Edit tour

Windows Analysis Report
G6hxXf90i5.exe

Overview

General Information

Sample name:	G6hxXf90i5.exe renamed because original name is a hash value
Original sample name:	35c10546b56f0af9bd3d8c7ea9665965.exe
Analysis ID:	1585775
MD5:	35c10546b56f0af9bd3d8c7ea9665965
SHA1:	d85138c30500a3f01e4410daa8c1a46d6eb77b9a
SHA256:	d1a16a50def193b10f6d814cfa9fe859db8dc0f2451175647470c8f31e204b25
Tags:	exeuser-abuse_ch
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Set autostart key via New-ItemProperty Cmdlet

Suricata IDS alerts for network traffic

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large array initializations

AI detected suspicious sample

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Suspicious powershell command line found

Tries to harvest and steal Bitcoin Wallet information

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

G6hxXf90i5.exe (PID: 7508 cmdline: "C:\Users\user\Desktop\G6hxXf90i5.exe" MD5: 35C10546B56F0AF9BD3D8C7EA9665965)

powershell.exe (PID: 7616 cmdline: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5' -Value '"C:\Users\user\AppData\Roaming\G6hxXf90i5.exe"' -PropertyType 'String' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

G6hxXf90i5.exe (PID: 7880 cmdline: "C:\Users\user\AppData\Roaming\G6hxXf90i5.exe" MD5: 35C10546B56F0AF9BD3D8C7EA9665965)

G6hxXf90i5.exe (PID: 8024 cmdline: "C:\Users\user\AppData\Roaming\G6hxXf90i5.exe" MD5: 35C10546B56F0AF9BD3D8C7EA9665965)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.1606582612.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.3776495868.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.3776495868.0000000003092000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: G6hxXf90i5.exe PID: 7508	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: G6hxXf90i5.exe PID: 7880	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7616, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\G6hxXf90i5

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5' -Value '"C:\Users\user\AppData\Roaming\G6hxXf90i5.exe"' -PropertyType 'String', CommandLine: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5' -Value '"C:\Users\user\AppData\Roaming\G6hxXf90i5.exe"' -PropertyType 'String', CommandLine|base64offset|contains: E^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\G6hxXf90i5.exe", ParentImage: C:\Users\user\Desktop\G6hxXf90i5.exe, ParentProcessId: 7508, ParentProcessName: G6hxXf90i5.exe, ProcessCommandLine: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5' -Value '"C:\Users\user\AppData\Roaming\G6hxXf90i5.exe"' -PropertyType 'String', ProcessId: 7616, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Set autostart key via New-ItemProperty Cmdlet

Source: Process started

Author: Joe Security: Data: Command: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5' -Value '"C:\Users\user\AppData\Roaming\G6hxXf90i5.exe"' -PropertyType 'String', CommandLine: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5' -Value '"C:\Users\user\AppData\Roaming\G6hxXf90i5.exe"' -PropertyType 'String', CommandLine|base64offset|contains: E^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\G6hxXf90i5.exe", ParentImage: C:\Users\user\Desktop\G6hxXf90i5.exe, ParentProcessId: 7508, ParentProcessName: G6hxXf90i5.exe, ProcessCommandLine: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5' -Value '"C:\Users\user\AppData\Roaming\G6hxXf90i5.exe"' -PropertyType 'String', ProcessId: 7616, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE Generic AsyncRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T08:49:10.515113+0100	2035595	1	Domain Observed Used for C2 Detected	185.157.162.103	56001	192.168.2.9	49742	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: G6hxXf90i5.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe

Avira: detection malicious, Label: HEUR/AGEN.1323341

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Virustotal: Detection: 58%			Perma Link

Multi AV Scanner detection for submitted file

Source: G6hxXf90i5.exe	ReversingLabs: Detection: 55%
Source: G6hxXf90i5.exe	Virustotal: Detection: 58%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: G6hxXf90i5.exe

Joe Sandbox ML: detected

Source: G6hxXf90i5.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: G6hxXf90i5.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 185.157.162.103:56001 -> 192.168.2.9:49742

Source: global traffic

TCP traffic: 192.168.2.9:49742 -> 185.157.162.103:56001

Source: Joe Sandbox View

ASN Name: OBE-EUROPEObenetworkEuropeSE OBE-EUROPEObenetworkEuropeSE

Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.103

Source: G6hxXf90i5.exe, 00000000.00000002.3774660239.0000000000F41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: G6hxXf90i5.exe, 00000000.00000002.3774660239.0000000000FA7000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: powershell.exe, 00000002.00000002.1351784654.000000000541B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.1349211380.0000000004506000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1352848261.0000000006C80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: G6hxXf90i5.exe, 00000000.00000002.3776495868.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1349211380.00000000043B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1349211380.0000000004506000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1352848261.0000000006C80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.1349211380.00000000043B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000002.00000002.1351784654.000000000541B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.1351784654.000000000541B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.1351784654.000000000541B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: G6hxXf90i5.exe, 00000000.00000002.3776495868.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, G6hxXf90i5.exe, 00000004.00000002.1606582612.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/WebDriver.dll
Source: G6hxXf90i5.exe, 00000000.00000002.3776495868.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, G6hxXf90i5.exe, 00000004.00000002.1606582612.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/chromedriver.exe
Source: G6hxXf90i5.exe, 00000000.00000002.3776495868.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, G6hxXf90i5.exe, 00000004.00000002.1606582612.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/msedgedriver.exe
Source: powershell.exe, 00000002.00000002.1349211380.0000000004506000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1352848261.0000000006C80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1351784654.000000000541B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: G6hxXf90i5.exe, 00000000.00000002.3776495868.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, G6hxXf90i5.exe, 00000004.00000002.1606582612.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: G6hxXf90i5.exe, 00000000.00000002.3776495868.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, G6hxXf90i5.exe, 00000004.00000002.1606582612.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, G6hxXf90i5.exe, 00000006.00000002.1689376315.00000000028F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: G6hxXf90i5.exe, 00000000.00000002.3776495868.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, G6hxXf90i5.exe, 00000004.00000002.1606582612.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354rCannot

System Summary

.NET source code contains very large array initializations

Source: G6hxXf90i5.exe, InstanceFilter.cs	Large array initialization: RateState: array initializer size 296976
Source: G6hxXf90i5.exe.0.dr, InstanceFilter.cs	Large array initialization: RateState: array initializer size 296976
Source: 0.2.G6hxXf90i5.exe.4053c28.0.raw.unpack, InstanceFilter.cs	Large array initialization: RateState: array initializer size 296976

Source: C:\Users\user\Desktop\G6hxXf90i5.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Code function: 0_2_013542F8	0_2_013542F8
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Code function: 0_2_013515B8	0_2_013515B8
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Code function: 0_2_013515A8	0_2_013515A8
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Code function: 0_2_01351BFE	0_2_01351BFE
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Code function: 0_2_01353D92	0_2_01353D92
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Code function: 0_2_01351C3D	0_2_01351C3D
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Code function: 0_2_01351C26	0_2_01351C26
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Code function: 0_2_01351C87	0_2_01351C87
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Code function: 0_2_06024980	0_2_06024980
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Code function: 0_2_0602BF50	0_2_0602BF50
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Code function: 0_2_0602BF60	0_2_0602BF60
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Code function: 0_2_06023488	0_2_06023488
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Code function: 0_2_0602DCA8	0_2_0602DCA8
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Code function: 0_2_06028580	0_2_06028580
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Code function: 0_2_06028590	0_2_06028590
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Code function: 0_2_0602A039	0_2_0602A039
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Code function: 0_2_0602A048	0_2_0602A048
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Code function: 0_2_060248FB	0_2_060248FB
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Code function: 0_2_06176691	0_2_06176691
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Code function: 0_2_0617669A	0_2_0617669A
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Code function: 0_2_06176755	0_2_06176755
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Code function: 0_2_06173D75	0_2_06173D75
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Code function: 0_2_0617623D	0_2_0617623D
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Code function: 0_2_06176153	0_2_06176153
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Code function: 0_2_0617615C	0_2_0617615C
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Code function: 0_2_061743B2	0_2_061743B2
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Code function: 0_2_061743C0	0_2_061743C0
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Code function: 4_2_02A342F8	4_2_02A342F8
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Code function: 4_2_02A315A8	4_2_02A315A8
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Code function: 4_2_02A315B8	4_2_02A315B8
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Code function: 4_2_02A31BFE	4_2_02A31BFE
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Code function: 4_2_02A31C87	4_2_02A31C87
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Code function: 4_2_02A31C26	4_2_02A31C26
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Code function: 4_2_02A31C3D	4_2_02A31C3D
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Code function: 4_2_02A33D92	4_2_02A33D92
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Code function: 6_2_00DA42DB	6_2_00DA42DB
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Code function: 6_2_00DA42F8	6_2_00DA42F8
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Code function: 6_2_00DA15B8	6_2_00DA15B8
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Code function: 6_2_00DA15A8	6_2_00DA15A8

