Edit tour

Windows Analysis Report
relHAD3zcZ.exe

Overview

General Information

Sample name:	relHAD3zcZ.exe renamed because original name is a hash value
Original sample name:	5d7b8fbf7091672744ecb5fd3ff0664032b0463ff332fefaf892105156e71226.exe
Analysis ID:	1579763
MD5:	a1907452a6e7e8748f91900a0383a602
SHA1:	5a59e8301a8175a0128b0da0aba8c2d4a9190764
SHA256:	5d7b8fbf7091672744ecb5fd3ff0664032b0463ff332fefaf892105156e71226
Tags:	exeuser-NDA0E
Infos:

Detection

BlackMoon

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected BlackMoon Ransomware

AI detected suspicious sample

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Detected potential crypto function

Entry point lies outside standard sections

Found inlined nop instructions (likely shell or obfuscated code)

One or more processes crash

PE file contains sections with non-standard names

PE file does not import any functions

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

relHAD3zcZ.exe (PID: 1124 cmdline: "C:\Users\user\Desktop\relHAD3zcZ.exe" MD5: A1907452A6E7E8748F91900A0383A602)

WerFault.exe (PID: 2876 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 236 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
KrBanker, BlackMoon	ThreatPost describes KRBanker (Blackmoon) as a banking Trojan designed to steal user credentials from various South Korean banking institutions. It was discovered in early 2014 and since then has adopted a variety of infection and credential stealing techniques.	No Attribution	http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/ https://fidelissecurity.com/threatgeek/threat-intelligence/blackmoon-banking-trojan-new-framework/ https://www.peppermalware.com/2019/03/analysis-of-blackmoon-banking-trojans.html https://www.proofpoint.com/us/threat-insight/post/Updated-Blackmoon-Banking-Trojan https://www.rapid7.com/blog/post/2023/07/13/old-blackmoon-trojan-new-monetization-approach/	https://malpedia.caad.fkie.fraunhofer.de/details/win.krbanker

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
relHAD3zcZ.exe	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
relHAD3zcZ.exe	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x15c329:$generic_loader_x64: 89 44 24 20 48 8B 44 24 40 0F BE 00 8B 4C 24 20 03 C8 8B C1 89 44 24 20 48 8B 44 24 40 48 FF C0
relHAD3zcZ.exe	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x34dae8:$s1: blackmoon 0x34db28:$s2: BlackMoon RunTime Error:

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x3329:$generic_loader_x64: 89 44 24 20 48 8B 44 24 40 0F BE 00 8B 4C 24 20 03 C8 8B C1 89 44 24 20 48 8B 44 24 40 48 FF C0
00000000.00000000.2048345821.0000000000559000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
00000000.00000000.2048345821.0000000000559000.00000020.00000001.01000000.00000003.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x3329:$generic_loader_x64: 89 44 24 20 48 8B 44 24 40 0F BE 00 8B 4C 24 20 03 C8 8B C1 89 44 24 20 48 8B 44 24 40 48 FF C0
Process Memory Space: relHAD3zcZ.exe PID: 1124	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.relHAD3zcZ.exe.54db8f.2.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0xdb9a:$generic_loader_x64: 89 44 24 20 48 8B 44 24 40 0F BE 00 8B 4C 24 20 03 C8 8B C1 89 44 24 20 48 8B 44 24 40 48 FF C0
0.0.relHAD3zcZ.exe.54db8f.1.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0xdb9a:$generic_loader_x64: 89 44 24 20 48 8B 44 24 40 0F BE 00 8B 4C 24 20 03 C8 8B C1 89 44 24 20 48 8B 44 24 40 48 FF C0
0.0.relHAD3zcZ.exe.536def.4.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x23b3a:$generic_loader_x64: 89 44 24 20 48 8B 44 24 40 0F BE 00 8B 4C 24 20 03 C8 8B C1 89 44 24 20 48 8B 44 24 40 48 FF C0
0.2.relHAD3zcZ.exe.536def.5.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x23b3a:$generic_loader_x64: 89 44 24 20 48 8B 44 24 40 0F BE 00 8B 4C 24 20 03 C8 8B C1 89 44 24 20 48 8B 44 24 40 48 FF C0
0.2.relHAD3zcZ.exe.7339ca.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0.2.relHAD3zcZ.exe.7339ca.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a11e:$s1: blackmoon 0x1a15e:$s2: BlackMoon RunTime Error:
0.0.relHAD3zcZ.exe.7339ca.2.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0.0.relHAD3zcZ.exe.7339ca.2.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1a11e:$s1: blackmoon 0x1a15e:$s2: BlackMoon RunTime Error:
0.2.relHAD3zcZ.exe.7381da.4.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0.2.relHAD3zcZ.exe.7381da.4.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1590e:$s1: blackmoon 0x1594e:$s2: BlackMoon RunTime Error:
0.0.relHAD3zcZ.exe.7381da.5.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0.0.relHAD3zcZ.exe.7381da.5.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1590e:$s1: blackmoon 0x1594e:$s2: BlackMoon RunTime Error:
0.0.relHAD3zcZ.exe.55d806.3.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0.0.relHAD3zcZ.exe.55d806.3.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1f02e2:$s1: blackmoon 0x1f0322:$s2: BlackMoon RunTime Error:
0.2.relHAD3zcZ.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0.2.relHAD3zcZ.exe.400000.0.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x15b729:$generic_loader_x64: 89 44 24 20 48 8B 44 24 40 0F BE 00 8B 4C 24 20 03 C8 8B C1 89 44 24 20 48 8B 44 24 40 48 FF C0
0.2.relHAD3zcZ.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x34cee8:$s1: blackmoon 0x34cf28:$s2: BlackMoon RunTime Error:
0.2.relHAD3zcZ.exe.55d806.3.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0.2.relHAD3zcZ.exe.55d806.3.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x1f02e2:$s1: blackmoon 0x1f0322:$s2: BlackMoon RunTime Error:
0.0.relHAD3zcZ.exe.400000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0.0.relHAD3zcZ.exe.400000.0.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x15b729:$generic_loader_x64: 89 44 24 20 48 8B 44 24 40 0F BE 00 8B 4C 24 20 03 C8 8B C1 89 44 24 20 48 8B 44 24 40 48 FF C0
0.0.relHAD3zcZ.exe.400000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x34cee8:$s1: blackmoon 0x34cf28:$s2: BlackMoon RunTime Error:
Click to see the 17 entries

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: relHAD3zcZ.exe	ReversingLabs: Detection: 36%
Source: relHAD3zcZ.exe	Virustotal: Detection: 41%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 93.5% probability

Machine Learning detection for sample

Source: relHAD3zcZ.exe

Joe Sandbox ML: detected

Source: relHAD3zcZ.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:	Binary string: C:\dvs\p4\build\sw\rel\gpu_drv\r465\r465_00\drivers\display\lddm\nvpciflt\_out\wddm2_amd64_release\nvpciflt.pdb source: relHAD3zcZ.exe
Source:	Binary string: \C++DEMO\Drv0608\x64\Release\Drv.pdb source: relHAD3zcZ.exe
Source:	Binary string: E:\driver_project\zqpj\R3Inject\Release\R3Inject.pdb source: relHAD3zcZ.exe
Source:	Binary string: E:\driver_project\zqpj\R3Inject\x64\Debug\Test.pdb source: relHAD3zcZ.exe

Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_0041044A
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_0041545B
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_0041D06D
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_0040F0E0
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_00406498
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_004014BD
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	0_2_00406544
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	0_2_00406544
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_00406D56
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_00406D56
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_00406D56
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_0041010C
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	0_2_004101D1
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_0041B5DC
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_0041B5DC
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_0041D9E7
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_0041D9E7
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_00417580
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_0041B5A6
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_0041C259
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_0040F25E
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_0040EA66
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	0_2_00408D8E
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_0041DA72
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-54h], esp	0_2_00416214
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-5Ch], esp	0_2_00416214
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-54h], esp	0_2_00416214
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-5Ch], esp	0_2_00416214
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-54h], esp	0_2_00416214
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_00405EC8
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_00405EC9
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_0041B2DF
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_0041B2DF
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_004166EE
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-54h], esp	0_2_00416287
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-5Ch], esp	0_2_00416287
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-54h], esp	0_2_00416287
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-5Ch], esp	0_2_00416287
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-54h], esp	0_2_00416287
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_0040369A
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_0040EAAD
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_0041FB04
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_0041FB04
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_0041FB04
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_0041FB04
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_0041FB04
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_0041FB04
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_0041FB04
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_00403715
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	0_2_004043C4
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	0_2_004043C4
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	0_2_004043C4
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_0041B3D0
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_0041B3D0
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_0041B3D0
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_00413FD5
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then mov eax, dword ptr [esi]	0_2_00404F92
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then mov eax, dword ptr [esi]	0_2_00404F93
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_0040779C
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_0040779C
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_0040779C
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_0040779C
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_00406BA6
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_00406BA6
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_004063AC
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_004063AC

Source: relHAD3zcZ.exe	String found in binary or memory: http://222.186.172.42:1000/D1.dll
Source: relHAD3zcZ.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: relHAD3zcZ.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: relHAD3zcZ.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: relHAD3zcZ.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: relHAD3zcZ.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: relHAD3zcZ.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: relHAD3zcZ.exe	String found in binary or memory: http://crl.thawte.com/ThawtePCA.crl0
Source: relHAD3zcZ.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: relHAD3zcZ.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: relHAD3zcZ.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: relHAD3zcZ.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: relHAD3zcZ.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: relHAD3zcZ.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: relHAD3zcZ.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: relHAD3zcZ.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: relHAD3zcZ.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: relHAD3zcZ.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: relHAD3zcZ.exe	String found in binary or memory: http://cs-g2-crl.thawte.com/ThawteCSG2.crl0
Source: relHAD3zcZ.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: relHAD3zcZ.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: relHAD3zcZ.exe	String found in binary or memory: http://ocsp.digicert.com0N
Source: relHAD3zcZ.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: relHAD3zcZ.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: relHAD3zcZ.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: relHAD3zcZ.exe	String found in binary or memory: http://rb.symcb.com/rb.crl0W
Source: relHAD3zcZ.exe	String found in binary or memory: http://rb.symcb.com/rb.crt0
Source: relHAD3zcZ.exe	String found in binary or memory: http://rb.symcd.com0&
Source: relHAD3zcZ.exe	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: relHAD3zcZ.exe	String found in binary or memory: http://s.symcd.com0
Source: Amcache.hve.3.dr	String found in binary or memory: http://upx.sf.net
Source: relHAD3zcZ.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: relHAD3zcZ.exe	String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$
Source: relHAD3zcZ.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: relHAD3zcZ.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: relHAD3zcZ.exe	String found in binary or memory: https://d.symcb.com/rpa06
Source: relHAD3zcZ.exe	String found in binary or memory: https://www.digicert.com/CPS0

Spam, unwanted Advertisements and Ransom Demands

Yara detected BlackMoon Ransomware

Source: Yara match	File source: relHAD3zcZ.exe, type: SAMPLE
Source: Yara match	File source: 0.2.relHAD3zcZ.exe.7339ca.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.relHAD3zcZ.exe.7339ca.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.relHAD3zcZ.exe.7381da.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.relHAD3zcZ.exe.7381da.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.relHAD3zcZ.exe.55d806.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.relHAD3zcZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.relHAD3zcZ.exe.55d806.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.relHAD3zcZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2048345821.0000000000559000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: relHAD3zcZ.exe PID: 1124, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: relHAD3zcZ.exe, type: SAMPLE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: relHAD3zcZ.exe, type: SAMPLE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.relHAD3zcZ.exe.54db8f.2.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.0.relHAD3zcZ.exe.54db8f.1.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.0.relHAD3zcZ.exe.536def.4.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.relHAD3zcZ.exe.536def.5.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.relHAD3zcZ.exe.7339ca.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.0.relHAD3zcZ.exe.7339ca.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.relHAD3zcZ.exe.7381da.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.0.relHAD3zcZ.exe.7381da.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.0.relHAD3zcZ.exe.55d806.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.relHAD3zcZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.relHAD3zcZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.relHAD3zcZ.exe.55d806.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.0.relHAD3zcZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.0.relHAD3zcZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000000.2048345821.0000000000559000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown

Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 0_2_0041C124	0_2_0041C124
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 0_2_0040518C	0_2_0040518C
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 0_2_00404F92	0_2_00404F92
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 0_2_00404F93	0_2_00404F93

Source: C:\Users\user\Desktop\relHAD3zcZ.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 236

Source: relHAD3zcZ.exe

Static PE information: No import functions for PE file found

Source: relHAD3zcZ.exe	Binary or memory string: OriginalFilename vs relHAD3zcZ.exe
Source: relHAD3zcZ.exe, 00000000.00000000.2048345821.0000000000559000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamenvpciflt.sys vs relHAD3zcZ.exe
Source: relHAD3zcZ.exe	Binary or memory string: OriginalFilenamenvpciflt.sys vs relHAD3zcZ.exe

Source: relHAD3zcZ.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: relHAD3zcZ.exe, type: SAMPLE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: relHAD3zcZ.exe, type: SAMPLE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.relHAD3zcZ.exe.54db8f.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.0.relHAD3zcZ.exe.54db8f.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.0.relHAD3zcZ.exe.536def.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.relHAD3zcZ.exe.536def.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.relHAD3zcZ.exe.7339ca.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.0.relHAD3zcZ.exe.7339ca.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.relHAD3zcZ.exe.7381da.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.0.relHAD3zcZ.exe.7381da.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.0.relHAD3zcZ.exe.55d806.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.relHAD3zcZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.relHAD3zcZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.relHAD3zcZ.exe.55d806.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.0.relHAD3zcZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.0.relHAD3zcZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000000.2048345821.0000000000559000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13

