Windows Analysis Report
7fqul5Zr8Y.exe

Overview

General Information

Sample name: 7fqul5Zr8Y.exe
renamed because original name is a hash value
Original sample name: 3eedbe2eb477c09502ef6f9b609248f8.exe
Analysis ID: 1585774
MD5: 3eedbe2eb477c09502ef6f9b609248f8
SHA1: 1463b762d176f593fc098fb5e7433d02fd8afba1
SHA256: 5fdd2c9b92870b41096efa398f9d5f5e4fbbcb0938704fe4370f40d10b6e1149
Tags: exe, user-abuse_ch

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
AI detected suspicious sample
Contains functionality to capture screen (.Net source)
Machine Learning detection for sample
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 7fqul5Zr8Y.exe (PID: 6732 cmdline: "C:\Users\user\Desktop\7fqul5Zr8Y.exe" MD5: 3EEDBE2EB477C09502EF6F9B609248F8)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: 7fqul5Zr8Y.exe | ReversingLabs: Detection: 55%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 7fqul5Zr8Y.exe | Joe Sandbox ML: detected
Source: 7fqul5Zr8Y.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: global traffic | TCP traffic: 192.168.2.8:49705 -> 147.185.221.24:58068
Source: Joe Sandbox View | IP Address: 147.185.221.24
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: coprophile.bounceme.net
Source: global traffic | DNS traffic detected: DNS query: board-proceeding.gl.at.ply.gg
Source: 7fqul5Zr8Y.exe, 00000000.00000002.2653812464.00000000036A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 7fqul5Zr8Y.exe, Methods.cs | .Net Code: CaptureResizeReduceQuality
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Code function: 0_2_00007FFB4B2578E0 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Code function: 0_2_00007FFB4B25ACD9 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Code function: 0_2_00007FFB4B2505D0
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Code function: 0_2_00007FFB4B25A450
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Code function: 0_2_00007FFB4B2562A2
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Code function: 0_2_00007FFB4B2554F6
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Code function: 0_2_00007FFB4B2580E9
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Code function: 0_2_00007FFB4B251750
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Code function: 0_2_00007FFB4B2589B6
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Code function: 0_2_00007FFB4B253A14
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Code function: 0_2_00007FFB4B25A43D
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Code function: 0_2_00007FFB4B25B248
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Code function: 0_2_00007FFB4B2594EE
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Code function: 0_2_00007FFB4B25953D
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Code function: 0_2_00007FFB4B251739
Source: 7fqul5Zr8Y.exe | Static PE information: No import functions for PE file found
Source: 7fqul5Zr8Y.exe, 00000000.00000000.1405271512.0000000000358000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameClient.exe. vs 7fqul5Zr8Y.exe
Source: 7fqul5Zr8Y.exe | Binary or memory string: OriginalFilenameClient.exe. vs 7fqul5Zr8Y.exe
Source: 7fqul5Zr8Y.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 7fqul5Zr8Y.exe, Config.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 7fqul5Zr8Y.exe, Config.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 7fqul5Zr8Y.exe, SecrityHidden.cs | Security API names: File.GetAccessControl
Source: 7fqul5Zr8Y.exe, SecrityHidden.cs | Security API names: File.SetAccessControl
Source: 7fqul5Zr8Y.exe, SecrityHidden.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: classification engine | Classification label: mal76.spyw.evad.winEXE@1/0@2/1
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Mutant created: \Sessions\1\BaseNamedObjects\NULL
Source: 7fqul5Zr8Y.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 7fqul5Zr8Y.exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 7fqul5Zr8Y.exe | ReversingLabs: Detection: 55%
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: 7fqul5Zr8Y.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 7fqul5Zr8Y.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: 7fqul5Zr8Y.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: 7fqul5Zr8Y.exe, PluginLoader.cs | .Net Code: Load System.AppDomain.Load(byte[])
Source: 7fqul5Zr8Y.exe, PluginLoader.cs | .Net Code: Load
Source: 7fqul5Zr8Y.exe, EncryptString.cs | .Net Code: MoveNext System.Reflection.Assembly.Load(byte[])
Source: 7fqul5Zr8Y.exe, AsmiAndETW.cs | .Net Code: AggresivAmsiActivate System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Code function: 0_2_00007FFB4B2500BD pushad ; iretd 0_2_00007FFB4B2500C1
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Code function: 0_2_00007FFB4B25B4FD push eax; retn 0040h 0_2_00007FFB4B25B4FE
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Code function: 0_2_00007FFB4B25B505 push esp; retn 0040h 0_2_00007FFB4B25B506
Source: 7fqul5Zr8Y.exe | Static PE information: section name: .text entropy: 7.41686521078192
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Process information set: NOOPENFILEERRORBOX (46 identical entries)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE PNPClass = 'Camera'
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive (3 identical entries)
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Memory allocated: C80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Memory allocated: 1B690000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Window / User API: threadDelayed 391
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe TID: 3568 | Thread sleep count: 391 > 30
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe TID: 3568 | Thread sleep count: 91 > 30
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: 7fqul5Zr8Y.exe, 00000000.00000002.2653714619.0000000003180000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll #
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Queries volume information: C:\Users\user\Desktop\7fqul5Zr8Y.exe VolumeInformation
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: 7fqul5Zr8Y.exe, 00000000.00000002.2653357165.0000000000C54000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\7fqul5Zr8Y.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
ATT&CK Matrix (one tactic per line; cell text as extracted from the grid, numeric prefixes included)