Source: G6hxXf90i5.exe, 00000000.00000000.1324125686.000000000094A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameEprnvilubgl.exe" vs G6hxXf90i5.exe
Source: G6hxXf90i5.exe, 00000000.00000002.3776495868.0000000002E91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAnoseh.dll" vs G6hxXf90i5.exe
Source: G6hxXf90i5.exe, 00000000.00000002.3774660239.0000000000ECE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs G6hxXf90i5.exe
Source: G6hxXf90i5.exe, 00000004.00000002.1606582612.0000000002C9E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAnoseh.dll" vs G6hxXf90i5.exe
Source: G6hxXf90i5.exe, 00000004.00000002.1607036567.0000000003C75000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAnoseh.dll" vs G6hxXf90i5.exe
Source: G6hxXf90i5.exe, 00000004.00000002.1605197286.0000000000DDE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs G6hxXf90i5.exe
Source: G6hxXf90i5.exe, 00000004.00000002.1606582612.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAnoseh.dll" vs G6hxXf90i5.exe
Source: G6hxXf90i5.exe, 00000004.00000002.1608943328.0000000005280000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAnoseh.dll" vs G6hxXf90i5.exe
Source: G6hxXf90i5.exe, 00000006.00000002.1690052345.0000000003A63000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAnoseh.dll" vs G6hxXf90i5.exe
Source: G6hxXf90i5.exe, 00000006.00000002.1687991636.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs G6hxXf90i5.exe
Source: G6hxXf90i5.exe	Binary or memory string: OriginalFilenameEprnvilubgl.exe" vs G6hxXf90i5.exe
Source: G6hxXf90i5.exe.0.dr	Binary or memory string: OriginalFilenameEprnvilubgl.exe" vs G6hxXf90i5.exe

Source: G6hxXf90i5.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: G6hxXf90i5.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: G6hxXf90i5.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: G6hxXf90i5.exe, InstanceFilter.cs	Cryptographic APIs: 'CreateDecryptor'
Source: G6hxXf90i5.exe, PrinterMerchantID.cs	Cryptographic APIs: 'CreateDecryptor'
Source: G6hxXf90i5.exe, PrinterMerchantID.cs	Cryptographic APIs: 'CreateDecryptor'
Source: G6hxXf90i5.exe.0.dr, InstanceFilter.cs	Cryptographic APIs: 'CreateDecryptor'
Source: G6hxXf90i5.exe.0.dr, PrinterMerchantID.cs	Cryptographic APIs: 'CreateDecryptor'
Source: G6hxXf90i5.exe.0.dr, PrinterMerchantID.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.G6hxXf90i5.exe.4053c28.0.raw.unpack, InstanceFilter.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.G6hxXf90i5.exe.4053c28.0.raw.unpack, PrinterMerchantID.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.G6hxXf90i5.exe.4053c28.0.raw.unpack, PrinterMerchantID.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/7@0/1

Source: C:\Users\user\Desktop\G6hxXf90i5.exe

File created: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Mutant created: \Sessions\1\BaseNamedObjects\cddaa2fed6
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7624:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_saskvzxt.g50.ps1

Jump to behavior

Source: G6hxXf90i5.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: G6hxXf90i5.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\G6hxXf90i5.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\G6hxXf90i5.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: G6hxXf90i5.exe	ReversingLabs: Detection: 55%
Source: G6hxXf90i5.exe	Virustotal: Detection: 58%

Source: C:\Users\user\Desktop\G6hxXf90i5.exe

File read: C:\Users\user\Desktop\G6hxXf90i5.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\G6hxXf90i5.exe "C:\Users\user\Desktop\G6hxXf90i5.exe"
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5' -Value '"C:\Users\user\AppData\Roaming\G6hxXf90i5.exe"' -PropertyType 'String'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe "C:\Users\user\AppData\Roaming\G6hxXf90i5.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe "C:\Users\user\AppData\Roaming\G6hxXf90i5.exe"
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5' -Value '"C:\Users\user\AppData\Roaming\G6hxXf90i5.exe"' -PropertyType 'String'	Jump to behavior

Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Section loaded: wbemcomn.dll	Jump to behavior

Source: C:\Users\user\Desktop\G6hxXf90i5.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\G6hxXf90i5.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: G6hxXf90i5.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: G6hxXf90i5.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: G6hxXf90i5.exe, PrinterMerchantID.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: G6hxXf90i5.exe.0.dr, PrinterMerchantID.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.G6hxXf90i5.exe.4053c28.0.raw.unpack, PrinterMerchantID.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Suspicious powershell command line found

Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5' -Value '"C:\Users\user\AppData\Roaming\G6hxXf90i5.exe"' -PropertyType 'String'
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5' -Value '"C:\Users\user\AppData\Roaming\G6hxXf90i5.exe"' -PropertyType 'String'			Jump to behavior

Source: G6hxXf90i5.exe

Static PE information: 0xFFEF854D [Mon Jan 25 18:28:29 2106 UTC]

Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Code function: 0_2_06170AB0 push eax; ret		0_2_06170AB1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_04258D43 push ds; iretd		2_2_04258D52

Source: G6hxXf90i5.exe	Static PE information: section name: .text entropy: 7.866241849121042
Source: G6hxXf90i5.exe.0.dr	Static PE information: section name: .text entropy: 7.866241849121042

Source: C:\Users\user\Desktop\G6hxXf90i5.exe

File created: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run G6hxXf90i5			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run G6hxXf90i5			Jump to behavior

Source: C:\Users\user\Desktop\G6hxXf90i5.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Users\user\Desktop\G6hxXf90i5.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Users\user\Desktop\G6hxXf90i5.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\G6hxXf90i5.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Users\user\Desktop\G6hxXf90i5.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Memory allocated: 12B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Memory allocated: 2E90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Memory allocated: 12B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Memory allocated: 2A30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Memory allocated: 2BB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Memory allocated: 4BB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Memory allocated: DA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Memory allocated: 28A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Memory allocated: 48A0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Window / User API: threadDelayed 2578	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Window / User API: threadDelayed 7175	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2906	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1376	Jump to behavior

Source: C:\Users\user\Desktop\G6hxXf90i5.exe TID: 7788	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe TID: 7816	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe TID: 7816	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe TID: 7832	Thread sleep count: 2578 > 30	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe TID: 7828	Thread sleep count: 7175 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7688	Thread sleep count: 2906 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7676	Thread sleep count: 1376 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7744	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7708	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe TID: 7912	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe TID: 8044	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\G6hxXf90i5.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: G6hxXf90i5.exe, 00000000.00000002.3781978890.0000000005850000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWxg
Source: G6hxXf90i5.exe, 00000000.00000002.3782390034.000000000591A000.00000004.00000020.00020000.00000000.sdmp, G6hxXf90i5.exe, 00000000.00000002.3782298914.0000000005900000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\G6hxXf90i5.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\G6hxXf90i5.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5' -Value '"C:\Users\user\AppData\Roaming\G6hxXf90i5.exe"' -PropertyType 'String'

Jump to behavior

Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" remove-itemproperty -path 'hkcu:\software\microsoft\windows\currentversion\run' -name 'g6hxxf90i5';new-itemproperty -path 'hkcu:\software\microsoft\windows\currentversion\run' -name 'g6hxxf90i5' -value '"c:\users\user\appdata\roaming\g6hxxf90i5.exe"' -propertytype 'string'
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" remove-itemproperty -path 'hkcu:\software\microsoft\windows\currentversion\run' -name 'g6hxxf90i5';new-itemproperty -path 'hkcu:\software\microsoft\windows\currentversion\run' -name 'g6hxxf90i5' -value '"c:\users\user\appdata\roaming\g6hxxf90i5.exe"' -propertytype 'string'			Jump to behavior

Source: G6hxXf90i5.exe, 00000000.00000002.3776495868.000000000337B000.00000004.00000800.00020000.00000000.sdmp, G6hxXf90i5.exe, 00000000.00000002.3776495868.00000000032DB000.00000004.00000800.00020000.00000000.sdmp, G6hxXf90i5.exe, 00000000.00000002.3776495868.000000000346A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: G6hxXf90i5.exe, 00000000.00000002.3776495868.00000000031ED000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerh{
Source: G6hxXf90i5.exe, 00000000.00000002.3776495868.000000000337B000.00000004.00000800.00020000.00000000.sdmp, G6hxXf90i5.exe, 00000000.00000002.3776495868.00000000032DB000.00000004.00000800.00020000.00000000.sdmp, G6hxXf90i5.exe, 00000000.00000002.3776495868.000000000346A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTe
Source: G6hxXf90i5.exe, 00000000.00000002.3776495868.0000000003092000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager3F8"

Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Queries volume information: C:\Users\user\Desktop\G6hxXf90i5.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G6hxXf90i5.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Queries volume information: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Queries volume information: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\G6hxXf90i5.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\G6hxXf90i5.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Found many strings related to Crypto-Wallets (likely being stolen)

Source: G6hxXf90i5.exe, 00000000.00000002.3776495868.0000000003092000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: G6hxXf90i5.exe, 00000000.00000002.3776495868.0000000003092000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty
Source: G6hxXf90i5.exe, 00000000.00000002.3776495868.0000000003092000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q2C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: G6hxXf90i5.exe, 00000000.00000002.3776495868.0000000003092000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q/C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: G6hxXf90i5.exe, 00000000.00000002.3776495868.0000000003092000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus Web3
Source: G6hxXf90i5.exe, 00000000.00000002.3776495868.0000000003092000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: G6hxXf90i5.exe, 00000000.00000002.3776495868.0000000003092000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\G6hxXf90i5.exe

Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt

Jump to behavior

Source: Yara match	File source: 00000004.00000002.1606582612.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3776495868.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3776495868.0000000003092000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: G6hxXf90i5.exe PID: 7508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: G6hxXf90i5.exe PID: 7880, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	321 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	12 Process Injection	1 Masquerading	OS Credential Dumping	1 Query Registry	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	521 Security Software Discovery	Remote Desktop Protocol	1 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	1 DLL Side-Loading	341 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Process Injection	NTDS	341 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	213 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
G6hxXf90i5.exe	55%	ReversingLabs	ByteCode-MSIL.Trojan.Heracles
G6hxXf90i5.exe	58%	Virustotal		Browse
G6hxXf90i5.exe	100%	Avira	HEUR/AGEN.1323341
G6hxXf90i5.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	100%	Avira	HEUR/AGEN.1323341
C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	55%	ReversingLabs	ByteCode-MSIL.Trojan.Heracles
C:\Users\user\AppData\Roaming\G6hxXf90i5.exe	58%	Virustotal		Browse

Name	Source	Malicious	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.1351784654.000000000541B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/14436606/23354	G6hxXf90i5.exe, 00000000.00000002.3776495868.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, G6hxXf90i5.exe, 00000004.00000002.1606582612.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, G6hxXf90i5.exe, 00000006.00000002.1689376315.00000000028F8000.00000004.00000800.00020000.00000000.sdmp	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000002.00000002.1349211380.0000000004506000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1352848261.0000000006C80000.00000004.00000020.00020000.00000000.sdmp	false	high
https://aka.ms/pscore6lB	powershell.exe, 00000002.00000002.1349211380.00000000043B1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/DFfe9ewf/test3/raw/refs/heads/main/WebDriver.dll	G6hxXf90i5.exe, 00000000.00000002.3776495868.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, G6hxXf90i5.exe, 00000004.00000002.1606582612.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000002.00000002.1349211380.0000000004506000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1352848261.0000000006C80000.00000004.00000020.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/2152978/23354rCannot	G6hxXf90i5.exe, 00000000.00000002.3776495868.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, G6hxXf90i5.exe, 00000004.00000002.1606582612.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	G6hxXf90i5.exe, 00000000.00000002.3776495868.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, G6hxXf90i5.exe, 00000004.00000002.1606582612.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/DFfe9ewf/test3/raw/refs/heads/main/chromedriver.exe	G6hxXf90i5.exe, 00000000.00000002.3776495868.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, G6hxXf90i5.exe, 00000004.00000002.1606582612.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 00000002.00000002.1351784654.000000000541B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/DFfe9ewf/test3/raw/refs/heads/main/msedgedriver.exe	G6hxXf90i5.exe, 00000000.00000002.3776495868.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, G6hxXf90i5.exe, 00000004.00000002.1606582612.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.1351784654.000000000541B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/License	powershell.exe, 00000002.00000002.1351784654.000000000541B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 00000002.00000002.1351784654.000000000541B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	G6hxXf90i5.exe, 00000000.00000002.3776495868.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1349211380.00000000043B1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/Pester/Pester	powershell.exe, 00000002.00000002.1349211380.0000000004506000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1352848261.0000000006C80000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.157.162.103	unknown	Sweden		197595	OBE-EUROPEObenetworkEuropeSE	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585775
Start date and time:	2025-01-08 08:48:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	G6hxXf90i5.exe renamed because original name is a hash value
Original Sample Name:	35c10546b56f0af9bd3d8c7ea9665965.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/7@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 95% Number of executed functions: 187 Number of non-executed functions: 20
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 2.22.50.144, 2.22.50.131, 13.107.246.45, 20.109.210.53
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
Execution Graph export aborted for target G6hxXf90i5.exe, PID 7508 because it is empty
Execution Graph export aborted for target G6hxXf90i5.exe, PID 7880 because it is empty
Execution Graph export aborted for target G6hxXf90i5.exe, PID 8024 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7616 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:49:04	API Interceptor	7x Sleep call for process: powershell.exe modified
02:49:10	API Interceptor	9967053x Sleep call for process: G6hxXf90i5.exe modified
07:49:07	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run G6hxXf90i5 C:\Users\user\AppData\Roaming\G6hxXf90i5.exe
07:49:15	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run G6hxXf90i5 C:\Users\user\AppData\Roaming\G6hxXf90i5.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
OBE-EUROPEObenetworkEuropeSE	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, XWorm, Xmrig	Browse	185.157.162.216
	RFQ-12202431_ACD_Group.pif.exe	Get hash	malicious	Unknown	Browse	193.187.91.218
	RFQ-12202431_ACD_Group.pif.exe	Get hash	malicious	Unknown	Browse	193.187.91.218
	ZppxPm0ASs.exe	Get hash	malicious	Xmrig	Browse	185.157.162.216
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Vidar, Xmrig	Browse	185.157.162.216
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	185.157.162.216
	file.exe	Get hash	malicious	Xmrig	Browse	185.157.162.216
	file.exe	Get hash	malicious	Amadey, Credential Flusher, DarkVision Rat, LummaC Stealer, Stealc	Browse	185.157.162.216
	file.exe	Get hash	malicious	DarkVision Rat, Xmrig	Browse	185.157.162.216
	file.exe	Get hash	malicious	Amadey, DCRat, DarkVision Rat, LummaC Stealer, Stealc, Vidar	Browse	185.157.162.216

Process:	C:\Users\user\Desktop\G6hxXf90i5.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\G6hxXf90i5.exe
File Type:	data
Category:	modified
Size (bytes):	328
Entropy (8bit):	3.1363752421440023
Encrypted:	false
SSDEEP:	6:kK1Mi9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:t8DnLNkPlE99SNxAhUe/3
MD5:	EA0413421F0F2ED9A3AD6A3BDC5B55D5
SHA1:	B9E4885C803CC08C14FADA3DB163283C8979A929
SHA-256:	6ED58CA4F0866ED98E991F1CE0F0CF221C17D16B94BAFF75C2D2E16B773B05E8
SHA-512:	3B3A72CBF2E9521F5C4B86B378113E3D7719DDB2E76E08DF21B64F31A01DA8497565EDEB08FD1EA1FC758E61EB806FC8C8C55E7671388B1DFD5D18C8D6868D90
Malicious:	false
Reputation:	low
Preview:	p...... ........~...a..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\G6hxXf90i5.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\G6hxXf90i5.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1400
Entropy (8bit):	5.344873306377427
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhRAE4KzetfE4KnKIE4oKNzKo9E4KhZsXE4qdKm:MxHKlYHKh3oRAHKzetfHKntHo6lHKmHA
MD5:	8255A4767725CC323842B221CEAFCBEE
SHA1:	537C8C5384748F137B339E39BC0A7FA90DBBC112
SHA-256:	7B368AA23DA44F0789862A83A2FA7BD40B1E1FB3C19E69005FAEA382DD0252F5
SHA-512:	C9B2DB6E3059872EEBF2DDBF2CE19A76D794C01D50E6A178108F5DAF29BA3B93DCF048C72A4414FAB83026BBE062C6DB5BA91657EF4706853A26980342E2CDD8
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=n

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1260
Entropy (8bit):	5.3840843615352725
Encrypted:	false
SSDEEP:	24:3qyt7WSKco4KmZjKbm51s4RPT6moUebIKo+mZ9tXt/NK3R8IHrIr:ayxWSU4xymI4RfoUeW+mZ9tlNWR8IHEr
MD5:	177B45C49525AE54D109BC48E9DBFCC9
SHA1:	86C6292F381BEF8FB726F1CFF3E8AE81D6020003
SHA-256:	14B45DA87B80A979D962103D916D9A3AA7AAD20BF4EAF140B817A9766202EC3F
SHA-512:	038A041AD45D136066E74C72DA47257723DF37DC3334A1D20D29BD8578AD88B0B5557280FD8AB6A5AE5F751115A8322EDC23FFA4661C03C34E0DB2364AA69A44
Malicious:	false
Reputation:	low
Preview:	@...e.................................^..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.D....................+.H..!...e........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gpf54ar4.fl2.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_saskvzxt.g50.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\G6hxXf90i5.exe