Source: relHAD3zcZ.exe	Binary string: \device\physicalmemory
Source: relHAD3zcZ.exe	Binary string: \Device\^@&%@$#@$@%@*@$@%@%@$@$@%@*@$@%@@&&$@$#&&^@&%@$#@$@%@**@$@%@%@$@$@%@*@$@%
Source: relHAD3zcZ.exe	Binary string: \Device\\\.\
Source: relHAD3zcZ.exe	Binary string: \Device\nvpciflt
Source: relHAD3zcZ.exe	Binary string: \Device\
Source: relHAD3zcZ.exe	Binary string: \Device\NTPNP_PCI
Source: relHAD3zcZ.exe	Binary string: \Device\NvAdminDevice@

Source: classification engine

Classification label: mal76.rans.evad.winEXE@2/5@0/0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1124

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\d5207c3a-0486-484a-9d82-a426ac1d9bb1

Jump to behavior

Source: C:\Users\user\Desktop\relHAD3zcZ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: relHAD3zcZ.exe	ReversingLabs: Detection: 36%
Source: relHAD3zcZ.exe	Virustotal: Detection: 41%

Source: unknown	Process created: C:\Users\user\Desktop\relHAD3zcZ.exe "C:\Users\user\Desktop\relHAD3zcZ.exe"
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 236

Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Section loaded: rasman.dll	Jump to behavior

Source: relHAD3zcZ.exe

Static file information: File size 3674112 > 1048576

Source: relHAD3zcZ.exe	Static PE information: Raw size of L_VhVy is bigger than: 0x100000 < 0x251000
Source: relHAD3zcZ.exe	Static PE information: Raw size of L_XwhY is bigger than: 0x100000 < 0x12e000

Source:	Binary string: C:\dvs\p4\build\sw\rel\gpu_drv\r465\r465_00\drivers\display\lddm\nvpciflt\_out\wddm2_amd64_release\nvpciflt.pdb source: relHAD3zcZ.exe
Source:	Binary string: \C++DEMO\Drv0608\x64\Release\Drv.pdb source: relHAD3zcZ.exe
Source:	Binary string: E:\driver_project\zqpj\R3Inject\Release\R3Inject.pdb source: relHAD3zcZ.exe
Source:	Binary string: E:\driver_project\zqpj\R3Inject\x64\Debug\Test.pdb source: relHAD3zcZ.exe

Source: initial sample

Static PE information: section where entry point is pointing to: L_XwhY

Source: relHAD3zcZ.exe	Static PE information: section name: L_VhVy
Source: relHAD3zcZ.exe	Static PE information: section name: L_XwhY

Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 0_2_004984A0 push eax; ret		0_2_004984CE
Source: C:\Users\user\Desktop\relHAD3zcZ.exe	Code function: 0_2_0040B6ED push es; iretd		0_2_0040B6EE

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Source: C:\Users\user\Desktop\relHAD3zcZ.exe

Code function: 0_2_0041C124

0_2_0041C124

Source: C:\Users\user\Desktop\relHAD3zcZ.exe

Code function: 0_2_0041C124 rdtsc

0_2_0041C124

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\relHAD3zcZ.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\relHAD3zcZ.exe

Code function: 0_2_0041C124 rdtsc

0_2_0041C124

Source: C:\Users\user\Desktop\relHAD3zcZ.exe

Code function: 0_2_004175DB mov eax, dword ptr fs:[00000030h]

0_2_004175DB

Source: C:\Users\user\Desktop\relHAD3zcZ.exe

Code function: 0_2_0041C124 cpuid

0_2_0041C124

Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	131 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	111 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
relHAD3zcZ.exe	37%	ReversingLabs
relHAD3zcZ.exe	42%	Virustotal	Browse
relHAD3zcZ.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://222.186.172.42:1000/D1.dll	relHAD3zcZ.exe	false	unknown
http://www.eyuyan.com)DVarFileInfo$	relHAD3zcZ.exe	false	unknown
http://upx.sf.net	Amcache.hve.3.dr	false	high
http://cs-g2-crl.thawte.com/ThawteCSG2.crl0	relHAD3zcZ.exe	false	high
http://crl.thawte.com/ThawtePCA.crl0	relHAD3zcZ.exe	false	high
http://ocsp.thawte.com0	relHAD3zcZ.exe	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1579763
Start date and time:	2024-12-23 08:42:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	relHAD3zcZ.exe renamed because original name is a hash value
Original Sample Name:	5d7b8fbf7091672744ecb5fd3ff0664032b0463ff332fefaf892105156e71226.exe
Detection:	MAL
Classification:	mal76.rans.evad.winEXE@2/5@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 40
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.208.16.94, 40.126.53.15, 4.175.87.197, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
Execution Graph export aborted for target relHAD3zcZ.exe, PID 1124 because there are no executed function