  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
  • Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
  • Execution: 221 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd
  • Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
  • Privilege Escalation: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
  • Defense Evasion: 33 Virtualization/Sandbox Evasion; 1 Disable or Modify Tools; 2 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
  • Discovery: 331 Security Software Discovery; 33 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 213 System Information Discovery; Internet Connection Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
  • Collection: 1 Screen Capture; 1 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging
  • Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 1 Application Layer Protocol; Fallback Channels
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact

Source | Detection | Scanner | Label | Link
7fqul5Zr8Y.exe | 55% | ReversingLabs | ByteCode-MSIL.Backdoor.Crysan |
7fqul5Zr8Y.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
board-proceeding.gl.at.ply.gg | 147.185.221.24 | true | false | | unknown
coprophile.bounceme.net | unknown | unknown | false | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 7fqul5Zr8Y.exe, 00000000.00000002.2653812464.00000000036A6000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
147.185.221.24 | board-proceeding.gl.at.ply.gg | United States | | 12087 | SALSGIVERUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1585774
Start date and time: 2025-01-08 08:48:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 13s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 7fqul5Zr8Y.exe
renamed because original name is a hash value
Original Sample Name: 3eedbe2eb477c09502ef6f9b609248f8.exe
Detection: MAL
Classification: mal76.spyw.evad.winEXE@1/0@2/1
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 95%
  • Number of executed functions: 11
  • Number of non-executed functions: 4
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
  • Excluded IPs from analysis (whitelisted): 20.12.23.50
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
  • VT rate limit hit for: 7fqul5Zr8Y.exe
No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
147.185.221.24 | loader.exe | malicious | Unknown |
 | loader.exe | malicious | Unknown |
 | P3A946MOFP.exe | malicious | XWorm |
 | BootstrapperV1.16.exe | malicious | XWorm |
 | SharkHack.exe | malicious | XWorm |
 | avaydna.exe | malicious | Njrat |
 | ddos tool.exe | malicious | XWorm |
 | L988Ph5sKX.exe | malicious | XWorm |
 | ANuh30XoVu.exe | malicious | XWorm |
 | p59UXHJRX3.exe | malicious | XenoRAT |
No context

