0x0001)	false
Dec 20, 2024 15:58:34.532609940 CET	1.1.1.1	192.168.2.7	0x481b	No error (0)	bj.file.myqcloud.com		82.156.94.47	A (IP address)	IN (0x0001)	false
Dec 20, 2024 15:58:34.532609940 CET	1.1.1.1	192.168.2.7	0x481b	No error (0)	bj.file.myqcloud.com		82.156.94.48	A (IP address)	IN (0x0001)	false
Dec 20, 2024 15:58:34.532609940 CET	1.1.1.1	192.168.2.7	0x481b	No error (0)	bj.file.myqcloud.com		82.156.94.13	A (IP address)	IN (0x0001)	false
Dec 20, 2024 15:58:34.532609940 CET	1.1.1.1	192.168.2.7	0x481b	No error (0)	bj.file.myqcloud.com		82.156.94.17	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

market-1304768263.cos.ap-beijing.myqcloud.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49703	82.156.94.45	443	6992	C:\Users\user\Desktop\Browser.Daemon.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-20 14:58:36 UTC	131	OUT	GET /download/cszs/BrowserDaemonConfigNew HTTP/1.1 Host: market-1304768263.cos.ap-beijing.myqcloud.com Connection: Keep-Alive
2024-12-20 14:58:37 UTC	418	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Length: 359 Connection: close Accept-Ranges: bytes Date: Fri, 20 Dec 2024 14:58:37 GMT ETag: "5399118d6fd67d3c4380d350c68656bb" Last-Modified: Thu, 06 Apr 2023 11:23:18 GMT Server: tencent-cos x-cos-hash-crc64ecma: 16667297284639983086 x-cos-request-id: Njc2NTg2MWRfNWFiMzI0MDlfYzJkNF8yMGUyNDhm x-cos-version-id: MTg0NDUwNjMyOTM1MTA5NzA1Mjg
2024-12-20 14:58:37 UTC	359	IN	Data Raw: 23 e9 85 8d e7 bd ae e6 96 87 e4 bb b6 e7 89 88 e6 9c ac 28 e6 8c 89 e6 95 b0 e5 ad 97 e9 80 92 e5 a2 9e 29 0d 0a 33 0d 0a 23 e9 99 90 e5 88 b6 e7 89 88 e6 9c ac 28 e6 89 a7 e8 a1 8c e6 8c 87 e5 ae 9a e7 a8 8b e5 ba 8f e7 9a 84 e5 ae 88 e6 8a a4 e8 bf 9b e7 a8 8b e7 89 88 e6 9c ac 29 0d 0a 3c 3d 33 2e 31 2e 37 2e 37 36 36 35 32 34 0d 0a 23 e6 8c 87 e5 ae 9a e7 a8 8b e5 ba 8f e4 b8 8b e8 bd bd e5 9c b0 e5 9d 80 28 e4 bb 85 e6 94 af e6 8c 81 7a 69 70 29 0d 0a 68 74 74 70 73 3a 2f 2f 6d 61 72 6b 65 74 2d 31 33 30 34 37 36 38 32 36 33 2e 63 6f 73 2e 61 70 2d 62 65 69 6a 69 6e 67 2e 6d 79 71 63 6c 6f 75 64 2e 63 6f 6d 2f 64 6f 77 6e 6c 6f 61 64 2f 44 61 65 6d 6f 6e 48 65 6c 70 65 72 2e 7a 69 70 0d 0a 23 e5 be 80 e4 b8 8b e9 83 bd e6 98 af e5 ae 88 e6 8a a4 e7 Data Ascii: #()3#()<=3.1.7.766524#(zip)https://market-1304768263.cos.ap-beijing.myqcloud.com/download/DaemonHelper.zip#

Target ID:	0
Start time:	09:58:32
Start date:	20/12/2024
Path:	C:\Users\user\Desktop\Browser.Daemon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Browser.Daemon.exe"
Imagebase:	0x740000
File size:	35'232 bytes
MD5 hash:	294A647F4EFD42428DC119F961416B76
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	09:58:45
Start date:	20/12/2024
Path:	C:\Users\user\Desktop\Browser.Daemon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Browser.Daemon.exe"
Imagebase:	0x8d0000
File size:	35'232 bytes
MD5 hash:	294A647F4EFD42428DC119F961416B76
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Function 02972E45 Relevance: .5, Instructions: 476COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3117036002.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8edce7b8d117ec042c48883c62c1c756b5bd0016d0dd6ba79658eacca057edb7
Instruction ID: e13ec2be12950a27ceff4b0dcef627388ab7af0ec03c64d7658fdd4fd56ab374
Opcode Fuzzy Hash: 8edce7b8d117ec042c48883c62c1c756b5bd0016d0dd6ba79658eacca057edb7
Instruction Fuzzy Hash: A402AB30B002148BCB19EB78C494BAE7BE6AFC9314F1485AAC41ADF795DB34DC46CB95