Simulations

Behavior and APIs

Time	Type	Description
02:43:42	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_relHAD3zcZ.exe_3f3a4de3cefcddd217d3b74e32a13259cf428_197426d3_1ecb25d3-56db-4679-b7b6-ef8678d66f11\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8581952166947989
Encrypted:	false
SSDEEP:	96:E0FLsMhmiGSsLgx1yDfxQXIDcQmc6NcEgcw3U+HbHg/opAnQu3q8PCFLnFTfEoD1:lBESz04JqhjqQZrFzuiFvZ24IO8E
MD5:	982A5B8D25C25A74410256B980DD9E08
SHA1:	1D30717A2DD86176A7638FA8C0D754C4F822AF3D
SHA-256:	970080D309ECE631B9745470D4C642ED72FE9738DFBC573D24ED6217387DB77D
SHA-512:	AC9965758F3F18314C791B8A2152099C902DA289A56326E14205D276C51B00021230B53C3AB3197C955136B658DCC22CEEC7FA4EFDA5A6FD58DE29552E4D5CF4
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.4.1.3.3.8.4.3.1.9.3.9.0.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.4.1.3.3.8.4.8.9.7.5.0.4.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.e.c.b.2.5.d.3.-.5.6.d.b.-.4.6.7.9.-.b.7.b.6.-.e.f.8.6.7.8.d.6.6.f.1.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.f.4.d.c.6.e.b.-.9.6.d.8.-.4.4.a.d.-.8.2.2.e.-.8.f.c.8.9.9.a.7.7.9.f.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.e.l.H.A.D.3.z.c.Z...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.4.6.4.-.0.0.0.1.-.0.0.1.4.-.5.0.9.8.-.6.e.4.c.0.e.5.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.b.e.4.c.c.0.0.4.d.f.2.4.3.6.2.7.5.7.d.8.1.5.5.4.e.0.3.b.b.8.e.0.0.0.0.0.4.0.8.!.0.0.0.0.5.a.5.9.e.8.3.0.1.a.8.1.7.5.a.0.1.2.8.b.0.d.a.0.a.b.a.8.c.2.d.4.a.9.1.9.0.7.6.4.!.r.e.l.H.A.D.3.z.c.Z...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCA94.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Dec 23 07:43:04 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	31580
Entropy (8bit):	2.105865848554537
Encrypted:	false
SSDEEP:	192:eekS7mXs7/OdwyWflc+emftN3ojtU/9/PJR:lD7d66y8lc+em1N3ojal3j
MD5:	6849EF68FBFE0ADC9AF05ECE63ED8776
SHA1:	9348320F08A9C16A00C398463D29E65701BB8D5C
SHA-256:	A241E519A7A10AC859CEBB28C696236270325D523FD465C1723C3DB3D7500472
SHA-512:	EA5C8EBE5D1A709095A622370D6CFA92E3989A2CD6A77867A2D69344140FE7E72842896798656FE02E7C0F08AEC737CC5B9D3F340CE20C4A3967C8E059D07741
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........ig........................\...............b'..........T.......8...........T................q......................................................................................................eJ......\|.......GenuineIntel............T.......d.....ig.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCB41.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8302
Entropy (8bit):	3.693793447202947
Encrypted:	false
SSDEEP:	192:R6l7wVeJJZ6eK6YEIUSU9l0gmfwJ4JpDB89bI/sfYBYm:R6lXJH676YELSU9l0gmfwJ4CIkfYL
MD5:	8196F315489CDD8DB091C7B588B32096
SHA1:	A2C76064E0EDBD02F0A276559A5CE888F65F0366
SHA-256:	B48750F36672824334819D62029A4B91FCA3D9201C87942A8429C0B145EC0CE7
SHA-512:	4256008350EFE8C9604EA54A6F91CD73E753E2E343C98D0708B2C0BCFC29BA4B81827EB230FB56BADDDAFE4BC53A5DE0A5EDB0D658D0B9EA69F0902C73E7A9BE
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.1.2.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCC1D.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4585
Entropy (8bit):	4.453365985272373
Encrypted:	false
SSDEEP:	48:cvIwWl8zsnOJg77aI9yNWpW8VYMYm8M4J9NFW+q8FnQYBk9Td:uIjfnEI7o87VYJonk4Td
MD5:	82D6EEB80DBA24AE1D5A82AABEFF08FB
SHA1:	8C09C63C40BC297232C877429BD9405B3232BC67
SHA-256:	BEEF95AB9A333B5DAC62B2C5E4175FBB43AF6186A6B31A0D870D6843C30CD088
SHA-512:	F87BA95F9FDA3F1C6078B1D8FF11B6ABC8873FF9A1B340E5C11F871FA69F41899492311DB7377A193557EB54AFFC5B73B79070D70A042C97F9CB5B4D18CBA086
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="643605" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.421595376491984
Encrypted:	false
SSDEEP:	6144:JSvfpi6ceLP/9skLmb0OTXWSPHaJG8nAgeMZMMhA2fX4WABlEnNq0uhiTw8:AvloTXW+EZMM6DFyQ03w8
MD5:	EA55818CDC1ABB7D263D2165FB2A1D84
SHA1:	FBC3640EB74238E05E3C501EB3DD6A6D47ABF319
SHA-256:	6B1540A1F51D1FE5611B372CB345F055567033793EC8E0FEEF98A659190EE708
SHA-512:	FED43D2B08978E95D50A3D117BBD771AFD6E120EB1E2D637FA402CEFD414D2B5373FC4F4AB7791EEEC62BD7E2624111D42DCEC7166385E42B684ECDF657760BE
Malicious:	false
Reputation:	low
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.^.L.U..............................................................................................................................................................................................................................................................................................................................................r..x........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.61591521721015
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	relHAD3zcZ.exe
File size:	3'674'112 bytes
MD5:	a1907452a6e7e8748f91900a0383a602
SHA1:	5a59e8301a8175a0128b0da0aba8c2d4a9190764
SHA256:	5d7b8fbf7091672744ecb5fd3ff0664032b0463ff332fefaf892105156e71226
SHA512:	99f4021c7d6262e9da5471d5e6062894d5c48db7245d808f308bf94fa4b64d4adc4c8bdad92e8728c570880fc31e46d2a08424af63fddfbb2ae61bb0a6e9dbad
SSDEEP:	49152:XmfO1+/gMtaL/lDTR0mCw/et56VRx4ZPXUHZ6:ftxLZTR0KetU+
TLSH:	CF062C017D7AC142F25458BC737553A6E870B1600A76C6F3ABFDCBA12B31AE05A79339
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......v.3z2.])2.])2.])I.Q)0.])...)5.])..S)..])..W)..])..W)0.])..Y)0.])...)..])2.\)..])..V)..])2.])3.])..V)8.])Rich2.])........PE..L..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x77eec0
Entrypoint Section:	L_XwhY
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x6768EB50 [Mon Dec 23 04:47:12 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
pushad
mov esi, 00652000h
lea edi, dword ptr [esi-00251000h]
push edi
mov ebp, esp
lea ebx, dword ptr [esp-00003E80h]
xor eax, eax
push eax
cmp esp, ebx
jne 00007FFB54BE871Dh
inc esi
inc esi
push ebx
push 0037C235h
push edi
add ebx, 04h
push ebx
push 0012CEB7h
push esi
add ebx, 04h
push ebx
push eax
mov dword ptr [ebx], 00020003h
push ebp
push edi
push esi
push ebx
sub esp, 7Ch
mov edx, dword ptr [esp+00000090h]
mov dword ptr [esp+74h], 00000000h
mov byte ptr [esp+73h], 00000000h
mov ebp, dword ptr [esp+0000009Ch]
lea eax, dword ptr [edx+04h]
mov dword ptr [esp+78h], eax
mov eax, 00000001h
movzx ecx, byte ptr [edx+02h]
mov ebx, eax
shl ebx, cl
mov ecx, ebx
dec ecx
mov dword ptr [esp+6Ch], ecx
movzx ecx, byte ptr [edx+01h]
shl eax, cl
dec eax
mov dword ptr [esp+68h], eax
mov eax, dword ptr [esp+000000A8h]
movzx esi, byte ptr [edx]
mov dword ptr [ebp+00h], 00000000h
mov dword ptr [esp+60h], 00000000h
mov dword ptr [eax], 00000000h
mov eax, 00000300h
mov dword ptr [esp+64h], esi
mov dword ptr [esp+5Ch], 00000001h
mov dword ptr [esp+58h], 00000001h
mov dword ptr [esp+54h], 00000001h
mov dword ptr [esp+50h], 00000001h

Rich Headers

Programming Language:

[ C ] VS98 (6.0) SP6 build 8804
[ C ] VS98 (6.0) build 8168
[C++] VS98 (6.0) SP6 build 8804
[C++] VS98 (6.0) build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x38029c	0x408	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x380000	0x29c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
L_VhVy	0x1000	0x251000	0x251000	f6c178e6e3fc1c7dbda3da0606364352	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
L_XwhY	0x252000	0x12e000	0x12e000	82a4f58178bee52223fa314e2a9bb95a	False	0.2804060171771523	data	5.842026972391027	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x380000	0x1000	0x1000	36b251234a8ee2e00737abcd88edd73f	False	0.21826171875	data	2.118107409132698	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x38005c	0x240	data	Chinese	China	0.5642361111111112

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: relHAD3zcZ.exePID: 1124, Parent PID: 1028