Match | Associated Sample Name / URL | Detection | Threat Name | Context
SALSGIVERUS | miori.arm.elf | malicious | Unknown | 147.168.252.34
 | miori.m68k.elf | malicious | Unknown | 147.184.86.253
 | loader.exe | malicious | Unknown | 147.185.221.24
 | loader.exe | malicious | Unknown | 147.185.221.24
 | My33xbeYIX.exe | malicious | Njrat | 147.185.221.16
 | YPzNsfg4nR.exe | malicious | XWorm | 147.185.221.21
 | sela.exe | malicious | Njrat | 147.185.221.17
 | P3A946MOFP.exe | malicious | XWorm | 147.185.221.24
 | BootstrapperV1.16.exe | malicious | XWorm | 147.185.221.24
 | SharkHack.exe | malicious | XWorm | 147.185.221.24
No context
No context
No created / dropped files found
File type: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.396305667741602
TrID:
  • Win64 Executable GUI Net Framework (217006/5) 49.88%
  • Win64 Executable GUI (202006/5) 46.43%
  • Win64 Executable (generic) (12005/4) 2.76%
  • Generic Win/DOS Executable (2004/3) 0.46%
  • DOS Executable Generic (2002/1) 0.46%
File name: 7fqul5Zr8Y.exe
File size: 218'112 bytes
MD5: 3eedbe2eb477c09502ef6f9b609248f8
SHA1: 1463b762d176f593fc098fb5e7433d02fd8afba1
SHA256: 5fdd2c9b92870b41096efa398f9d5f5e4fbbcb0938704fe4370f40d10b6e1149
SHA512: 615f4b5c5d265d50f8231086e7d0b3999e34ba5a4c45268d1ce4d3e5f34e1c57164ede5cbe69859fe6458520ffca8c32acdc308a316bcb70ff70e337389cfcad
SSDEEP: 6144:N/zEiqKNsqA+sPn1TOuXnzJwwgdiK1OG85G6b:hjX+173trgdiKq5G
TLSH: 16248D0A7E41E714C84A3E7783DF190147B2A5E31671D2443F8EDFE097452AB6E2AB6C
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...a..f.........."...0..L............... .....@..... ....................................@...@......@............... .....
Icon Hash: 00928e8e8686b000
Entrypoint: 0x140000000
Entrypoint Section:
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x66CCF161 [Mon Aug 26 21:19:29 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash:
Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x38000 | 0x596 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x34ae8 | 0x34c00 | 355fd9474dc51238d24ce3082a66731d | False | 0.7980366928317536 | data | 7.41686521078192 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x38000 | 0x596 | 0x600 | f6b3b3ee59efb2408068efe50f586edd | False | 0.4134114583333333 | data | 4.028240003183883 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x380a0 | 0x30c | data | | | 0.4269230769230769
RT_MANIFEST | 0x383ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 8, 2025 08:49:07.164968014 CET | 49705 | 58068 | 192.168.2.8 | 147.185.221.24
Jan 8, 2025 08:49:07.169846058 CET | 58068 | 49705 | 147.185.221.24 | 192.168.2.8
Jan 8, 2025 08:49:07.169960976 CET | 49705 | 58068 | 192.168.2.8 | 147.185.221.24
Jan 8, 2025 08:49:07.195135117 CET | 49705 | 58068 | 192.168.2.8 | 147.185.221.24
Jan 8, 2025 08:49:07.199933052 CET | 58068 | 49705 | 147.185.221.24 | 192.168.2.8
Jan 8, 2025 08:49:28.511873960 CET | 58068 | 49705 | 147.185.221.24 | 192.168.2.8
Jan 8, 2025 08:49:28.512131929 CET | 49705 | 58068 | 192.168.2.8 | 147.185.221.24
Jan 8, 2025 08:49:28.734189987 CET | 49705 | 58068 | 192.168.2.8 | 147.185.221.24
Jan 8, 2025 08:49:28.739010096 CET | 58068 | 49705 | 147.185.221.24 | 192.168.2.8
Jan 8, 2025 08:49:28.739192963 CET | 49708 | 58068 | 192.168.2.8 | 147.185.221.24
Jan 8, 2025 08:49:28.744019032 CET | 58068 | 49708 | 147.185.221.24 | 192.168.2.8
Jan 8, 2025 08:49:28.744143963 CET | 49708 | 58068 | 192.168.2.8 | 147.185.221.24
Jan 8, 2025 08:49:28.748745918 CET | 49708 | 58068 | 192.168.2.8 | 147.185.221.24