Download File

Process:	C:\Users\user\Desktop\G6hxXf90i5.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	357376
Entropy (8bit):	7.85035122447071
Encrypted:	false
SSDEEP:	6144:9KtVzSYv+251My5wDx3aB9PZn3WQFZgrGiVhC9k1ZEiE84WrQVxpdV2ldP47Swl3:0Su+i1Al3E9PZRWBs9kDEiE84FHpv2l6
MD5:	35C10546B56F0AF9BD3D8C7EA9665965
SHA1:	D85138C30500A3F01E4410DAA8C1A46D6EB77B9A
SHA-256:	D1A16A50DEF193B10F6D814CFA9FE859DB8DC0F2451175647470C8F31E204B25
SHA-512:	1E911F400A4A38A1C10F5AF68F0C0282C6BA0C333857E1F28DCAFB5700AE2074888EFC6ABE7DA9676813DA9896B6E095F243DD89B501388358738EA029C5FABE
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 55% Antivirus: Virustotal, Detection: 58%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...M.................0..j............... ........@.. ....................................@.....................................K.......p............................................................................ ............... ..H............text....i... ...j.................. ..`.rsrc...p............l..............@..@.reloc...............r..............@..B........................H............W..............................................................(......(......0..........8......(......8....... ....o....8T..... 0./ .:.[a~....{....a(....(....o....8........o......o....o......8....s......8,..... Nk.m v.%Ca~....{i...a(4...(....o....8..... .........%.....(....s......8..........s......8.........(....8....s......8.......o....s......8.............8..........o....&8.......(......8.......s......8.........o....8......o......8..........9....8......o.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.85035122447071
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	G6hxXf90i5.exe
File size:	357'376 bytes
MD5:	35c10546b56f0af9bd3d8c7ea9665965
SHA1:	d85138c30500a3f01e4410daa8c1a46d6eb77b9a
SHA256:	d1a16a50def193b10f6d814cfa9fe859db8dc0f2451175647470c8f31e204b25
SHA512:	1e911f400a4a38a1c10f5af68f0c0282c6ba0c333857e1f28dcafb5700ae2074888efc6abe7da9676813da9896b6e095f243dd89b501388358738ea029c5fabe
SSDEEP:	6144:9KtVzSYv+251My5wDx3aB9PZn3WQFZgrGiVhC9k1ZEiE84WrQVxpdV2ldP47Swl3:0Su+i1Al3E9PZRWBs9kDEiE84FHpv2l6
TLSH:	B174128175C793A4C96B15B8C8F7096106F9A32B2E33C98A3B6407E64E037C6DF64F59
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...M.................0..j............... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4588fe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xFFEF854D [Mon Jan 25 18:28:29 2106 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x588b0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5a000	0x570	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x56904	0x56a00	c8af74ce57932c79a272750fe3495ccc	False	0.9193412923881674	data	7.866241849121042	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x5a000	0x570	0x600	3a4ea315901a8a36784d4f4f5013e73a	False	0.4055989583333333	data	3.957653575609958	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5c000	0xc	0x200	caef98ee0feca75c106030c426dc82ee	False	0.041015625	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x5a0a0	0x2e4	data			0.4283783783783784
RT_MANIFEST	0x5a384	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-08T08:49:10.515113+0100	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	1	185.157.162.103	56001	192.168.2.9	49742	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 08:49:09.817687988 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:49:09.822551966 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:49:09.822648048 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:49:09.824052095 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:49:09.828907967 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:49:09.841384888 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:49:09.846246958 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:49:10.499536991 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:49:10.499574900 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:49:10.499675035 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:49:10.509294033 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:49:10.515113115 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:49:10.757708073 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:49:10.802148104 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:49:12.393466949 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:49:12.398292065 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:49:12.398339987 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:49:12.403183937 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:49:32.633224964 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:49:32.677229881 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:49:32.794811964 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:49:32.849126101 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:49:35.037858963 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:49:35.042709112 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:49:35.043638945 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:49:35.048489094 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:49:35.398545027 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:49:35.442841053 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:49:35.560416937 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:49:35.565754890 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:49:35.570557117 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:49:35.570640087 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:49:35.575448036 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:49:54.646017075 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:49:54.692950010 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:49:54.811463118 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:49:54.864883900 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:49:58.037499905 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:49:58.043128967 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:49:58.043186903 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:49:58.057373047 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:49:58.403460979 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:49:58.458542109 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:49:58.927584887 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:49:58.929717064 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:49:58.934643030 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:49:58.934688091 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:49:58.939496994 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:50:21.038942099 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:50:21.043869019 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:50:21.043957949 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:50:21.048801899 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:50:21.758897066 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:50:21.802320004 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:50:21.937253952 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:50:21.942157984 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:50:21.947010994 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:50:21.947110891 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:50:21.951956987 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:50:44.050870895 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:50:44.055743933 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:50:44.055844069 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:50:44.060604095 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:50:44.406740904 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:50:44.458662033 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:50:44.677808046 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:50:44.681631088 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:50:44.686379910 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:50:44.686511993 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:50:44.691236973 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:50:54.521629095 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:50:54.526442051 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:50:54.526535988 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:50:54.531347990 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:50:54.890026093 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:50:55.046883106 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:50:55.046972036 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:50:55.050643921 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:50:55.055418968 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:50:55.055501938 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:50:55.060276031 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:50:55.540940046 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:50:55.545779943 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:50:55.549029112 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:50:55.553896904 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:50:55.909022093 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:50:55.958655119 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:50:56.062449932 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:50:56.065273046 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:50:56.070101976 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:50:56.070182085 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:50:56.074938059 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:51:02.740711927 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:51:02.745589972 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:51:02.745693922 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:51:02.750456095 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:51:03.102605104 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:51:03.266364098 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:51:03.266463995 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:51:03.272820950 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:51:03.277641058 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:51:03.277911901 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:51:03.282733917 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:51:11.771805048 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:51:11.776683092 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:51:11.776799917 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:51:11.781572104 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:51:12.133153915 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:51:12.208662033 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:51:12.297305107 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:51:12.301547050 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:51:12.306344986 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:51:12.306438923 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:51:12.311197996 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:51:27.601053953 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:51:27.607327938 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:51:27.608994007 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:51:27.615036011 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:51:27.961513042 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:51:28.005559921 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:51:28.125722885 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:51:28.129126072 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:51:28.134025097 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:51:28.134069920 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:51:28.138880968 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:51:36.568893909 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:51:36.573918104 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:51:36.573999882 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:51:36.578896999 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:51:37.263906956 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:51:37.411777020 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:51:37.422614098 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:51:37.424711943 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:51:37.429500103 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:51:37.429610014 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:51:37.434375048 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:51:45.365637064 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:51:45.370621920 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:51:45.370690107 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:51:45.375729084 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:51:45.815304995 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:51:45.966018915 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:51:45.970283031 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:51:45.973176003 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:51:45.978210926 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:51:45.978256941 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:51:45.983241081 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:51:48.740421057 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:51:48.745347023 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:51:48.745439053 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:51:48.750237942 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:51:49.288403988 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:51:49.288849115 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:51:49.288964987 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:51:49.294605017 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:51:49.299385071 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:51:49.300993919 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:51:49.305774927 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:51:59.818897009 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:51:59.825355053 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:51:59.825514078 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:51:59.831180096 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:52:00.200841904 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:52:00.255575895 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:52:00.360589981 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:52:00.363554955 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:52:00.368527889 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:52:00.368578911 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:52:00.373456955 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:52:22.824124098 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:52:22.831341028 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:52:22.831413031 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:52:22.837102890 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:52:23.184952974 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:52:23.271307945 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:52:23.345287085 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:52:23.348937988 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:52:23.353740931 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:52:23.353859901 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:52:23.358690023 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:52:40.552900076 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:52:40.557800055 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:52:40.557882071 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:52:40.569722891 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:52:40.921030998 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:52:40.974982023 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:52:41.095798016 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:52:41.101474047 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:52:41.106343031 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:52:41.111346960 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:52:41.116199970 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:52:42.927953959 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:52:42.933461905 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:52:42.933516979 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:52:42.938791037 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:52:43.284265041 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:52:43.380572081 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:52:43.439650059 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:52:43.444549084 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:52:43.449346066 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:52:43.449428082 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:52:43.454215050 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:52:51.443408966 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:52:51.479753017 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:52:51.480886936 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:52:51.485754013 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:52:51.841201067 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:52:51.880914927 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:52:52.002320051 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:52:52.004647970 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:52:52.009416103 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:52:52.009463072 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:52:52.014209986 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:53:10.124828100 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:53:10.133095026 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:53:10.134924889 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:53:10.139683008 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:53:10.342866898 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:53:10.420778036 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:53:10.502382994 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:53:10.503257036 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:53:10.508109093 CET	56001	49742	185.157.162.103	192.168.2.9
Jan 8, 2025 08:53:10.508198977 CET	49742	56001	192.168.2.9	185.157.162.103
Jan 8, 2025 08:53:10.513040066 CET	56001	49742	185.157.162.103	192.168.2.9