Function 02976898 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3117036002.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed116db829e3e33aa49996e0e707d0d5b72b8a501cf8d8f4f7b5582d685e0afd
Instruction ID: ea3e1c8a898ec1cac74977dbccb2a80a1d9f35c72502325c1612a9a4bcffbe02
Opcode Fuzzy Hash: ed116db829e3e33aa49996e0e707d0d5b72b8a501cf8d8f4f7b5582d685e0afd
Instruction Fuzzy Hash: 22B18D70E00609CFDB14CFA9C8817ADBBFABF89314F148529D815EB294EB759885CF81

Function 02975C80 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3117036002.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4453ba9551cac17e5e6f164168dbb0db1823e2b0d0b45fe40fc06df696f77366
Instruction ID: d478962f33c9fd665f689eeaae0ef83c16ea0a442fec7d620d5a5c67eb1aef5b
Opcode Fuzzy Hash: 4453ba9551cac17e5e6f164168dbb0db1823e2b0d0b45fe40fc06df696f77366
Instruction Fuzzy Hash: C2917D70E002099FDB54CFA9C9857EDBBF6EF88304F558529E805EB294EB349846CF81

Function 0297688C Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3117036002.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 492799045c82a66a86544948b5f8a8816f9eec64d980a38ca68bb53d9c869f58
Instruction ID: fc7c7760f16bebe06c3bfdc4e0709f58dee777c21eeff0b05e052cfb4bafecf0
Opcode Fuzzy Hash: 492799045c82a66a86544948b5f8a8816f9eec64d980a38ca68bb53d9c869f58
Instruction Fuzzy Hash: 63B16C70E00609CFDB24CFA9C8857EDBBF9BF89314F148129D814AB294EB759885CB81

Function 02971E48 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3117036002.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00014b1d0c331c7adee2d0ca39b574bf7bd13ac6b54b1f8c2a25580c3211dd1e
Instruction ID: c5e080a7688b7039fcc8e757aff36a5e848ac383970e183710e22f98945e2a3f
Opcode Fuzzy Hash: 00014b1d0c331c7adee2d0ca39b574bf7bd13ac6b54b1f8c2a25580c3211dd1e
Instruction Fuzzy Hash: 4F919C70B002018FD719EB38C554B6EBBE6BF89304F248569C91A9B795DB35DC82CB91

Function 02975C74 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3117036002.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1cf715c93b6acb6e3ea4e9cf7fd3e65242e50feed382749c469c235ca6feb30
Instruction ID: ab448d7f899329c231f7825311ed095784a59f0b175288b0fd722826e4396b92
Opcode Fuzzy Hash: b1cf715c93b6acb6e3ea4e9cf7fd3e65242e50feed382749c469c235ca6feb30
Instruction Fuzzy Hash: 0D917C70E002099FDB50CFA9C9857EDBBF6EF48304F558529E809AB254EB349846CF81

Function 02971E38 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3117036002.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14ba2b11188dad80cc8f9cd71baed012bace331f1512afc8da2da3f3fa9dabfa
Instruction ID: 0bd0fcb45027eb11cd681f9b1dd0132294dd6d0662424a7b9398b79d548ade44
Opcode Fuzzy Hash: 14ba2b11188dad80cc8f9cd71baed012bace331f1512afc8da2da3f3fa9dabfa
Instruction Fuzzy Hash: BC818B70B012018FD729EB38C56476EBBE6BF89304F248569C81A9B795DB35DC82CB90

Function 02971CE8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3117036002.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9211a8aa2138f0aed0f5350979920e83811c3f8263ed3072d153c2cec2e44d3c
Instruction ID: d9db0bdf1d7da29ada0d75656cd5390905800866188d5c1bf4da34e6ca7f4796
Opcode Fuzzy Hash: 9211a8aa2138f0aed0f5350979920e83811c3f8263ed3072d153c2cec2e44d3c
Instruction Fuzzy Hash: 39F06D3090A388AFCB42DFB8DD20668BFF4DE4A20471581EAD448DB663DB315E06C751

Function 029721B9 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3117036002.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cd32dc35b0864985ddf25c2edb1b9b2c993fffdfc91ea4e3e73a049603f2768
Instruction ID: 032922ef78e0f93205d0ae212929b55f0afa29b05cdc5ac828b3a615de118e17
Opcode Fuzzy Hash: 9cd32dc35b0864985ddf25c2edb1b9b2c993fffdfc91ea4e3e73a049603f2768
Instruction Fuzzy Hash: A8419D31B012449FCB19EB78D954BAE7BB2EF88304F108479E906AB259DF31AD46CB50

Function 02971440 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3117036002.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3375c00dd1ddb8e1f663a46edf683c882295e59dbf87b4a02d33d8a4a5b2de26
Instruction ID: e1cbfff3952e7814e77f6fa072da0fcffedaf7dc93bd74d0b57c5231d4eaf385
Opcode Fuzzy Hash: 3375c00dd1ddb8e1f663a46edf683c882295e59dbf87b4a02d33d8a4a5b2de26
Instruction Fuzzy Hash: 7B419F74B002149FEB14DB69D854BAD7BFAEF88310F104069E50AE77A0DF759C428B94