Jan 8, 2025 08:49:28.753643036 CET | 58068 | 49708 | 147.185.221.24 | 192.168.2.8
Jan 8, 2025 08:49:50.124375105 CET | 58068 | 49708 | 147.185.221.24 | 192.168.2.8
Jan 8, 2025 08:49:50.124516964 CET | 49708 | 58068 | 192.168.2.8 | 147.185.221.24
Jan 8, 2025 08:49:50.327557087 CET | 49708 | 58068 | 192.168.2.8 | 147.185.221.24
Jan 8, 2025 08:49:50.328876019 CET | 49709 | 58068 | 192.168.2.8 | 147.185.221.24
Jan 8, 2025 08:49:50.332366943 CET | 58068 | 49708 | 147.185.221.24 | 192.168.2.8
Jan 8, 2025 08:49:50.333729982 CET | 58068 | 49709 | 147.185.221.24 | 192.168.2.8
Jan 8, 2025 08:49:50.333842993 CET | 49709 | 58068 | 192.168.2.8 | 147.185.221.24
Jan 8, 2025 08:49:50.334232092 CET | 49709 | 58068 | 192.168.2.8 | 147.185.221.24
Jan 8, 2025 08:49:50.339063883 CET | 58068 | 49709 | 147.185.221.24 | 192.168.2.8
Jan 8, 2025 08:50:11.716499090 CET | 58068 | 49709 | 147.185.221.24 | 192.168.2.8
Jan 8, 2025 08:50:11.716624022 CET | 49709 | 58068 | 192.168.2.8 | 147.185.221.24
Jan 8, 2025 08:50:11.921246052 CET | 49709 | 58068 | 192.168.2.8 | 147.185.221.24
Jan 8, 2025 08:50:11.922180891 CET | 49711 | 58068 | 192.168.2.8 | 147.185.221.24
Jan 8, 2025 08:50:11.926079035 CET | 58068 | 49709 | 147.185.221.24 | 192.168.2.8
Jan 8, 2025 08:50:11.927001953 CET | 58068 | 49711 | 147.185.221.24 | 192.168.2.8
Jan 8, 2025 08:50:11.927076101 CET | 49711 | 58068 | 192.168.2.8 | 147.185.221.24
Jan 8, 2025 08:50:11.927361012 CET | 49711 | 58068 | 192.168.2.8 | 147.185.221.24
Jan 8, 2025 08:50:11.932116985 CET | 58068 | 49711 | 147.185.221.24 | 192.168.2.8
Jan 8, 2025 08:50:33.277769089 CET | 58068 | 49711 | 147.185.221.24 | 192.168.2.8
Jan 8, 2025 08:50:33.277923107 CET | 49711 | 58068 | 192.168.2.8 | 147.185.221.24
Jan 8, 2025 08:50:33.483798027 CET | 49711 | 58068 | 192.168.2.8 | 147.185.221.24
Jan 8, 2025 08:50:33.484945059 CET | 49714 | 58068 | 192.168.2.8 | 147.185.221.24
Jan 8, 2025 08:50:33.488540888 CET | 58068 | 49711 | 147.185.221.24 | 192.168.2.8
Jan 8, 2025 08:50:33.489762068 CET | 58068 | 49714 | 147.185.221.24 | 192.168.2.8
Jan 8, 2025 08:50:33.489835978 CET | 49714 | 58068 | 192.168.2.8 | 147.185.221.24
Jan 8, 2025 08:50:33.490195036 CET | 49714 | 58068 | 192.168.2.8 | 147.185.221.24
Jan 8, 2025 08:50:33.495153904 CET | 58068 | 49714 | 147.185.221.24 | 192.168.2.8
Jan 8, 2025 08:50:54.888149023 CET | 58068 | 49714 | 147.185.221.24 | 192.168.2.8
Jan 8, 2025 08:50:54.888263941 CET | 49714 | 58068 | 192.168.2.8 | 147.185.221.24
Jan 8, 2025 08:50:55.093413115 CET | 49714 | 58068 | 192.168.2.8 | 147.185.221.24
Jan 8, 2025 08:50:55.094448090 CET | 49715 | 58068 | 192.168.2.8 | 147.185.221.24
Jan 8, 2025 08:50:55.098210096 CET | 58068 | 49714 | 147.185.221.24 | 192.168.2.8
Jan 8, 2025 08:50:55.099267960 CET | 58068 | 49715 | 147.185.221.24 | 192.168.2.8
Jan 8, 2025 08:50:55.099345922 CET | 49715 | 58068 | 192.168.2.8 | 147.185.221.24
                            Jan 8, 2025 08:50:55.099729061 CET4971558068192.168.2.8147.185.221.24
                            Jan 8, 2025 08:50:55.104543924 CET5806849715147.185.221.24192.168.2.8
Timestamp                           Source Port  Dest Port  Source IP    Dest IP
Jan 8, 2025 08:49:07.044029951 CET  63538        53         192.168.2.8  1.1.1.1
Jan 8, 2025 08:49:07.052315950 CET  53           63538      1.1.1.1      192.168.2.8
Jan 8, 2025 08:49:07.147067070 CET  61932        53         192.168.2.8  1.1.1.1
Jan 8, 2025 08:49:07.160196066 CET  53           61932      1.1.1.1      192.168.2.8