Target ID:	0
Start time:	02:49:03
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\G6hxXf90i5.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\G6hxXf90i5.exe"
Imagebase:	0x8f0000
File size:	357'376 bytes
MD5 hash:	35C10546B56F0AF9BD3D8C7EA9665965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3776495868.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3776495868.0000000003092000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	02:49:03
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5' -Value '"C:\Users\user\AppData\Roaming\G6hxXf90i5.exe"' -PropertyType 'String'
Imagebase:	0xd30000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:49:03
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:49:15
Start date:	08/01/2025
Path:	C:\Users\user\AppData\Roaming\G6hxXf90i5.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\G6hxXf90i5.exe"
Imagebase:	0x900000
File size:	357'376 bytes
MD5 hash:	35C10546B56F0AF9BD3D8C7EA9665965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1606582612.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 55%, ReversingLabs Detection: 58%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:49:24
Start date:	08/01/2025
Path:	C:\Users\user\AppData\Roaming\G6hxXf90i5.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\G6hxXf90i5.exe"
Imagebase:	0x520000
File size:	357'376 bytes
MD5 hash:	35C10546B56F0AF9BD3D8C7EA9665965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Function 061743B2 Relevance: 1.5, Instructions: 1495COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a17e01b7d999333d72a1633af37609050da4afcdd554bae0dcb5b1975d71038
Instruction ID: 1d686e286dcb0f289309ae91a87f36bbc245c033168f40f81d38f6c0eaad6284
Opcode Fuzzy Hash: 7a17e01b7d999333d72a1633af37609050da4afcdd554bae0dcb5b1975d71038
Instruction Fuzzy Hash: 86E2CC347011248FC744EB25EDA4B9BB7E2BF4C300B558A9AD816AF399DB306D52CF94

Function 061743C0 Relevance: 1.5, Instructions: 1493COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 123dd88e0175042e4752453e8f026eaa892642dbc6a023ed6da045e24abcc279
Instruction ID: d9d29ffc560bbef138b9e8f8be4a9600ae99ab4a9c689ba3c4cb5c0efe88e9ac
Opcode Fuzzy Hash: 123dd88e0175042e4752453e8f026eaa892642dbc6a023ed6da045e24abcc279
Instruction Fuzzy Hash: 79E2CC347011248FC744EB25EDA4B9BB7E2BF4C300B558A9AD816AF399DB306D52CF84

Function 060248FB Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47d0dc72b4ccb4e2aab54ed8c27f9f0cef449ce68894afa103aca2677b59cc7b
Instruction ID: 4411c2e36af5fca1f6cdfa940a175b195aee6b4083678b05c3f875913d13ec55
Opcode Fuzzy Hash: 47d0dc72b4ccb4e2aab54ed8c27f9f0cef449ce68894afa103aca2677b59cc7b
Instruction Fuzzy Hash: 1AE1B334B012249FCB45FB75E8585BEB7B3EFC9200B108619D8065B398DF346D66CB91

Function 06024980 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 716b0ea27586ea4c0a2dc66bff4d9c4c2682ef5bde939628926e9eff5ae7d65e
Instruction ID: 8b068e531addcd968de0ba281442a8062a619805805467180fe135dc5167dc68
Opcode Fuzzy Hash: 716b0ea27586ea4c0a2dc66bff4d9c4c2682ef5bde939628926e9eff5ae7d65e
Instruction Fuzzy Hash: DFD1A334B012249FDB45FB65E8989BEB7B3EFC9300B108619D8065B398DF346C66CB95

Function 06176691 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 415caed068f4ed9deb6c8c1a7adbf9a228cf17c9658b65f47ad63172b77acf34
Instruction ID: 5c67006fd99037e5ab93325d03f8cd0889798068aec02b2011e6030efd0c765e
Opcode Fuzzy Hash: 415caed068f4ed9deb6c8c1a7adbf9a228cf17c9658b65f47ad63172b77acf34
Instruction Fuzzy Hash: CAD1FF34B011158FD754EB69E899A6F77F2FF88300F1585A9D809AB399DB309D42CF81

Function 0617669A Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b66628a72646eb360f0d44379df1c96927612ba86a5d44435b36a2e6f8091c1
Instruction ID: 2db2306df684a018aba9def8e412939a8c0c590c7121b4e0e7aa227f35559c70
Opcode Fuzzy Hash: 6b66628a72646eb360f0d44379df1c96927612ba86a5d44435b36a2e6f8091c1
Instruction Fuzzy Hash: C8C1FF34B011158FD754EB69E8A9A6F77F2FF88300F1585A9D809AB399DB309D42CF80

Function 06176755 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d3d796cb47827eaf00ab81e020722b6d87b6ac05bd499cd414dc7213270b5a6
Instruction ID: 855ca8aeaed69c36f0e4dd72e55331bab9ab62b5b4ec30be4d5cf5bbd5bc6b97
Opcode Fuzzy Hash: 1d3d796cb47827eaf00ab81e020722b6d87b6ac05bd499cd414dc7213270b5a6
Instruction Fuzzy Hash: BDA10E34B011558FD754EB69E8A9A6F77F2FF88300F1585A9D809AB399DB309D42CF80

Function 06176BE0 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

;s, xrefs: 06176BE6

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID: ;s
API String ID: 0-294607650
Opcode ID: 423b236deb96314e640be4afe9fb4c5cd75a685d9c935a6fbef706cfdcf916c8
Instruction ID: c67a5fcefe61f4fb2f5d3ec21b881e0adb79b1ceae7b823731f04a9445aba927
Opcode Fuzzy Hash: 423b236deb96314e640be4afe9fb4c5cd75a685d9c935a6fbef706cfdcf916c8
Instruction Fuzzy Hash: 7A216A31B086049FEB599B68841476E3BE2FBCA271F55805AE809DB384CE358D06C792

Function 0617935A Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

;s, xrefs: 0617942A

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID: ;s
API String ID: 0-294607650
Opcode ID: 7b6964be13747625af5313c5b604d54ad95b7f59fb284650f99ea0387f9c29c8
Instruction ID: f50805c73c29beecc911efde00240b746e17ff8de135c9ea31405299f3707e74
Opcode Fuzzy Hash: 7b6964be13747625af5313c5b604d54ad95b7f59fb284650f99ea0387f9c29c8
Instruction Fuzzy Hash: 4C21B530600209AFC744EF65D8919AFB7F6FF95310750C529D419AB354EB31AD0ACF90

Function 06179368 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

;s, xrefs: 0617942A

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID: ;s
API String ID: 0-294607650
Opcode ID: 1063ff282d3eff9c7e6fb16a77fa8f724a24c5db1aea4feaa38ce3b87fa95b68
Instruction ID: 5cd10bf4af1ebca1705edb56a27db34983c7ee03038776fe97ac3273ed3b1615
Opcode Fuzzy Hash: 1063ff282d3eff9c7e6fb16a77fa8f724a24c5db1aea4feaa38ce3b87fa95b68
Instruction Fuzzy Hash: 2221A730600209AFC744EF65D891DAEB7F6FF85314750C529D4199B254EB31AD0ACF90

Function 061777C0 Relevance: .5, Instructions: 482COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ae9616293a0126a7aba141eec5bff8115e0b3bcc4dfb6ea83906fe885ee89aa
Instruction ID: 3705c01f6339b596b42135ae907d261d2db1a2da9de18b990306e2d4f4b87216
Opcode Fuzzy Hash: 0ae9616293a0126a7aba141eec5bff8115e0b3bcc4dfb6ea83906fe885ee89aa
Instruction Fuzzy Hash: E5123C30A00709CFDB65DF78C450AAEB7F2BF88714F248A69D4069B295DB75E885CB90

Function 06021548 Relevance: .4, Instructions: 441COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58ccc2e95c2fd2a4fe69556722f149661e320af70bc3450644559de71bfa952b
Instruction ID: 93e424245febc2c1171762e0d53383015de2dbd7f197fc66eb56e93f718e144e
Opcode Fuzzy Hash: 58ccc2e95c2fd2a4fe69556722f149661e320af70bc3450644559de71bfa952b
Instruction Fuzzy Hash: 08024334B01214CFCB45EFA5E8949AEB7F6FFC9300B108669D906AB359DB30AD55CB90