Function 029734B1 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3117036002.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90c37df430dd628340e0cbb6c6f6eddb78774894c3b92638b4b570c032f610d1
Instruction ID: ad2c29489006ab6837192a68bb3f72f70381a85fe5e5081febc73573a85f94ea
Opcode Fuzzy Hash: 90c37df430dd628340e0cbb6c6f6eddb78774894c3b92638b4b570c032f610d1
Instruction Fuzzy Hash: 2831E4B1B403109FE711AB78C844BAEBBF1EB88754F1444A9E50EAB245DB318C128B95

Function 029735F0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3117036002.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6d4773df91da53f2c8123dd85eac6aa5e5559ff662257660b1486041844990d
Instruction ID: e2942e6c63c2cfe3780272f7faf7f0a39dda8ec534e42d3d520053a612389d63
Opcode Fuzzy Hash: c6d4773df91da53f2c8123dd85eac6aa5e5559ff662257660b1486041844990d
Instruction Fuzzy Hash: 37318D74A143148FDB29AF38C954B6EB7B6FFC9305F104569C906AB7A0DF399801CB91

Function 02973608 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3117036002.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef7daf84a1d5228fa3e4a56d9db664689642ea1bc9bbd83a188a03b092eabe67
Instruction ID: 50d9b5d4522ef54ba9d81a0d2a7ce9388d0fff584321c4f44e384fc78bf23afc
Opcode Fuzzy Hash: ef7daf84a1d5228fa3e4a56d9db664689642ea1bc9bbd83a188a03b092eabe67
Instruction Fuzzy Hash: 16315934B102188FDB29AF38C954A6EB3B6BFC9305F104569C906AB7A4DF399801CB95

Function 029740D5 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3117036002.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f45d0577698b902225e46945c312a583b886a93fd0f2b494aa0f5ee617ab8317
Instruction ID: f7fea5eb0622a2b1172bb32f237a144a931a94af2d11fa3113ac2e3367450272
Opcode Fuzzy Hash: f45d0577698b902225e46945c312a583b886a93fd0f2b494aa0f5ee617ab8317
Instruction Fuzzy Hash: 2F41DFB0D003489FDB14DFA9C884ADEBBF5EF48314F24842EE819AB250DB759946CB94

Function 029724F8 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3117036002.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b06b55a3c86e2955ecf6a3d1fa624bb372124927d0aab8d7725d4a3b29f9f66
Instruction ID: f6a37d995a1e0b7da66ce7744ecc0abd49a139cea4de6bb3a608577ca631b9c0
Opcode Fuzzy Hash: 0b06b55a3c86e2955ecf6a3d1fa624bb372124927d0aab8d7725d4a3b29f9f66
Instruction Fuzzy Hash: A5314E74B101048FDB14DB69C568B6977F6AF88B10F258069E906EB3A1DB71EC41CB90

Function 029740E0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3117036002.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65fdfbca327e5651e02ee49f22f2cbd23b85b5956bfb283676f6f59f75bad3a1
Instruction ID: 49aee71773e22d2199cd4453731c873f92322727505d3b084a7c2fab702a59d4
Opcode Fuzzy Hash: 65fdfbca327e5651e02ee49f22f2cbd23b85b5956bfb283676f6f59f75bad3a1
Instruction Fuzzy Hash: 0341FEB0D00348DFDB14DFA9C884ADEBBF5FF48314F10842AE819AB250DB75A945CB90

Function 02971889 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3117036002.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87531bf6a69ccabd59f856a653bb6e24c5625ff37be31264f2fa4b8cbae223b4
Instruction ID: d484af306cbfe41b48406fc3a6c51b1d7d9da57cb435f93f72d1f17b177a3ced
Opcode Fuzzy Hash: 87531bf6a69ccabd59f856a653bb6e24c5625ff37be31264f2fa4b8cbae223b4
Instruction Fuzzy Hash: B6318B31B013458FCB25EB79D440A9EBBF7AFC9314B244479C449AB351DB369D46CB90

Function 02976D88 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3117036002.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3304b5f235cbd85062078f27f861dbf6445058f8eccf3d2900aadb3359a5afb6
Instruction ID: 133e2f5162cc86f9b45c7a2ba7781fd58593d3c71cdef34dfe79dc7d675968a9
Opcode Fuzzy Hash: 3304b5f235cbd85062078f27f861dbf6445058f8eccf3d2900aadb3359a5afb6
Instruction Fuzzy Hash: 5E317130A007148FEB25AB78C9547AE7BBAEF88315F140469D901AB3A0DF35DC52CBB1

Function 02970D78 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3117036002.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed75e71166425039e798918d74a5bd914c638a73b34dede12487c21d75297510
Instruction ID: 5213abb0c040a252721d7112781787984ad0e7e04754e8c94bab46a93f76cb0c
Opcode Fuzzy Hash: ed75e71166425039e798918d74a5bd914c638a73b34dede12487c21d75297510
Instruction Fuzzy Hash: 61314F397003008FC718AB75E958A2E7BA6EF88315710896DE507DBB65DF31DD428F90