Timestamp                           Source IP    Dest IP  Trans ID  OP Code             Name                           Type            Class        DNS over HTTPS
Jan 8, 2025 08:49:07.044029951 CET  192.168.2.8  1.1.1.1  0x90b7    Standard query (0)  coprophile.bounceme.net        A (IP address)  IN (0x0001)  false
Jan 8, 2025 08:49:07.147067070 CET  192.168.2.8  1.1.1.1  0xead     Standard query (0)  board-proceeding.gl.at.ply.gg  A (IP address)  IN (0x0001)  false

Timestamp                           Source IP  Dest IP      Trans ID  Reply Code    Name                           CName  Address         Type            Class        DNS over HTTPS
Jan 8, 2025 08:49:07.160196066 CET  1.1.1.1    192.168.2.8  0xead     No error (0)  board-proceeding.gl.at.ply.gg  -      147.185.221.24  A (IP address)  IN (0x0001)  false


Target ID: 0
Start time: 02:49:05
Start date: 08/01/2025
Path: C:\Users\user\Desktop\7fqul5Zr8Y.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\7fqul5Zr8Y.exe"
Imagebase: 0x320000
File size: 218'112 bytes
MD5 hash: 3EEDBE2EB477C09502EF6F9B609248F8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false


                              Execution Graph

                              Execution Coverage:18.4%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:33.3%
                              Total number of Nodes:24
                              Total number of Limit Nodes:2

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2658099884.00007FFB4B250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B250000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4b250000_7fqul5Zr8Y.jbxd
                              Similarity
                              • API ID: MemoryProtectVirtual
                              • String ID: @$@
                              • API String ID: 2706961497-149943524
                              • Opcode ID: ffb124adb3070e80d7dc16ca247306ae7d8c86d0cca1c59a027e87ce6ed0d10b
                              • Instruction ID: 08a5c659f2b65116fe55d6844a6d04d8cdd225329942261d9d1d0661677128b6
                              • Opcode Fuzzy Hash: ffb124adb3070e80d7dc16ca247306ae7d8c86d0cca1c59a027e87ce6ed0d10b
                              • Instruction Fuzzy Hash: 32712971D0D7494FDB25BB38D8466B97FE0EF56311F0442BBD549C32A2DA386C468782

                              Control-flow Graph

                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2658099884.00007FFB4B250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B250000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4b250000_7fqul5Zr8Y.jbxd
                              Similarity
                              • API ID: MemoryProtectVirtual
                              • String ID:
                              • API String ID: 2706961497-0
                              • Opcode ID: cbf505c8d49ff4076800b85ca2c7de294aedbc6c1211b51797fa2bf54ea34401
                              • Instruction ID: 705d6d57ccdf5bbc56bc23b269ddf634555e1a18f55b57e697ebf8f6f475c804
                              • Opcode Fuzzy Hash: cbf505c8d49ff4076800b85ca2c7de294aedbc6c1211b51797fa2bf54ea34401
                              • Instruction Fuzzy Hash: 87410B7190DB484FDB19AF6CD8466F97BE1EB95320F0442BFD449D3292CA746846C7C2

                              Control-flow Graph

                              Memory Dump Source
                              • Source File: 00000000.00000002.2658099884.00007FFB4B250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B250000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4b250000_7fqul5Zr8Y.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 95e325c447dd0f84c9784137d22629996520957c4a684e4a082efb092e2e1ec8
                              • Instruction ID: c76f0ee7d6c830dd75e37befef7b51a7f354270577f9ebaf328d99209f70b19b
                              • Opcode Fuzzy Hash: 95e325c447dd0f84c9784137d22629996520957c4a684e4a082efb092e2e1ec8
                              • Instruction Fuzzy Hash: 8542B470A1C94A8FDB95FF28C455ABA7BE1FF58310F108579D51DCB2A2CE78A842C781
                              Memory Dump Source
                              • Source File: 00000000.00000002.2658099884.00007FFB4B250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B250000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4b250000_7fqul5Zr8Y.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fe3218bcb44e830d3c5368ecef7586aab87d025bb516df7321deb9ad5700fcc2
                              • Instruction ID: 33ff63eea723484400ac3ef79b8a813793e869cce68cbdaa3cbe4674bf4a70d5
                              • Opcode Fuzzy Hash: fe3218bcb44e830d3c5368ecef7586aab87d025bb516df7321deb9ad5700fcc2
                              • Instruction Fuzzy Hash: 9B02EAA1D0D2860EF76ABA34C9159B53FA0DF1231AF0585FAC68CD70F3ED1C686A8351