General

Target ID:	0
Start time:	02:43:03
Start date:	23/12/2024
Path:	C:\Users\user\Desktop\relHAD3zcZ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\relHAD3zcZ.exe"
Imagebase:	0x400000
File size:	3'674'112 bytes
MD5 hash:	A1907452A6E7E8748F91900A0383A602
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmp, Author: unknown Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000000.00000000.2048345821.0000000000559000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000000.2048345821.0000000000559000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 2876, Parent PID: 1124

General

Target ID:	3
Start time:	02:43:04
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 236
Imagebase:	0x890000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: relHAD3zcZ.exePID: 1124, Parent PID: 1028COMMON

Non-executed Functions

Function 004014BD Relevance: 1.7, APIs: 1, Instructions: 157COMMON

Download Yara Rule

APIs

74275E00.WSOCK32(00000101,?,00000000), ref: 0040159B

Memory Dump Source

Source File: 00000000.00000002.2435336357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2435314147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000554000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000753000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000775000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000777000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.000000000077A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435747810.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_relHAD3zcZ.jbxd

Yara matches

Similarity

API ID: 74275
String ID:
API String ID: 1261545876-0
Opcode ID: 0ac812d6b99fa4943fa342e97fb6fbbf61a8e0afa0129a927afbefa3d267c5e6
Instruction ID: 7e59d1cdd8d3525cc6ab6edc0aa83adb09888951e410cbd8099f39686a1aebeb
Opcode Fuzzy Hash: 0ac812d6b99fa4943fa342e97fb6fbbf61a8e0afa0129a927afbefa3d267c5e6
Instruction Fuzzy Hash: 5C4176F1F40204B7FB10AA95CC86B9E7669EB05704F14447AFA05BB3C2DABF9A04871D

Function 0041545B Relevance: 1.3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

Strings

/TA, xrefs: 00415467

Memory Dump Source

Source File: 00000000.00000002.2435336357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2435314147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000554000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000753000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000775000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000777000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.000000000077A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435747810.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_relHAD3zcZ.jbxd

Yara matches

Similarity

API ID:
String ID: /TA
API String ID: 0-324809113
Opcode ID: b0b0be24c4b633d186ed113a13b6d306fb0af2c5c58a47359fe0eb666398b77c
Instruction ID: 9644b69743e4b293fbcf88b3ef1695a2a485e04720a6aab5d5b0339bfca6c7d2
Opcode Fuzzy Hash: b0b0be24c4b633d186ed113a13b6d306fb0af2c5c58a47359fe0eb666398b77c
Instruction Fuzzy Hash: ADD05E71C45208FBC611AE90A9066BDFA349B53302F4091ABE84526141DA368AA597DF

Function 00406544 Relevance: .6, Instructions: 597COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2435336357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2435314147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000554000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000753000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000775000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000777000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.000000000077A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435747810.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_relHAD3zcZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b2911d95670db5c1ec1b5e50319c091ee338d2c9a00ab8a37a3495bf0390350
Instruction ID: cabe265cfed8e8ad0014d89e5f7561aef1166114ce4eb433d6463682fe1ee1ba
Opcode Fuzzy Hash: 1b2911d95670db5c1ec1b5e50319c091ee338d2c9a00ab8a37a3495bf0390350
Instruction Fuzzy Hash: 2A124FB2E002159FEB00EF95DCC2BAEB7B4EB18314F55003AE906F7342E6799951CB65

Function 00404F92 Relevance: .5, Instructions: 533COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2435336357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2435314147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000554000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000753000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000775000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000777000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.000000000077A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435747810.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_relHAD3zcZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad3491cf661e9a923706b2b6b0e5a54a54df338b23ec50bb0d03071555be11ae
Instruction ID: 05745340090e28d6e98d72ca1503d09c171830692645fe0c81eec1fe7249e2a6
Opcode Fuzzy Hash: ad3491cf661e9a923706b2b6b0e5a54a54df338b23ec50bb0d03071555be11ae
Instruction Fuzzy Hash: CF124D7398560B4BEB1CCD26CCC19D673A3B7D42A871BD27C9829C7644EE7CE60B8640

Function 00404F93 Relevance: .5, Instructions: 533COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2435336357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2435314147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000554000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000753000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000775000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000777000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.000000000077A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435747810.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_relHAD3zcZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3bca41a9c3e84dfce352011b39aaaaf0931ea8f8139a0de10e6b2ef93c451e2
Instruction ID: d1de1f7a3fa20b2a4dc14f35ea425e9e9654ef0833aea187191a52bb6237ec58
Opcode Fuzzy Hash: c3bca41a9c3e84dfce352011b39aaaaf0931ea8f8139a0de10e6b2ef93c451e2
Instruction Fuzzy Hash: D1124E7398560B4BEB1CCD26CCC19D673A3B7D42A871BD27C9829C7644EE7CE60B8650

Function 00406D56 Relevance: .5, Instructions: 481COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2435336357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2435314147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000554000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000753000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000775000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000777000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.000000000077A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435747810.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_relHAD3zcZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4903814049e1b242251b905829b18f88cd7bb40e33f2816b4f9d7930ccac0fc1
Instruction ID: 78b6db656b31ae8c7ca40684f619bfd096487e2895ab42f11769b3f8941a3200
Opcode Fuzzy Hash: 4903814049e1b242251b905829b18f88cd7bb40e33f2816b4f9d7930ccac0fc1
Instruction Fuzzy Hash: FFF190F1A812929BFB00CF58DCC0745B7E1EF69324B291475E84AAB345D379F861DB22

Function 0040518C Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2435336357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2435314147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000554000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000753000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000775000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000777000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.000000000077A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435747810.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_relHAD3zcZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c21c6c952ea1d8bb240efe63d7e2aacfed76bdd68fcca321ce4856bcde52f5e6
Instruction ID: c14e962c586ef25adb960e8883d062411061d178db027b3d5d9c71ef6808cb05
Opcode Fuzzy Hash: c21c6c952ea1d8bb240efe63d7e2aacfed76bdd68fcca321ce4856bcde52f5e6
Instruction Fuzzy Hash: 69C12E7398560B4BEB1CCD26CCC0AD57393B7D42A875BD23DD829C7684EE7CA64B8640

Function 0041FB04 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2435336357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2435314147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000554000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000753000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000775000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000777000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.000000000077A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435747810.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_relHAD3zcZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64244d8879f78ab6b92f0900b01a645f23728cbdb58ef0295ba3f6ea8cfe6654
Instruction ID: 05420a73b4f4109863d64eb068e7a12b6000aa15d2aff673e4bb7882081f6ada
Opcode Fuzzy Hash: 64244d8879f78ab6b92f0900b01a645f23728cbdb58ef0295ba3f6ea8cfe6654
Instruction Fuzzy Hash: E391C9B0E00304BBEB10AF959C87BAE7674DB05704F14447EFA057A2C3E67E9A94875E

Function 00403715 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2435336357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2435314147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000554000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000753000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000775000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000777000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.000000000077A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435747810.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_relHAD3zcZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1448603bb514f6798103ee79b9361ae12dc3f182769bd9b5d80f04e897fb358
Instruction ID: 5b2474a58eb6ecf5e8ee7689b901e5cb5194060f5039812c91dd22467b88b469
Opcode Fuzzy Hash: e1448603bb514f6798103ee79b9361ae12dc3f182769bd9b5d80f04e897fb358
Instruction Fuzzy Hash: CA91C4F1A812968BEF00CF98DCC0788B7F1EF69324B291475D446AB305D378B961DB26