Function 02970D68 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3117036002.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad8684fbaeda85d8aefcf0fb7af5f734b8c63409ca5f04f409917c8966f9dd1c
Instruction ID: 386568b065945c3b94b904ed5612ff7b04586ffd2c1b7edc69f526a2db1d8da7
Opcode Fuzzy Hash: ad8684fbaeda85d8aefcf0fb7af5f734b8c63409ca5f04f409917c8966f9dd1c
Instruction Fuzzy Hash: BB316D393013008FC718AB75D958A2E7BA6EF89215710896DE406DB765EF31EC06CF90

Function 02976D98 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3117036002.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c4dc4c3edcfa3c5394110a895e58d518c4531af575d097648f5793ea30bbb8e
Instruction ID: 9509d99c6a2b791a9a3356a91eb829ca29caf8642d134047393365437a769836
Opcode Fuzzy Hash: 3c4dc4c3edcfa3c5394110a895e58d518c4531af575d097648f5793ea30bbb8e
Instruction Fuzzy Hash: 6E214130A006148FEB24AB64C9147AE77BAAFC8315F140469D905BB394DF75DC51CBB5

Function 02970F39 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3117036002.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d5ee33aa3f3f2506a5e8a102c4f221592d995f2e887e2086413e1285a4a60f4
Instruction ID: b59a2d4e8b57e5523e8ecfb84cc1727ff6513f909afd898ad619b2178603f32b
Opcode Fuzzy Hash: 0d5ee33aa3f3f2506a5e8a102c4f221592d995f2e887e2086413e1285a4a60f4
Instruction Fuzzy Hash: 1021F234B002509FDB22EB28DC60B6E7BBAAF89744F104069D9059F395EA74AD0687D1

Function 00BFD06C Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3115459715.0000000000BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bfd000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa85e33e092c71e3d4644abf51cc2ab9b653ff4d635d3ec215ae0264842d8bcb
Instruction ID: bc5a1a7969317a93ecd51135358d30b6d711ccc3fade4b9a321778ddf200db95
Opcode Fuzzy Hash: fa85e33e092c71e3d4644abf51cc2ab9b653ff4d635d3ec215ae0264842d8bcb
Instruction Fuzzy Hash: 53213871500208DFDF15DF50D9C0F26BBA6FB88314F2085A9EA091B255C33AC81ACB62

Function 02971730 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3117036002.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a63f5cca78d2f76ff23a3253da2ad5d6f9ba21ecb0d60d41149aa05af813b0e
Instruction ID: 10ff8d2f568fdfd366876b251cab8ffdb5969c83e3354271da749775bf1031c9
Opcode Fuzzy Hash: 6a63f5cca78d2f76ff23a3253da2ad5d6f9ba21ecb0d60d41149aa05af813b0e
Instruction Fuzzy Hash: 4D214F757006109FD7189B39D854B2A7BFAEFCDB10B1180ADE10ACB771CD25DC028BA4

Function 029707FF Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3117036002.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8533ed66e6f312e7a0bc8abc661c408d9f96fad8962376eb7482d69149dff772
Instruction ID: f7782455437a119a0c0653529e66151595a799a4b6bca0621c4e43b2694a7f8a
Opcode Fuzzy Hash: 8533ed66e6f312e7a0bc8abc661c408d9f96fad8962376eb7482d69149dff772
Instruction Fuzzy Hash: 76216670D093489FCB12DF78C9586987FB4EF46308F1482EAC418DB6A6EB34DA46CB41

Function 00C5D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3115779931.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c5d000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3fc1291e62c66497f6a9928327747d2b8842a2bfae5b71f73a7e638f6a412d8
Instruction ID: 771ce53419e9b873d7ed0e9df15428ac10322d150c170c448f38b6f5ab4ed5c9
Opcode Fuzzy Hash: a3fc1291e62c66497f6a9928327747d2b8842a2bfae5b71f73a7e638f6a412d8
Instruction Fuzzy Hash: 0E21D079604304DFDB24DF14D9C0B16BB65EB84315F20C569EC0A4B296C33AD88BCA66

Function 02971740 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3117036002.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c5bdb5cf3b2b89c1869e5abef7b4aca1757250bd3ef71aa6cc6d23744ad6b80
Instruction ID: 74da947a0dcc8751f35688298c59c38e3e489b191f1cacba9a3c93dce52cc180
Opcode Fuzzy Hash: 5c5bdb5cf3b2b89c1869e5abef7b4aca1757250bd3ef71aa6cc6d23744ad6b80
Instruction Fuzzy Hash: 2A212EB57006149FD7189B3AD854F2A77EAEFCCB10B1180A9E50ACB771CE65DC428B94

Function 02976EC4 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3117036002.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55d0b82aa148d0756bc4bdc4517a8e3acc584fda15fe62a0b1f375b30d5907f7
Instruction ID: 06534cebee846cb92e57dd5a9df84eae2a5341406ac8d6f52bfb848a74e24419
Opcode Fuzzy Hash: 55d0b82aa148d0756bc4bdc4517a8e3acc584fda15fe62a0b1f375b30d5907f7
Instruction Fuzzy Hash: 18119E75B002048BDB58EB7984597AF7BA7ABC4355F10883AD90ADB384EF34D9438BC1