Function 01351830 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3775880178.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95070af10415d6fe46e9118399e40aad3619b872445f50cff3f89898816bb630
Instruction ID: 9fb0efcee5288d8d82a015e3ce91cab1505f946f00e2b1adf11cde7bdab88bc4
Opcode Fuzzy Hash: 95070af10415d6fe46e9118399e40aad3619b872445f50cff3f89898816bb630
Instruction Fuzzy Hash: BAA1DF34A002149FDB15EF69D554EAABBF2FF88714F1581AAD805EB3A5DB30EC01CB90

Function 06024510 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0aa0bd442d252957a3e5f3f4a6828961c8ede8f5b135322a29ea9743ba200a3
Instruction ID: d97427959e4526fb21da0c8bef1037da0a668a82196ca8f08004324444a69c7d
Opcode Fuzzy Hash: e0aa0bd442d252957a3e5f3f4a6828961c8ede8f5b135322a29ea9743ba200a3
Instruction Fuzzy Hash: 1591C034B11225DBDB85FF65E4886ADBBF6EFC8200F108229D4056B398DF74A856CBD1

Function 06178632 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cd8234fa7b0c24d26ef82823b1b53d76c734c9728d0c781b561da5a06f738b2
Instruction ID: fceb3445cc550b591f96d3262ac9e43f8a47ea483d2b4cbe9bc67d63cb8aac71
Opcode Fuzzy Hash: 3cd8234fa7b0c24d26ef82823b1b53d76c734c9728d0c781b561da5a06f738b2
Instruction Fuzzy Hash: B2910A34A10204DFDB94DFA9C598AADBBB2BF88304F248569D406AB361DB31ED42CF50

Function 06024500 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 738f5435c3e9fcf322490ca2617b69c0d4a11bcdc3aa7a2213f569c8e2f3891f
Instruction ID: 8f15fd6249f07a2bb20d9a9065aef292663ac40231089cf5f5c985837c18e6d8
Opcode Fuzzy Hash: 738f5435c3e9fcf322490ca2617b69c0d4a11bcdc3aa7a2213f569c8e2f3891f
Instruction Fuzzy Hash: 3871D234B11125DBCB85FB65E4885ADBBF6EFC8300F108219D4056B398EF74A866CBD1

Function 060244C2 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bab9a5360880af91cc2d7a6ab23a11a551ff5236d796bd4b8e6d4999226bfa1
Instruction ID: 4710e11deebf65a8a23875b36c41517224bfe1d376520dad3eb64a587f6ed930
Opcode Fuzzy Hash: 3bab9a5360880af91cc2d7a6ab23a11a551ff5236d796bd4b8e6d4999226bfa1
Instruction Fuzzy Hash: 2E71AF34B11125CBCB85FB65E4986ADBBF6EFC8200F108219D4056B398EF74A966CBD1

Function 061770C8 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0fff5b3dbb5bb9e2c8296e48807aa864ee53b702b3f0220e4c0ad05b3c1c228
Instruction ID: c6ab03efe212baf2edd13d6d066834d9242cd4c6afe6a623c8f80d5487a83cb6
Opcode Fuzzy Hash: a0fff5b3dbb5bb9e2c8296e48807aa864ee53b702b3f0220e4c0ad05b3c1c228
Instruction Fuzzy Hash: 44513632B1020A9FCF05CFA8D8449EEBBF6FF88210B15812AF905E7254DB35D921DB90

Function 06027CA2 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc9be68104bf40333bcd2fa573972ffdcc32d5e9bcfeb7044159aa107ea5104b
Instruction ID: 4e2c6ec1f904345a26f2c088bec175a5a7ec292f855c2c103f9428a72ff12b85
Opcode Fuzzy Hash: bc9be68104bf40333bcd2fa573972ffdcc32d5e9bcfeb7044159aa107ea5104b
Instruction Fuzzy Hash: CB716D3A244121EFDB469F84E944C55BFB2FF4C22430A82C5E24A4B636C772D8A2EF55

Function 01351281 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3775880178.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5df557bada09a8e7979aa6fcee5b5af018d5604cfa04e59701b3501408694eb
Instruction ID: f71ac6f5aa9ca9280493a2d184641aaf716cb11e9d899c728786fe928d1721c8
Opcode Fuzzy Hash: a5df557bada09a8e7979aa6fcee5b5af018d5604cfa04e59701b3501408694eb
Instruction Fuzzy Hash: 03515C74B001148FCB44EFB9C498AAEBBF2BF89714F254069E906EB3A5CA719C01CB50

Function 01351290 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3775880178.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50d753e6005b0807adf7d00f7ecc8f675565ef7e1af0da89722df44b7933b064
Instruction ID: 76b3a005b04c31442a81b1deef47d15ce20be36295e3918fda5c7b44b82228c9
Opcode Fuzzy Hash: 50d753e6005b0807adf7d00f7ecc8f675565ef7e1af0da89722df44b7933b064
Instruction Fuzzy Hash: 6A513D74B00114CFCB44EFA9C498AAEBBF2BF89710F254069E906EB3A5CE759C01CB55

Function 061706D0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd0bfac6c1d6d07225b07e75ae3bb040700585fd293d67955761b86d96477520
Instruction ID: 176811eb0cd9559854b7667012371702181beeda3d3432a5beb5f7880885df9a
Opcode Fuzzy Hash: bd0bfac6c1d6d07225b07e75ae3bb040700585fd293d67955761b86d96477520
Instruction Fuzzy Hash: 094150743011149BE705EB69F869B6B77ABEBC8710F108129D80A9F3D9CE349C12CBD5

Function 061706E0 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1451f292a62f93c71947429f61709c9d3a1bc2d5b506d92a0f44ff30aad4dd91
Instruction ID: f92f71186695c9ab870a69e7cb2561f8213183bcf81bb324661d79e3a3a7a635
Opcode Fuzzy Hash: 1451f292a62f93c71947429f61709c9d3a1bc2d5b506d92a0f44ff30aad4dd91
Instruction Fuzzy Hash: 33412E743011149BE705EB69F869B6B67ABEBC8710F108129D90A9F3D9CE349C12CBE5

Function 06172550 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7ca6444d75e3f417e65d15ec008ceda3c5947e4f0275cfe96f1aa57d2bf14f8
Instruction ID: 2e0081f48222411c8e399c36331faa11b7b014305c642586c52979869167bc2f
Opcode Fuzzy Hash: a7ca6444d75e3f417e65d15ec008ceda3c5947e4f0275cfe96f1aa57d2bf14f8
Instruction Fuzzy Hash: 57416174B112248FC744FB66F994AAF77F6BF88250B10862ADC059B348DF309D12CB95

Function 06172540 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b14a1acabf71add7abaf2cc7d34ae1137e2fd66e105c6d5c6e6b6d0d7e1a5600
Instruction ID: d139330995ff451a5f8a2359029cc4dfacb0d8743178a137797ccdcc7513b369
Opcode Fuzzy Hash: b14a1acabf71add7abaf2cc7d34ae1137e2fd66e105c6d5c6e6b6d0d7e1a5600
Instruction Fuzzy Hash: 4A414F74B112248BC754EB66EDA4BAB77F6EF88250B108629DC019B388DF309952CB95

Function 06176994 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a07a8da7f6e925871ddeb0a2d446dac82f7b7652301f29080382c04906ef4a8
Instruction ID: bf4fe872a85aaf4ab7d7a123ade858102843dce80dfca76247aa1f0d58aa365b
Opcode Fuzzy Hash: 5a07a8da7f6e925871ddeb0a2d446dac82f7b7652301f29080382c04906ef4a8
Instruction Fuzzy Hash: 75513374B011158FD754EB69E899AAE77F2FF88300F1485A6D409DB398DB309D42CF80

Function 061769A1 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 151db221060966cd5e0cd19181daffa0c9dc800c526b5b8f450d1e75c6afc255
Instruction ID: 4a7109d8790b23b4f2b7a44adca5f81e3639f88febe01fad14b12ca366fec255
Opcode Fuzzy Hash: 151db221060966cd5e0cd19181daffa0c9dc800c526b5b8f450d1e75c6afc255
Instruction Fuzzy Hash: 35512374B011558FD754EB69E899A9E77F2FF88300F1485A5D809DB398DB309D42CF80

Function 0617D8A0 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f05344fb3208194baa09776a4fbabbba10e35413bc8673b1eecbcf4d2b0f9953
Instruction ID: ef03345b32d00fe51aeff32e8a1e5efaecb781525b4a85bc4aeef0f08465717c
Opcode Fuzzy Hash: f05344fb3208194baa09776a4fbabbba10e35413bc8673b1eecbcf4d2b0f9953
Instruction Fuzzy Hash: 62310934E1A248AFCB46DB75EC116EF3FB5EF8A300B11419BD485DB282DB345906C7A1