Function 004101D1 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2435336357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2435314147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000554000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000753000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000775000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000777000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.000000000077A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435747810.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_relHAD3zcZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e01d52b3f5a2c2a3cd8f778ca885323816f5a6ee4f92dd33149609aa59ee486f
Instruction ID: b88e2bd6fd1ca1628144a601794cae4bf05a4ad8f682a500d3043fdec322f454
Opcode Fuzzy Hash: e01d52b3f5a2c2a3cd8f778ca885323816f5a6ee4f92dd33149609aa59ee486f
Instruction Fuzzy Hash: 665124B1E40309BBFB10EFD5DC82BEF76789B08704F14046AFA0576283D6BA5A548769

Function 004043C4 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2435336357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2435314147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000554000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000753000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000775000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000777000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.000000000077A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435747810.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_relHAD3zcZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0e775395cf43e6964219725530f3648fd6b132392004b227a739a1259a15021
Instruction ID: 6401024d46b81d90f8346c78a797377b66766c4a9de7d8e6d9f1c005efbae3e7
Opcode Fuzzy Hash: a0e775395cf43e6964219725530f3648fd6b132392004b227a739a1259a15021
Instruction Fuzzy Hash: 4A5184B0E40204BBEB10DF54CC46BAF76B5EB45705F204069FA04BB2C1D7BA9A509B99

Function 00416214 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2435336357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2435314147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000554000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000753000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000775000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000777000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.000000000077A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435747810.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_relHAD3zcZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4d16117458dde9d9cadd79bcdc7b513f57b893506d9d79d67e6249db3d5d431
Instruction ID: d242e82cd6c2e03d38c6ecd5e3e0467240955d1badc62eb8e8bc0c122857bea4
Opcode Fuzzy Hash: a4d16117458dde9d9cadd79bcdc7b513f57b893506d9d79d67e6249db3d5d431
Instruction Fuzzy Hash: 0B5162B1E00248ABEB10EFD19C82BAEB774AF15304F04506EED056A246EB39D954CB5E

Function 00408D8E Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2435336357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2435314147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000554000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000753000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000775000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000777000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.000000000077A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435747810.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_relHAD3zcZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e7e317af2fee2d3cdd2a96a3b7e6aa87ea88462c862f9b9610d139e1ed6a783
Instruction ID: 926ac24c032c15440cbe1984d9cdebc81a29634592fe583ab1b32ea767d7874e
Opcode Fuzzy Hash: 3e7e317af2fee2d3cdd2a96a3b7e6aa87ea88462c862f9b9610d139e1ed6a783
Instruction Fuzzy Hash: 225136B1E00209BBEF10EED59CC2BEF77789F18704F14046EFA0576243EABA59508769

Function 004175DB Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2435336357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2435314147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000554000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000753000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000775000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000777000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.000000000077A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435747810.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_relHAD3zcZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf46e189f5465f85100945c5eed0fe79f89f462e253993eb95487846dc238c13
Instruction ID: 3c6168271248dae951a11ad56e0276ac5708e7fc9e6063bc9bdb6b949a150bd5
Opcode Fuzzy Hash: bf46e189f5465f85100945c5eed0fe79f89f462e253993eb95487846dc238c13
Instruction Fuzzy Hash: 742165BBE0D1049EF72C89599D41777E279D393355F21B23EF809A7380E56ADD044298

Function 00406BA6 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2435336357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2435314147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000554000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000753000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000775000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000777000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.000000000077A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435747810.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_relHAD3zcZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfc585dc7234f6fdf23e9a36d6242ab7acf3c4a2738eb3e94627964d73ccfaa7
Instruction ID: 8bfe080a1399834e691433c6d4488b6924b072f0c3336af115c738aeaf0bd758
Opcode Fuzzy Hash: cfc585dc7234f6fdf23e9a36d6242ab7acf3c4a2738eb3e94627964d73ccfaa7
Instruction Fuzzy Hash: F8517AB1E00208EBDF10EF94CC81B9DBBB1EF09301F15806AE915BB381E7799A60CB55

Function 0041B3D0 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2435336357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2435314147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000554000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000753000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000775000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000777000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.000000000077A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435747810.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_relHAD3zcZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a44c547742c94f4b1569999ad98df017118bdc67c2271eca46a9cb05b73d83fd
Instruction ID: 2a69bc5233e9f3735eb1ab5c3fff0efb647c49a8ed2c5c19a6f86c84073de4a5
Opcode Fuzzy Hash: a44c547742c94f4b1569999ad98df017118bdc67c2271eca46a9cb05b73d83fd
Instruction Fuzzy Hash: 97513070D00309EBDF10DF91D986BADBB70FF09704F1081AAE5043A296D7795B64DB9A

Function 00416287 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2435336357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2435314147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000554000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000753000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000775000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000777000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.000000000077A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435747810.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_relHAD3zcZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d7da42f71fa4bbd20913e883035befd50b656fef4c86f0554de2f6f87197ba0
Instruction ID: 43490568caae57eb563070e61fb3b66f6cd0bf92174836ea117702554d226c17
Opcode Fuzzy Hash: 1d7da42f71fa4bbd20913e883035befd50b656fef4c86f0554de2f6f87197ba0
Instruction Fuzzy Hash: D7315EB0D00288ABDF10EFD1DC86BAEFB74AF06301F44502AE9097A246D739D954CB5E

Function 0040F0E0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2435336357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2435314147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000554000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000753000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000775000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000777000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.000000000077A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435747810.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_relHAD3zcZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f3d0b8277c57361a8a64d46cd33f4a42cf3d91bd99ebf2bdabe953b67774724
Instruction ID: 97507e5ba1265d151a079db44ecdec2e8cb32075d47ce780c16f6b9bf176a1cc
Opcode Fuzzy Hash: 2f3d0b8277c57361a8a64d46cd33f4a42cf3d91bd99ebf2bdabe953b67774724
Instruction Fuzzy Hash: FE3151B1E00608EBEB00DF98D88579EBB75FB48300F1140B5E644BB786D77A9E21CB55

Function 0040779C Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2435336357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2435314147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000554000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000753000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000775000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000777000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.000000000077A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435747810.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_relHAD3zcZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23ee42f64ba33388468c90fc0c0651894ca576feaabdb50975f340da54fb0bc5
Instruction ID: 90b6c74fac9375f3d7f751043d072d04a17209f0280da37cb46e3236d58fa9f3
Opcode Fuzzy Hash: 23ee42f64ba33388468c90fc0c0651894ca576feaabdb50975f340da54fb0bc5
Instruction Fuzzy Hash: 263186F1D4030567EB00EF909C42BBF7274AB06711F54153AFA057A1C2E7B59A00C7AB