                              Control-flow Graph

                              Memory Dump Source
                              • Source File: 00000000.00000002.2658099884.00007FFB4B250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B250000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4b250000_7fqul5Zr8Y.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 89be24bd7421b9a5792e95d645c47ce97387e7d796daf0e07d7024ad63b3510e
                              • Instruction ID: a065c951954dcc627b8ec542ea8ff1d220300a26c432639e4b4b72dbc7661d3f
                              • Opcode Fuzzy Hash: 89be24bd7421b9a5792e95d645c47ce97387e7d796daf0e07d7024ad63b3510e
                              • Instruction Fuzzy Hash: 5BF1A67091CA8E8FEBA9EF28C855BE97BD1FF54310F04826AD84DC7291DF3899458781

                              Control-flow Graph

                              Memory Dump Source
                              • Source File: 00000000.00000002.2658099884.00007FFB4B250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B250000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4b250000_7fqul5Zr8Y.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 973707485c943df5e06001f933f00dcb3386fb14ab9cdd8bd0858e426cac27f1
                              • Instruction ID: bab321dff5fc05670e8d6316b5a8980e6f03c52875b0fa085cd9c2728833cc1f
                              • Opcode Fuzzy Hash: 973707485c943df5e06001f933f00dcb3386fb14ab9cdd8bd0858e426cac27f1
                              • Instruction Fuzzy Hash: 77E1E77090CA4E8FEBA9EF28C855BE97BD1EF54350F04826ED84DC72A5CE7499418781
                              Memory Dump Source
                              • Source File: 00000000.00000002.2658099884.00007FFB4B250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B250000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4b250000_7fqul5Zr8Y.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7a337ea542b68ec4d86880986aae41821a41227d325f0fc92427e73eb8409951
                              • Instruction ID: 95ec7f38f9ac79be3a173e6a49bec0afafdf7618e874051fbd486a129ae4e545
                              • Opcode Fuzzy Hash: 7a337ea542b68ec4d86880986aae41821a41227d325f0fc92427e73eb8409951
                              • Instruction Fuzzy Hash: 4CA163B0C1D2C68EF76ABE34C919A753F605F12305F5485BAC68CD64F3EA5C641A8363
                              Memory Dump Source
                              • Source File: 00000000.00000002.2658099884.00007FFB4B250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B250000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4b250000_7fqul5Zr8Y.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 02f4c1c108b6bc2de2862b3b3c0033d64e1cfea829df59f5bafc27e1a1445610
                              • Instruction ID: df2bbe1ec14b0d0d82bea3636fac946d7387635a328d4eb88a5cb1efe6f0e268
                              • Opcode Fuzzy Hash: 02f4c1c108b6bc2de2862b3b3c0033d64e1cfea829df59f5bafc27e1a1445610
                              • Instruction Fuzzy Hash: D85124B1D2A90A4AF71DBA74C4925FAB2D1EF95310F44847DD88B838D6EC2CB8074680
                              Memory Dump Source
                              • Source File: 00000000.00000002.2658099884.00007FFB4B250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B250000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4b250000_7fqul5Zr8Y.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 503e9150f702281fe71baeeb90447d776770ffce6276bbf30b17263339083ac7
                              • Instruction ID: 0fef70d70428c67cbf601eef11f72477bef0584053d5786175f029d906266ba5
                              • Opcode Fuzzy Hash: 503e9150f702281fe71baeeb90447d776770ffce6276bbf30b17263339083ac7
                              • Instruction Fuzzy Hash: 16612AB1D1C01705FB7DB938CA4AABA39449F5135FF54DA38C748E20F1AE2DB87A4191
                              Memory Dump Source
                              • Source File: 00000000.00000002.2658099884.00007FFB4B250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B250000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4b250000_7fqul5Zr8Y.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 52e4210dbaa09755e586e52642fb9501c1b77ff5d6b69b530617daf0dd16b2f3