Function 00C5D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3115779931.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c5d000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23fe3b0b4b036dd7ef2990e2b5614116378a1c13bfc4e5e0153c1a753cf5b34f
Instruction ID: 5d66114dae09cad9359aa20bd59d72709b56ed263092e85f2c273c37d0864ffc
Opcode Fuzzy Hash: 23fe3b0b4b036dd7ef2990e2b5614116378a1c13bfc4e5e0153c1a753cf5b34f
Instruction Fuzzy Hash: AE218E755093808FCB12CF20D990715BF71EB86314F28C5EAD8498F6A7C33A984ACB62

Function 02972378 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3117036002.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93db11c9b8fde6b13c40614b19b8e10ef9195ee12583fe49fe9920f31bd6b317
Instruction ID: bb387c107cae47ec64a2ef79e44a026f09307706d1c7f17d38474c4098a3a5c3
Opcode Fuzzy Hash: 93db11c9b8fde6b13c40614b19b8e10ef9195ee12583fe49fe9920f31bd6b317
Instruction Fuzzy Hash: 9921AF72E006599BCB15DFA4CC105DDFBB2EF9A310F19811AD8457B310DB716A46CBA0

Function 00BFD067 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3115459715.0000000000BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bfd000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81a36057949d666c87806d9bdfbde1415de587814fe5d04d2efaf389bb549fa8
Instruction ID: 13ff36e7f296d9fcdc899b610421b9a55657633dbc174dcc1e914c65ec4b9e2e
Opcode Fuzzy Hash: 81a36057949d666c87806d9bdfbde1415de587814fe5d04d2efaf389bb549fa8
Instruction Fuzzy Hash: D921C076404284DFCB06CF00D9C0B16BFB2FB88314F2486A9D9481B656C33AD52ACB91

Function 02972388 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3117036002.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c03d8aacc2d5b2acd52bd2e22983dee0110d04065b0feffd6fc289e4a139952a
Instruction ID: c3e01275a624df5a74ed06ba58a9293bfd92ee0bc5e16b1840c9e4843afb4393
Opcode Fuzzy Hash: c03d8aacc2d5b2acd52bd2e22983dee0110d04065b0feffd6fc289e4a139952a
Instruction Fuzzy Hash: 71115B72E006199BCB15DFA8CC105DDBB76EF99310F25812AD9097B350EB716A46CB90

Function 02970848 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3117036002.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9db14193a33dfe79b54e5f77308cf9334be7a4904619736cb40690991d6a2377
Instruction ID: 31e2e0caa6e01fc3712225344f614b307508d298aa3366ebb0e6f85e0caad4a8
Opcode Fuzzy Hash: 9db14193a33dfe79b54e5f77308cf9334be7a4904619736cb40690991d6a2377
Instruction Fuzzy Hash: 89112930E05308EFCB15DF68D558B9DBBF5AF45304F1481A6C418AB666E735DA46CB40

Function 00BFD7C9 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3115459715.0000000000BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bfd000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1640395688ce64e3e57c5e104017012608bfe1d17bbc75fa138ae0409354847
Instruction ID: e6d747d03809eb597fb163b53b7b468885278c2ddeb2b235fdd25b152e346600
Opcode Fuzzy Hash: c1640395688ce64e3e57c5e104017012608bfe1d17bbc75fa138ae0409354847
Instruction Fuzzy Hash: 3D01F7314043489AE7205B16CDC4B76BBE9DF41364F18C59AEE094F582C3399C48CAB2

Function 02972460 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3117036002.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a952747c987507b1f7d1a4386e469e593405ded263066e92f7e5b613f5067d8
Instruction ID: 81177873fdb35e1d12df93097ae4e9a4b8b9b126705e94819f7c545e852200df
Opcode Fuzzy Hash: 9a952747c987507b1f7d1a4386e469e593405ded263066e92f7e5b613f5067d8
Instruction Fuzzy Hash: E501F531D01244AFCB00EFB4C9509EEBFB0EF15310B24865AD816E72D0DB315A09CB90

Function 02970EA7 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3117036002.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea71bab39cf930a6d87c066516b7b01c85589ee391bb6aa3d4c27d82a25695a8
Instruction ID: 0b13c2c6bbfb9a0d1f38b0457d9864487a662b07d04d71e12e5e4490169db269
Opcode Fuzzy Hash: ea71bab39cf930a6d87c066516b7b01c85589ee391bb6aa3d4c27d82a25695a8
Instruction Fuzzy Hash: F001B170D053089FCB05EFA8D950AAEBFF5EF55300B1045EAC45497654EB301A06CB81

Function 02972470 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3117036002.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dd85c989de2211b563a4ed306db9d9cb0390bf094f1587089d4e898c7063879
Instruction ID: 9df16877a458139ed9719c2ded8c79b3b53c348ac5942057c8fb8ea3486570f9
Opcode Fuzzy Hash: 6dd85c989de2211b563a4ed306db9d9cb0390bf094f1587089d4e898c7063879
Instruction Fuzzy Hash: DB016272D00109AFCB44EF74C9449EEBBB5EF54310B20825AD826E72D4EB315A15CB91