Function 0041DA72 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2435336357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2435314147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000554000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000753000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000775000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000777000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.000000000077A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435747810.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_relHAD3zcZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35c5798122a819af679a51882e9018e4b5c90e29fe3fc4b0a50e4ed72f5f0723
Instruction ID: 7377222a322fce43068a1ecf4ef6f62a0519461588d272c96a18b811bb95c126
Opcode Fuzzy Hash: 35c5798122a819af679a51882e9018e4b5c90e29fe3fc4b0a50e4ed72f5f0723
Instruction Fuzzy Hash: 11210BF1F00200B7FB10AA94DC42B5E7668DB05304F10047AFA05EB382DABF9E50831D

Function 0041D06D Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2435336357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2435314147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000554000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000753000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000775000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000777000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.000000000077A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435747810.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_relHAD3zcZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c81e033b83d17a81b7d34c4cef752730fd6ab389a6556d4e7e5376d98a30a707
Instruction ID: 6d9f206851a2ebe7234f815d6b0eb9d4f55abc57e9b53a0c6966c7980bd8d7d7
Opcode Fuzzy Hash: c81e033b83d17a81b7d34c4cef752730fd6ab389a6556d4e7e5376d98a30a707
Instruction Fuzzy Hash: 3F311CB0E00609EBEB109F95D8893EEBB70FB04305F5140B6E6446B3C6C77A4EA5CB49

Function 0041C124 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2435336357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2435314147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000554000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000753000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000775000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000777000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.000000000077A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435747810.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_relHAD3zcZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9b1e0664baca1a557c6f0b1f0337c0675aa1a16c2312898e552a8fe33e31489
Instruction ID: 09eb35e4ef591c61aa3c3f3a2f8fe05635ae949ace8cc2eb37de184a2055b208
Opcode Fuzzy Hash: a9b1e0664baca1a557c6f0b1f0337c0675aa1a16c2312898e552a8fe33e31489
Instruction Fuzzy Hash: FC1108ABB4852143F728887D8C467935056D395315F06D338EE5DAB387E6AFDC0197C8

Function 0041B5DC Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2435336357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2435314147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000554000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000753000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000775000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000777000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.000000000077A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435747810.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_relHAD3zcZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b62bc35893a65d55b9fda1bf1c39353afcf1ece532b3f6e3b688fc119953681
Instruction ID: 6348cde7c1577683ab1a0485c995ffef3a20a10bf46cea120faebe73028598a8
Opcode Fuzzy Hash: 0b62bc35893a65d55b9fda1bf1c39353afcf1ece532b3f6e3b688fc119953681
Instruction Fuzzy Hash: F92168B1E00208BBEB00EF95DC42B9EB7B8DB15710F14846AF904B7291D7799650DB9E

Function 004063AC Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2435336357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2435314147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000554000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000753000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000775000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000777000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.000000000077A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435747810.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_relHAD3zcZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2f74b43ad871bc4398d9b73d035cdb2b548b9704b5160dbde7b90fe33cd95c6
Instruction ID: 06b9ce842731fdd99acfe749e270a9144e3ac017c84252b1e77696f020920af7
Opcode Fuzzy Hash: e2f74b43ad871bc4398d9b73d035cdb2b548b9704b5160dbde7b90fe33cd95c6
Instruction Fuzzy Hash: D3215871D00208BBDB00EF91D8857AEBBB4EF09310F54847AE905B6292DA3A9660DB5D

Function 0041B2DF Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2435336357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2435314147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000554000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000753000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000775000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000777000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.000000000077A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435747810.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_relHAD3zcZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0423bc3dc47d69bffaa693880723e561cb3a921a1b92a83c3facbe6f66e4c44
Instruction ID: 3d6e2089af3d1dab0794be3441907f119da8893632661a64f839bb9062788d2d
Opcode Fuzzy Hash: b0423bc3dc47d69bffaa693880723e561cb3a921a1b92a83c3facbe6f66e4c44
Instruction Fuzzy Hash: 9E116670E40208BBFB10AE41CC46BAEB674DB05700F10506AFE147A2C1E3769A71979E

Function 0040EAAD Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2435336357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2435314147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000554000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000753000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000775000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000777000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.000000000077A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435747810.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_relHAD3zcZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2820b30d4c565fb937195bf46edb0f41498c800b8950ea4d3644e65a7c3886f
Instruction ID: a2fb784504f8a8a3902b33b6d60ec60f0d23d91dda01478ab6a38b7716d48026
Opcode Fuzzy Hash: a2820b30d4c565fb937195bf46edb0f41498c800b8950ea4d3644e65a7c3886f
Instruction Fuzzy Hash: 7A1136B1E00204BBDB10EF95DC81F5E7BB89B08700F14446AF909F7242D675EA20D769

Function 0041010C Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2435336357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2435314147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000554000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000753000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000775000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000777000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.000000000077A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435747810.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_relHAD3zcZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4f0fa4ca8198e1efc03b422a63e1ea1aa6145761f2eb0f63016bb09ca330a9d
Instruction ID: b67b96ce003100dc246c1c464901e81ce154fe7abf1213b5af5851881dea14bb
Opcode Fuzzy Hash: e4f0fa4ca8198e1efc03b422a63e1ea1aa6145761f2eb0f63016bb09ca330a9d
Instruction Fuzzy Hash: 5A118971E00308BBEB10EE94D8817DF77F89B08700F14446FA905F7242DABE9B80975A

Function 0041044A Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2435336357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2435314147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000554000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000753000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000775000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000777000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.000000000077A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435747810.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_relHAD3zcZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a93a7e77e59c8d5da8744749874c6411d18a362ba298b69d7434560a9ee9b2b8
Instruction ID: 257104642ca7af708f08e94d95703c5f6a02fdeafaa74c8d66262e73c466a285
Opcode Fuzzy Hash: a93a7e77e59c8d5da8744749874c6411d18a362ba298b69d7434560a9ee9b2b8
Instruction Fuzzy Hash: F21116B1D00208FBEF40EF95DCC27ADBB75EB0D304F5404A9EA09B7242D6765A60D75A

Function 00406498 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2435336357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2435314147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000554000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000753000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000775000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000777000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.000000000077A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435747810.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_relHAD3zcZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69e556a272593e2d59c1519359d837019610b919754e3338ef1be60c63e911b5
Instruction ID: 65a96fcf9b82fe8f7e8061fe9d5a7e250d0600133360beac7e64152158ff10b7
Opcode Fuzzy Hash: 69e556a272593e2d59c1519359d837019610b919754e3338ef1be60c63e911b5
Instruction Fuzzy Hash: 6C11E9B1E00305BBEB10EEA59C82B6E7AB89F08710F10047EB905B7282D97A9B109759

Function 0040F25E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2435336357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2435314147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000554000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000753000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000775000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000777000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.000000000077A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435747810.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_relHAD3zcZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 485136267ac59f216d3d764f11821a28f9a0b7710580cc97e570fd1be8c548b2
Instruction ID: dc57686a0403f1bd6d68866cf213408c5da5965c117cd3a002c856ba0298d7b7
Opcode Fuzzy Hash: 485136267ac59f216d3d764f11821a28f9a0b7710580cc97e570fd1be8c548b2
Instruction Fuzzy Hash: 9A014CB5E00304BBDB20EF95D88275E77B89B04704F1404BEE904F7682E67A9A549759