                              • Instruction ID: 394d264064e3baad92f8b4ecfd274d6dea91717ba9b8b137b7fb6ea725aab7e5
                              • Opcode Fuzzy Hash: 52e4210dbaa09755e586e52642fb9501c1b77ff5d6b69b530617daf0dd16b2f3
                              • Instruction Fuzzy Hash: 635114B1D2EA094AF71DBA34C4965FAB6D1EF55310F4584BDD98B838D2ED28B8078680
                              Memory Dump Source
                              • Source File: 00000000.00000002.2658099884.00007FFB4B250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B250000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4b250000_7fqul5Zr8Y.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 70b84fa336aef720437fffc5f0061df291d2be96d1fcbc04aaa28cb4cf8e222c
                              • Instruction ID: 7b4f07b522b01c0b3455ad22972299ec7d2face5bf60efc799bb5f05b5f7ba43
                              • Opcode Fuzzy Hash: 70b84fa336aef720437fffc5f0061df291d2be96d1fcbc04aaa28cb4cf8e222c
                              • Instruction Fuzzy Hash: 215159B0D1C5079AFBBDFD34C61EA7A3A80AF10315F509538C64CD24F1EA1DB41A42A2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2658099884.00007FFB4B250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B250000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4b250000_7fqul5Zr8Y.jbxd
                              Similarity
                              • API ID:
                              • String ID: K_^$K_^$K_^$K_^
                              • API String ID: 0-4267328068
                              • Opcode ID: 44fd8c4286c49499147198ee262fbe54befbd5b209d58b68ef37945b39a3316d
                              • Instruction ID: eec00bde62654c8ad01b453c8911896ad8d1a8313c6f7ece26cd178baf469956
                              • Opcode Fuzzy Hash: 44fd8c4286c49499147198ee262fbe54befbd5b209d58b68ef37945b39a3316d
                              • Instruction Fuzzy Hash: 0281B6E280E7C21FE74767788CA55957FA5EF5326870E41EBC5C4CE0A7E949580BC322
                              Memory Dump Source
                              • Source File: 00000000.00000002.2658099884.00007FFB4B250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B250000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4b250000_7fqul5Zr8Y.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 080bb032303c1eee17571ed6797017580df2ae52383dbb1b31a1d84a2649063b
                              • Instruction ID: f116b65497b5f4aa914f26d81bb2688cdb66cb21ad76e4c752c38eecb9368190
                              • Opcode Fuzzy Hash: 080bb032303c1eee17571ed6797017580df2ae52383dbb1b31a1d84a2649063b
                              • Instruction Fuzzy Hash: B45218B092C7454FE719FF28C585679BBE1FFA9300F54867DD6CE83196DA38A8028742
                              Memory Dump Source
                              • Source File: 00000000.00000002.2658099884.00007FFB4B250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B250000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4b250000_7fqul5Zr8Y.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 78567bf2c2967c293fe7e1f1240c7b9799df3857e59728aee48e8527b912c269
                              • Instruction ID: 0be0fa82149af32ac05a330e2fad96bcb5e98337f226e60ad44869c441b7b2ae
                              • Opcode Fuzzy Hash: 78567bf2c2967c293fe7e1f1240c7b9799df3857e59728aee48e8527b912c269
                              • Instruction Fuzzy Hash: 8622F97092C3514FE319EF28C5C5639BBE1FB99300F54867DDADE83196DA3CA8428643
                              Memory Dump Source
                              • Source File: 00000000.00000002.2658099884.00007FFB4B250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B250000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4b250000_7fqul5Zr8Y.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1d6111d6084acbdcd183820e8f32c61df8986b6011bff7ff77a10a78297e93b0
                              • Instruction ID: 115c41c1e56f80110ee3a39df8b2e5bc02f1695704912977a74af1a807809c85
                              • Opcode Fuzzy Hash: 1d6111d6084acbdcd183820e8f32c61df8986b6011bff7ff77a10a78297e93b0
                              • Instruction Fuzzy Hash: C991D57190C74C8FDB59EFA8D8496E9BBE1EB95321F0482AFD049D3252CA749845CB81