Function 00BFD7C8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3115459715.0000000000BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bfd000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cca5372a7ed90cbc0a94eefe169761b9703371b6baba18037d4213347e8b394b
Instruction ID: c092cf3bf1bddc56e3dad6b8e83dc9159d7ca9f45480e13213007be78293e579
Opcode Fuzzy Hash: cca5372a7ed90cbc0a94eefe169761b9703371b6baba18037d4213347e8b394b
Instruction Fuzzy Hash: 09F0C231404344AEE7208A06DD84B62FFE8EB41374F18C45AED084B682C2799C44CAB5

Function 02970EB8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3117036002.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 998f0fbc9241861e41491a59990a5cb5936a43d5a4df0d0d2401127842ee01ed
Instruction ID: 6b58fe1ccd8379c4a38e524ab5e3983f7e5005e07622ee24b00fa17cb1df5195
Opcode Fuzzy Hash: 998f0fbc9241861e41491a59990a5cb5936a43d5a4df0d0d2401127842ee01ed
Instruction Fuzzy Hash: 44013174D01308AFDB44EFA8D940AADBBF5FB54344B1046AAC815A7714EB705A068B91

Function 02970920 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3117036002.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b57c7114b5a9cd0c53ee09bbc9638b489e9ae9aeb2859270e97cdb3c271e9b88
Instruction ID: 41b8202414668b86efe6f05c27a94dbd710b9aae78da3fe06a98f47fdc59a83e
Opcode Fuzzy Hash: b57c7114b5a9cd0c53ee09bbc9638b489e9ae9aeb2859270e97cdb3c271e9b88
Instruction Fuzzy Hash: 42E07D327083545FCB06677488643683B66CFC326070940EFDA05C7383CD298C0983D6

Function 02970930 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3117036002.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb9e4e32ad2ad661d49e883df3c4ef549652a44a080c3d763530b3e0098f62d0
Instruction ID: a9fa2d26814dbf4e15592d03b870ce8ce2a02fc013cacd6c76c379d74e3fee3d
Opcode Fuzzy Hash: fb9e4e32ad2ad661d49e883df3c4ef549652a44a080c3d763530b3e0098f62d0
Instruction Fuzzy Hash: 74D0A73570021447CF497279501427D328ACBC7761B404069DA06C3380CE258C0043D5

Function 02971DE0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3117036002.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d17a00c8193e9109a9d0e3430d0e18e33ebf745246b72cad40745779f6423c5d
Instruction ID: 93f333bbb2d0685c63b03d7c427773a71c745d088c4049bb14c99f92d1255b0e
Opcode Fuzzy Hash: d17a00c8193e9109a9d0e3430d0e18e33ebf745246b72cad40745779f6423c5d
Instruction Fuzzy Hash: 76D0127490020CEB8B01DFA4E901A6DB7F9EB44215B1041A9D408D7601DB316F449B45

Function 029708F8 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3117036002.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5102564128307d02d24c1af381ea377ba376e29f680644d27c56b5ab85d72af0
Instruction ID: 4b256e0272d4eb9d07d82fc0a4b14ad6076c77a7ea4ed657428e30aabb4c347c
Opcode Fuzzy Hash: 5102564128307d02d24c1af381ea377ba376e29f680644d27c56b5ab85d72af0
Instruction Fuzzy Hash: EAD01231609304CFCB083B72801C22C3BAAABC970AB2008BD900B8B391EE3AC8008F04

Non-executed Functions

Function 02975FC8 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3117036002.0000000002970000.00000040.00000800.00020000.00000000.sdmp, Offset: 02970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2970000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 301a460954d092897d46fbbbc9e26673d9d7055b303b9d031ccc6a81ccbe887a
Instruction ID: c7ddc84222367b4ac7218832a0f54b8017231bc95134b3d2ae4db248f07f5cd0
Opcode Fuzzy Hash: 301a460954d092897d46fbbbc9e26673d9d7055b303b9d031ccc6a81ccbe887a
Instruction Fuzzy Hash: 7CB16D70E00609CFDB14CFA9C885BEEBBFAAF88714F148529D815E7294EB359845CF85

Analysis Process: Browser.Daemon.exePID: 7616, Parent PID: 4056COMMON

Executed Functions

Function 02BE143B Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1373530907.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2be0000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3e537adbe67360438f8cd97761025a59f78b7eae770d7bdb69ee2fc9027f10e
Instruction ID: 586e4d322713c6236a04fe5e7745fe71a17effebbbe569e8ef8bbdbdb967d34f
Opcode Fuzzy Hash: f3e537adbe67360438f8cd97761025a59f78b7eae770d7bdb69ee2fc9027f10e
Instruction Fuzzy Hash: 19418E74B102149FEB14DB69D494BADBBFAEF88300F244069E506E7794CF359C028B94