Function 0041D9E7 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2435336357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2435314147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000554000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000753000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000775000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000777000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.000000000077A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435747810.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_relHAD3zcZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fa76675918d928f55cf30fa9180074ba2cbc3fe0bc0853a68ac1afef536715b
Instruction ID: 7df0963e5d91a3745cf66061944a6108ed27309680b74e65e98d7c96ea61830a
Opcode Fuzzy Hash: 0fa76675918d928f55cf30fa9180074ba2cbc3fe0bc0853a68ac1afef536715b
Instruction Fuzzy Hash: F2013CB4C0420DEBDB00AF91E90A6BEFF35EF0A301F4090A6E94836155DB358974CB9E

Function 00413FD5 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2435336357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2435314147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000554000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000753000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000775000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000777000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.000000000077A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435747810.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_relHAD3zcZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad21abe67bfa5ebfda72366619c41eb7e567264fe68654d6c45afd00b8512549
Instruction ID: 1538fd334fd8d5b18938912fe112f442cb5fe39bd35c3718097a4c62dd4999a0
Opcode Fuzzy Hash: ad21abe67bfa5ebfda72366619c41eb7e567264fe68654d6c45afd00b8512549
Instruction Fuzzy Hash: 28F01D70D00208EBDB209F96D5097ADBF70AB55315F10916AFA042B241D3798AD4DB8A

Function 0040369A Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2435336357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2435314147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000554000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000753000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000775000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000777000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.000000000077A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435747810.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_relHAD3zcZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37e3a9dac4e8533a66affaa22897ecb6a1633d42ce5b71db74a77a860bf9714e
Instruction ID: 1510fd9594b03980dcdb4ecaa90162de18fe4dc17c319eaab77e648cb377c62c
Opcode Fuzzy Hash: 37e3a9dac4e8533a66affaa22897ecb6a1633d42ce5b71db74a77a860bf9714e
Instruction Fuzzy Hash: 11F082F4D04204EBDB206F559805369BF68970231AF50847BE8157B3C1EA7E9E909B5F

Function 0041C259 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2435336357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2435314147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000554000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000753000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000775000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000777000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.000000000077A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435747810.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_relHAD3zcZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91f2ef88f37add05fe51f35fd8835769468560016835b54fa2f889d03140e1d6
Instruction ID: b5c8622eba6a1d4c62218ab3e2fb2c8cfc6d879a5b06f785ed8c1b495571e31e
Opcode Fuzzy Hash: 91f2ef88f37add05fe51f35fd8835769468560016835b54fa2f889d03140e1d6
Instruction Fuzzy Hash: 01F01C75D40208FBDF01DFC0D986BADBB70EB0A301F108096FE042B255D7369A60EB9A

Function 00417580 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2435336357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2435314147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000554000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000753000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000775000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000777000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.000000000077A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435747810.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_relHAD3zcZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85797b068f4bb6610bd9594c05105076659b06d7cbe832c6209baaf97dc7f351
Instruction ID: 3fb6875babefb6dc2a17b00c699a479ccefe0f3ec2d17ae3e3bffb0cfbd206bc
Opcode Fuzzy Hash: 85797b068f4bb6610bd9594c05105076659b06d7cbe832c6209baaf97dc7f351
Instruction Fuzzy Hash: 17F06DB0C0530CEFDB10EF94D5497ADBBF4EB05304F1040EAE90867641D6399B84DB8A

Function 004166EE Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2435336357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2435314147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000554000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000753000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000775000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000777000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.000000000077A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435747810.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_relHAD3zcZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8558af8c775f9acc3bf976d44ec584bfc36636add3116415d92e98b4e2ad770c
Instruction ID: f5e87a5835ed8c76691636080be98a9a213418e973ce79ee1ae72dec0f2374e0
Opcode Fuzzy Hash: 8558af8c775f9acc3bf976d44ec584bfc36636add3116415d92e98b4e2ad770c
Instruction Fuzzy Hash: E0E09270C00208EBDB00EF80D881BADFBB8EB05300F1040A6EC1467240D7319B54DB9A

Function 0040EA66 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2435336357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2435314147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000554000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000753000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000775000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000777000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.000000000077A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435747810.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_relHAD3zcZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3740684328f3c2b5b73884e3dcd3e207f3cfb860b9725d0531b8cfca243250b1
Instruction ID: 02eee16681c1e37ab96b23d47917697cc95c6141cfce2dcdec786d99f834db96
Opcode Fuzzy Hash: 3740684328f3c2b5b73884e3dcd3e207f3cfb860b9725d0531b8cfca243250b1
Instruction Fuzzy Hash: ACE04871D04308E7CB10EF95D40676DF775AB0A311F008576A915271C1D6395A64DF9A

Function 00405EC8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2435336357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2435314147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000554000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000753000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000775000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000777000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.000000000077A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435747810.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_relHAD3zcZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03f16cbbb4f22355c05b6942daafa1a6575a64162e7079f04447e16a831f4ebb
Instruction ID: 0e1755613dae52a8bc33d119d43c5049f300ceb8ed486969c1a1106ee44bab6a
Opcode Fuzzy Hash: 03f16cbbb4f22355c05b6942daafa1a6575a64162e7079f04447e16a831f4ebb
Instruction Fuzzy Hash: 02D01270C45144EACB10AF51E90666EBE30D717311F10517BE94536592D9374A25AB8B

Function 00405EC9 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2435336357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2435314147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000554000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000753000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000775000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000777000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.000000000077A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435747810.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_relHAD3zcZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2ad83fba080f8fbaa571dc007115a5d4f1ab2afece6bb0d989b83be7ded60e5
Instruction ID: c261a3ae1bc98468f8ac1d31002f17127329c5d8380d1be64c22c0b4c0f9962a
Opcode Fuzzy Hash: a2ad83fba080f8fbaa571dc007115a5d4f1ab2afece6bb0d989b83be7ded60e5
Instruction Fuzzy Hash: F2D05E70C05208E7C600AF91E90663FBE38E713301F40907BA94536182DE378A25ABDF

Function 0041B5A6 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2435336357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2435314147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000554000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000753000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000775000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.0000000000777000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435336357.000000000077A000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2435747810.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_relHAD3zcZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0b0be24c4b633d186ed113a13b6d306fb0af2c5c58a47359fe0eb666398b77c
Instruction ID: 052b092b731a9ccad65a39be84a1aca9cbb92350381547c8f1eb005729e75213
Opcode Fuzzy Hash: b0b0be24c4b633d186ed113a13b6d306fb0af2c5c58a47359fe0eb666398b77c
Instruction Fuzzy Hash: 70D05E71C05208F7C611AF51A90667DFB35EB13301F4091ABB84426141EB368A6597DF

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report relHAD3zcZ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_relHAD3zcZ.exe_3f3a4de3cefcddd217d3b74e32a13259cf428_197426d3_1ecb25d3-56db-4679-b7b6-ef8678d66f11\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCA94.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCB41.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCC1D.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
relHAD3zcZ.exe