Function 060220F8 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fc4fb72fe7974e6899a8288694f85224cbed01a8779d8316990d77d294bc720
Instruction ID: a1c605e276368328e68fa091700b0c551efb37372ef1a565ab29d930dc898761
Opcode Fuzzy Hash: 4fc4fb72fe7974e6899a8288694f85224cbed01a8779d8316990d77d294bc720
Instruction Fuzzy Hash: 363139327002655FC741EBF5AC106EE7BEAEFC9121B1445A7FA08D7240CD35CD159B50

Function 061787A2 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53e2bc1e4dbb6a645c74d94cd037004df53bb851e49a7137fcb601adb96b15ed
Instruction ID: f8979e4ef2bb7d2a286073f9a76731d3640133caba4a5e372d5fdfc1fd53546d
Opcode Fuzzy Hash: 53e2bc1e4dbb6a645c74d94cd037004df53bb851e49a7137fcb601adb96b15ed
Instruction Fuzzy Hash: D0413030E10208CFDBA4DFA9C458BADBBB2BF88314F648578D006AB2A5CB359D41CF50

Function 061782BF Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54bcfec9654713cf88aead4887276e0af104dfa1909441f0eda9d14fc5387e6f
Instruction ID: e109951974f05a1d313c97bd05c615b1e8404533d9533fa42e21df542b35f509
Opcode Fuzzy Hash: 54bcfec9654713cf88aead4887276e0af104dfa1909441f0eda9d14fc5387e6f
Instruction Fuzzy Hash: E431E9347003459FD355DB29D844AAABBF2BFD5230B19C66DD086CF396DB30E90A8B91

Function 06022240 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0394522e4742f3823e7dd762bef77bec26fbdf7364124dd8cc7ca1be7cd8600
Instruction ID: 48c617fe5dd04ffd2762b08ea93e767c30d623a1dbc44849ba3d26773fa498cc
Opcode Fuzzy Hash: d0394522e4742f3823e7dd762bef77bec26fbdf7364124dd8cc7ca1be7cd8600
Instruction Fuzzy Hash: 75311C72A000596B8F12CED59C50CFFBFFEEF4D211B04406AFA55E2151DA36DA25ABB0

Function 0602F9C0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5988ea0cb9c0efca12012403281358ad50ce6045c7550360903fc77928386398
Instruction ID: 08a05b1fe9ec74f3c53457695727d27500299fdba07581d34823c15bf305f99a
Opcode Fuzzy Hash: 5988ea0cb9c0efca12012403281358ad50ce6045c7550360903fc77928386398
Instruction Fuzzy Hash: BF317239B511158FC745EBA9E8A966F7BB3EFC8310B108129D905DB389DF344C12C791

Function 0602F9D0 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3050356438521d0da46f036bcda81914917927c30491f30e8a3be0e98e91a26d
Instruction ID: fd59e543df8f1d089544165beeac4240ce245805b7666cf5494636f9423c55ef
Opcode Fuzzy Hash: 3050356438521d0da46f036bcda81914917927c30491f30e8a3be0e98e91a26d
Instruction Fuzzy Hash: 52314D38B510158FC745EBA9E8A966F7BB3EBC8310B108169D909EB389DF344C12CB91

Function 06172C80 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dc30b3e6ecafae18a96ec2cf266d8f25e746ac6079b4c9376359b88c33ff72e
Instruction ID: 64e9b506f67c5baad1c8b79c1b919494d4e631ce07b064750f5a91fb67cb5049
Opcode Fuzzy Hash: 4dc30b3e6ecafae18a96ec2cf266d8f25e746ac6079b4c9376359b88c33ff72e
Instruction Fuzzy Hash: 26318F74F10224DFDB58EB66E854AAE77B2BF8C340F10452ADC01AB358DB349D06CB99

Function 01351138 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3775880178.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf40f38e84b2dbe185583198c55082aadb7bc7b53903c264829253348dc9555c
Instruction ID: 930ed9b28c12a3422ffeb26baa394412c58a21f234d9e50fa96ff498d6cc360d
Opcode Fuzzy Hash: bf40f38e84b2dbe185583198c55082aadb7bc7b53903c264829253348dc9555c
Instruction Fuzzy Hash: F5217E347002089FD764DF69E959FAEBBF5AB88754F104469E8029B394DB709E018BA0

Function 0135111F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3775880178.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c3b518589f7778f7fbed1187034596469be6bcfd2e620ad98bec0922fecb862
Instruction ID: cffb30fee6d1ddc0e456eb27c9f714b4927ead96ebda1e1760551400f6428ac8
Opcode Fuzzy Hash: 7c3b518589f7778f7fbed1187034596469be6bcfd2e620ad98bec0922fecb862
Instruction Fuzzy Hash: BF21DE747002049FC754EB79D858B9ABBE5AF88760B0005A9E802DB3A5DB20DD018BA0

Function 06172C70 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7c981dcba6a5f74e47fd012b19715368e5e6474b80280c4b86c3ce3789f12ac
Instruction ID: c5fbc860020daacff96fa347b9cf1639b0e05cc6caacf43410f48598779063f8
Opcode Fuzzy Hash: f7c981dcba6a5f74e47fd012b19715368e5e6474b80280c4b86c3ce3789f12ac
Instruction Fuzzy Hash: D1219F70F01224DFDB58EB65E854AAD77B2EF8C340F10462ADC01AB394DB749906CB99

Function 0617D4A9 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c88d26aabc9e16422e395bcb2363852fd66c4453140d67bd7b11b84bd09ba3dd
Instruction ID: 941a2e8d84ddc87a0bfeb45f99d13aee0361f277fc46612908cb2283e7914174
Opcode Fuzzy Hash: c88d26aabc9e16422e395bcb2363852fd66c4453140d67bd7b11b84bd09ba3dd
Instruction Fuzzy Hash: 8221C430E402188FD784EB79E8563EF7BF2EF84710F008669D906AB388DB3059468BD5

Function 0617A570 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c04f9d63853167b3d171b6d08090e171925accf4c723397fbcfded85308bdd0d
Instruction ID: f36815cb74624e7a188bd5baea341c557d02189bc5162ec6b029df950dfdccff
Opcode Fuzzy Hash: c04f9d63853167b3d171b6d08090e171925accf4c723397fbcfded85308bdd0d
Instruction Fuzzy Hash: 762138343022944FCB05A769D824BEF7FB6EB8A700F15415AE842AF3C5CA380D0787D5

Function 06178CD0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c62676cdf78bca0362f8aa39d971f726c0cdaaeaffd07ed724abe03a28659e9
Instruction ID: 0774699f645ab6a2fcccc254360892b5e2056aba2f114d3cbcbea4da919d12f0
Opcode Fuzzy Hash: 5c62676cdf78bca0362f8aa39d971f726c0cdaaeaffd07ed724abe03a28659e9
Instruction Fuzzy Hash: 25212430600A058FD364DF19E548A52FBF5FF94324F19CAAAD49E8BA62D770F845CB84

Function 0617A7C9 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08f04278718ea14009d38c77387d5a0b92ca63919172ed455e731144e1c9aafb
Instruction ID: e0af7435933155138d09182fe0aee2a3a066c1f2fc7a1b76e30e2bdcc31e88f6
Opcode Fuzzy Hash: 08f04278718ea14009d38c77387d5a0b92ca63919172ed455e731144e1c9aafb
Instruction Fuzzy Hash: 6321C3797510489FCB04EF98D55AAAF77F6EB8C310F108169E406AB389CE309D02CBA1

Function 06178DA0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c742f03de724880161957616232736810969fab69c902c0e0c4ecbc9a74b35d
Instruction ID: b3e96a3ca0bb69c376a2f7c912e4c6df38d4336e410e6473d6be79ec14291170
Opcode Fuzzy Hash: 8c742f03de724880161957616232736810969fab69c902c0e0c4ecbc9a74b35d
Instruction Fuzzy Hash: 1C1182747042449FD7A4CB39D888E53BBF9EF89224B1585A9E44ACB252DB30E846CB50

Function 0617A7D8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 948d224c1f1821a106079fa26d27ff9c0001132b7e16e602cf9eb118e1eccbd8
Instruction ID: 8651c51efd2bceff3b63694dd1ac86e51e8f8b11b9aec5b8c65b0af51f137d32
Opcode Fuzzy Hash: 948d224c1f1821a106079fa26d27ff9c0001132b7e16e602cf9eb118e1eccbd8
Instruction Fuzzy Hash: 621181757550489FDB04EB99D459AAF7BFAEB8D310F208168E505A7389CE305D02CBE1