Function 02BE0D78 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1373530907.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2be0000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 625a77e577e70320a1e6dbc77ce577ca66101857cdd04d0ba4a93d2a1c633ea7
Instruction ID: ad6217f7c98206a38c32ad882e5b70c97b43743d02e774e07e6ad0ac317369c2
Opcode Fuzzy Hash: 625a77e577e70320a1e6dbc77ce577ca66101857cdd04d0ba4a93d2a1c633ea7
Instruction Fuzzy Hash: B93121357012008FD728BB75E45892AB7AAEF883157108D6DE407CBB59DF75EC068F90

Function 02BE0D6B Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1373530907.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2be0000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c17109083082a3b6f6e87399cac8598020b067077bb7a46f239b958915e29c4a
Instruction ID: eda9e1c6b7d92c47d3080cfea906998c21ee4ebee0b8cf1e08c3ef072d7a2f00
Opcode Fuzzy Hash: c17109083082a3b6f6e87399cac8598020b067077bb7a46f239b958915e29c4a
Instruction Fuzzy Hash: 26212F357012008FD728BB79D89892A7BAAEF893117108D6DE407CB759DF75EC068F90

Function 02BE07FF Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1373530907.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2be0000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d95d4034abda1d46f0d9e9a29af7d45a6d304adada12928debda43609c675203
Instruction ID: 8644bfc822f5bea7e995ba71c11d80300094e8264447ff7c80681abc256211ce
Opcode Fuzzy Hash: d95d4034abda1d46f0d9e9a29af7d45a6d304adada12928debda43609c675203
Instruction Fuzzy Hash: 77217C70D05348AFCB12EB78C4546987FB4EB42304F1586EAC065EB566E738ED46CB51

Function 0133D06C Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1373060406.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_133d000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b74d8079afcdbeb6690a7d8137085a11e2a28ecaf0e7a9f6cd50bd0096dfe28
Instruction ID: ea1958f05e0507d6375bf9c77fe354fa7771e556afb60982934aa07a24ee54e1
Opcode Fuzzy Hash: 8b74d8079afcdbeb6690a7d8137085a11e2a28ecaf0e7a9f6cd50bd0096dfe28
Instruction Fuzzy Hash: 16213372900204EFDF15DF94D9C0F16BBA6FBC8718F608269E9090F656C33AC416CBA6

Function 02BE1733 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1373530907.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2be0000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67992c232b819ec9824d87d43afadf143eab550d7d88dbee3a0092f6a1e22519
Instruction ID: 3b425136dcf84e4800653f78eb8ed5599b85cb8bef14b1ace02785a040b14080
Opcode Fuzzy Hash: 67992c232b819ec9824d87d43afadf143eab550d7d88dbee3a0092f6a1e22519
Instruction Fuzzy Hash: 75213E757006109FD719AB3ED854A2A7BFAEFC9610B1180ADE50ACB771CE75DC028BA4

Function 0134D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1373173681.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_134d000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e46f709a385b1e2b0e2d81ad2c4ce6851eb35e38733736b8ffd1dad414bf84a
Instruction ID: da18144bfd6ed5a93b33ec7f7a49e6cb1f724aa2fc7d41f58290cd84891d3aba
Opcode Fuzzy Hash: 0e46f709a385b1e2b0e2d81ad2c4ce6851eb35e38733736b8ffd1dad414bf84a
Instruction Fuzzy Hash: 12212271604304DFDB25DF94D9C0B16BBA5FB94318F20C56DD80A0B696C33AE447CA62

Function 02BE1740 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1373530907.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2be0000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1ad3779a457eff8307520b1b8ae7489296ff77308279e81430a4ef5a89819ce
Instruction ID: 3278cdd255ed053b9b4501d400fb23fb038737b1a67a5d11dbf635fc25b65a4f
Opcode Fuzzy Hash: a1ad3779a457eff8307520b1b8ae7489296ff77308279e81430a4ef5a89819ce
Instruction Fuzzy Hash: EB212CB57006109FD718AB2ED854B2A77EAEFCCB11B118069E50ACB771CE75DC428BA4

Function 0134D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1373173681.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_134d000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbafcc7ad018abae8d8108ddaad318d23ffd0fffa5ca8fdd52fb6b13c41bbff4
Instruction ID: 9be1ebae2c827b72dce54c0353c80239c632dc6c61a0a89c081c8483f5a980e1
Opcode Fuzzy Hash: cbafcc7ad018abae8d8108ddaad318d23ffd0fffa5ca8fdd52fb6b13c41bbff4
Instruction Fuzzy Hash: 932192755083809FCB03CF54D994711BFB1EB46318F28C5DAD8498F2A7C33A9806CB62

Function 0133D067 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1373060406.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_133d000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81a36057949d666c87806d9bdfbde1415de587814fe5d04d2efaf389bb549fa8
Instruction ID: e10f2edfab7ebd9a005091ae9643dd578f2f98d18b1f71b8eec87a14add0d17f
Opcode Fuzzy Hash: 81a36057949d666c87806d9bdfbde1415de587814fe5d04d2efaf389bb549fa8
Instruction Fuzzy Hash: 7921CD76804280DFCB16CF54D9C0B16BF72FB88318F2486A9D9480B656C33AD426CBA1

Function 02BE0848 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1373530907.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2be0000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c64a14e28fe12c74bc9ce69dc0a1ff6f14f59924db1227fe62d41b565367bf2
Instruction ID: b2f6ba7176290a62bfde6a98f49f252a203852fe4fe5f33a7115512ff2b55630
Opcode Fuzzy Hash: 7c64a14e28fe12c74bc9ce69dc0a1ff6f14f59924db1227fe62d41b565367bf2
Instruction Fuzzy Hash: 86112930E05248AFCB11EF78D558B9DBBB5EF45304F1085E6D415EB665EB34AE42CB40

Function 0133D7C9 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1373060406.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_133d000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35982a1336e79be9b4a3a79d53ff3d3242e2c461b4f8f2c63d515d3b22533f9d
Instruction ID: a5c8f693c0415d3641465c9f4941872a1cd2d6b886efe9bc1c523845d99cc40c
Opcode Fuzzy Hash: 35982a1336e79be9b4a3a79d53ff3d3242e2c461b4f8f2c63d515d3b22533f9d
Instruction Fuzzy Hash: FC01F771404344AEF7214E55CD84B66BFECDF81228F58C51AED1D0E682C339A840CABA

Function 02BE0EA7 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1373530907.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2be0000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa1d4206c7320923c0806aecd6aa3d21a9728ed747fcd3af33c6a907fc9d9dbd
Instruction ID: d4c918630003844cf3c826f476ce75b15ddab14a83d07d7783d6293aab1b406b
Opcode Fuzzy Hash: aa1d4206c7320923c0806aecd6aa3d21a9728ed747fcd3af33c6a907fc9d9dbd
Instruction Fuzzy Hash: 96017C74D06248AFCB05EFA8D8905ADBFB5EF85300F108AAAD455E7654EB301E16CB52

Function 0133D7C8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1373060406.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_133d000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c568be20252bbf2d8f9195afe870fd517ec7538de7fd963ff1fd40a4536b3ca7
Instruction ID: 4e65e5f0435272a73d3fac1a3920c3c982f9c721e55a24dff98913b3a38a753a
Opcode Fuzzy Hash: c568be20252bbf2d8f9195afe870fd517ec7538de7fd963ff1fd40a4536b3ca7
Instruction Fuzzy Hash: C1F0C272404344AEE7208E0ADD84B66FFA8EF81624F18C05AED0C0F682C279A840CBB5

Function 02BE0EB8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1373530907.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2be0000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e4e7b7313a15d140fe8bcfde4a9561a05eedd98bfc07b35ae9bd8135fca4da7
Instruction ID: ba9ef7f753aad758ed183a8657658afbf1453aaa21d927b9c6a5d00ede697b93
Opcode Fuzzy Hash: 9e4e7b7313a15d140fe8bcfde4a9561a05eedd98bfc07b35ae9bd8135fca4da7
Instruction Fuzzy Hash: 0D013C74D01209AFCB04FFA8D880AADBBB9FF44300B0086A9D815E7214EB706E128B91

Function 02BE0920 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1373530907.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2be0000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a729bb70b2051bcf6b405124bdad1b42cbd1fa844e5ef903109ff1334622950
Instruction ID: e9d506e9d6f8bb4b2cf2239c103c50fd8dcdb52fc4f09f8a8263a16d40c85616
Opcode Fuzzy Hash: 6a729bb70b2051bcf6b405124bdad1b42cbd1fa844e5ef903109ff1334622950
Instruction Fuzzy Hash: 50E07D367083205FCF46677844102AA37BAEF8732471140E9D902DB382CE279C02C3D6

Function 02BE0930 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1373530907.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2be0000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59bdc9164515789dd5d0172bad5b8071d8f3269e694f7221fd7bcd7adea7fca8
Instruction ID: 18429462c489038836cc2997b6e5f17a830b53c07a164bdcb9f29554281566c3
Opcode Fuzzy Hash: 59bdc9164515789dd5d0172bad5b8071d8f3269e694f7221fd7bcd7adea7fca8
Instruction Fuzzy Hash: 53D0A73570021447CB48727D501426E725ADBC7625B004028DA06C7380CE259C0043D5

Function 02BE08F8 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1373530907.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2be0000_Browser.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5102564128307d02d24c1af381ea377ba376e29f680644d27c56b5ab85d72af0
Instruction ID: fcdede1555e053e1c26c966ad44d8edd523889e5c58e9b28c6b346e6e4dcc66f
Opcode Fuzzy Hash: 5102564128307d02d24c1af381ea377ba376e29f680644d27c56b5ab85d72af0
Instruction Fuzzy Hash: F5D01231605304CFCF083771501C12C3BE69B493053100CBD90079B352DF76C4008F04

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.
Tactics:	Persistence
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Browser.Daemon.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Browser.Daemon.exe.log

C:\Users\user\Desktop\BrowserDaemonConfigNew

C:\Users\user\Desktop\LocalVersion

C:\Users\user\Desktop\Logger\Browser.Daemon_2024-12-20.log

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Windows Analysis Report
Browser.Daemon.exe