Function 0617DA11 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ad6aa4df1d905ac0e42d0fe5926cda33f04d4095e07711c1a594054f16ed941
Instruction ID: bd3451bb27c31f7c789527ce27f575f992eabfa50020c9a064afd3c015c9723b
Opcode Fuzzy Hash: 7ad6aa4df1d905ac0e42d0fe5926cda33f04d4095e07711c1a594054f16ed941
Instruction Fuzzy Hash: 741189B1C043498FCB20CFAAD845BDEBBF4FF48210F20845AE458A7250D375A941CFA0

Function 0617D4B8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38c71effd8ca3bae18fa47f9513a947aa95eb5192d072e4df4696215e8f9d7f6
Instruction ID: 252890fab73fe22248d401ee50fd0788ab41225fecc36050ba750f898d7f21ed
Opcode Fuzzy Hash: 38c71effd8ca3bae18fa47f9513a947aa95eb5192d072e4df4696215e8f9d7f6
Instruction Fuzzy Hash: B8119070B413288BD744EB7AA8516AF77F2EFC4720F018629D905AB388DB3059468BD5

Function 06179841 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e6fb66204dfaa762fbb8c253713db3b74a440ef9b92a45a43afee4cfce20a33
Instruction ID: 38b0d0ba9597ca7062eec675850e5d7c5893b5d6aaa6e24dc6d462067cc5bee6
Opcode Fuzzy Hash: 8e6fb66204dfaa762fbb8c253713db3b74a440ef9b92a45a43afee4cfce20a33
Instruction Fuzzy Hash: 69110A7190A3849FC742CBA0D9115D9BFB0EF8B21075848EBD889CB253D5358D0BD751

Function 06178241 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28bfba0523beb5da14839dceda4c771477696a78ab5b0015b8b34b88d0e7d429
Instruction ID: d9a5e139449896545fdd23593387e25e2aae087e0867e83c991bf1041f1bfc3d
Opcode Fuzzy Hash: 28bfba0523beb5da14839dceda4c771477696a78ab5b0015b8b34b88d0e7d429
Instruction Fuzzy Hash: 5C019A357002049FD750CF6AD898A2ABBF6EF89265B18446CE949DB325DB31EC01CB90

Function 0617A5A0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0a55c3f2df9ccee5a013df5682faa3e9c1459a2838ab2b3675cf5339d14c9bb
Instruction ID: 8a38d27c256d8847b0e19ab50ca80b7d7b2a2dbb0b733fa5f612c60263f652ac
Opcode Fuzzy Hash: c0a55c3f2df9ccee5a013df5682faa3e9c1459a2838ab2b3675cf5339d14c9bb
Instruction Fuzzy Hash: E00161347411648BDB05AB69D8597AEBBB6AB89B00F10411AE8067B3C4CF744E158BD5

Function 06171B50 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f9fcb3c4afddf399431d48c2e703375aeb612c531ba1837bcc77b05f6214a5
Instruction ID: 254be522a6385123e8c7d19c66900514e3529dbcc9ecfe2edffee30b35c80fac
Opcode Fuzzy Hash: 41f9fcb3c4afddf399431d48c2e703375aeb612c531ba1837bcc77b05f6214a5
Instruction Fuzzy Hash: 0E01C4756001259FD740EBA8E8437A77BF5EB88710F10C264EA0AEB3C9DA319951C7E1

Function 0617DA39 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11217800c39a36d4bc9afc9c8382e49a2e80b898380135fd4bf924ff2fbc19c3
Instruction ID: f8cd9fdf9c5dbf60e0b5b34934888c9d90ab5a61c1a3c57a2a4e6767732d1fda
Opcode Fuzzy Hash: 11217800c39a36d4bc9afc9c8382e49a2e80b898380135fd4bf924ff2fbc19c3
Instruction Fuzzy Hash: AB1113B58043498FDB20CF9AC844BDEBBF4EF48220F208459E459A7250D374A945CFA5

Function 06178250 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 948a8c2e9e7dbe48b8a783caa94df09b7fdfdf22a13520d4d6acacc31dd1aca7
Instruction ID: d18680fa865822ea7dfe5ef310e0d71ef2915abdefbbae63c9b907f064a74e74
Opcode Fuzzy Hash: 948a8c2e9e7dbe48b8a783caa94df09b7fdfdf22a13520d4d6acacc31dd1aca7
Instruction Fuzzy Hash: 55018B397002009FD750CB6AD888A2AB7FAEFCD261718446CE949DB725DB31EC01CB50

Function 0121D7F1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3775602828.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_121d000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 552a8142a25a5056d5bf50f0fe04a21697ef8495ead19d08df20c571ebd2ee77
Instruction ID: c74f7bf85eb32745b7410cada76e2a1e502a60c3d37add6b879fb465ce7aa583
Opcode Fuzzy Hash: 552a8142a25a5056d5bf50f0fe04a21697ef8495ead19d08df20c571ebd2ee77
Instruction Fuzzy Hash: 4501F771118308EFE720CA96CC88767BBD8EF50234F05C019EE0C0A187C3749841CAB1

Function 0617DA40 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f37b82cd21a8f56b851b94bf79411a768b200a9dcb356560ec56ee27d85d585
Instruction ID: d0541d672af47db082cd653d5958e3067595bb14c129759b2c053a62d027e0df
Opcode Fuzzy Hash: 7f37b82cd21a8f56b851b94bf79411a768b200a9dcb356560ec56ee27d85d585
Instruction Fuzzy Hash: 5311FEB58043498FDB20DFAAD884BDEBBF4AF48224F20845AD419A7650D374A944CFA5

Function 06171B60 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ec0c1692da9fdd3707e32c8b362a935e23fc1745f4e575dde0c3aee7adbf671
Instruction ID: 9b43cda4c4ee3096bef272d31125ac83aeb54f0e909e9b18e9c598f614f04489
Opcode Fuzzy Hash: 3ec0c1692da9fdd3707e32c8b362a935e23fc1745f4e575dde0c3aee7adbf671
Instruction Fuzzy Hash: 8E0192746001149FD740EFA8E84676B77FAEB88710F008265EA09EB3C9DA725951CBD1

Function 06029F20 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de52e04fa7eb29ac72a447460d41ca1dd9a732c2e6eff1156c36261441dc3f54
Instruction ID: 54bfa7858ae5d54e7c6ec5c86c92b33d516d326c7951d675e2f6903e63954b56
Opcode Fuzzy Hash: de52e04fa7eb29ac72a447460d41ca1dd9a732c2e6eff1156c36261441dc3f54
Instruction Fuzzy Hash: DF0162772844119FCB069F89E805C677BA7EB8C32170581A5F2099B275CB21D8629B91

Function 0617D4FF Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30e65583b5dce162aa4d86c669cca799db4d57751899b04237689f445a7f7b84
Instruction ID: cd6c54b5417e39ef8275ef81d71db1b011b3530691d6074b268a70923b32399a
Opcode Fuzzy Hash: 30e65583b5dce162aa4d86c669cca799db4d57751899b04237689f445a7f7b84
Instruction Fuzzy Hash: A7F0DC307403288BE244BA65A8507AE73E3ABC0620F008A19D9026B388DF71690A4BCA

Function 06023318 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd311c14e465ff9c6c7837fa4b6ac54e8c36b0a69b75075060612ffc5430717a
Instruction ID: 18c4afd6423053886f72a5511bfe4381cf520e19d1e917662eaaf73651e72002
Opcode Fuzzy Hash: fd311c14e465ff9c6c7837fa4b6ac54e8c36b0a69b75075060612ffc5430717a
Instruction Fuzzy Hash: BBF089363011145BC704E659FC45A6BB79AE7CC660F54C535F509C7349CD34AD1287E1

Function 0121D7F0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3775602828.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_121d000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4627cfd3a52cb925b8a53c7d8e1167923fd306b9bc6f72c89e6b75da9e79cc0
Instruction ID: ccd3a68a58a4d5feda877964be87fe06b6d3cdcef05e60c2cd38e4ad8239b5f1
Opcode Fuzzy Hash: d4627cfd3a52cb925b8a53c7d8e1167923fd306b9bc6f72c89e6b75da9e79cc0
Instruction Fuzzy Hash: CAF04F714082489FE7208A1AD9C8B62FBD8EB51634F18C55AEE4C5A287C3799845CAB1

Function 06172520 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40d095efae1d0452dce1799e282873e2961bea95f6810e43e16627e32759607c
Instruction ID: 694f77ceb24bd7c68483ce0d492dfb1bb9d3860e10e4c95e5958977dfb068d4e
Opcode Fuzzy Hash: 40d095efae1d0452dce1799e282873e2961bea95f6810e43e16627e32759607c
Instruction Fuzzy Hash: 3AE02BB7E01018D7CA50EA45EC41BE9B378DB81221F6400AFA80ED7350EF229E0397D4

Function 0602D802 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01dd054f5d8bc6323653b90ab1dbc32c11201661c5cf689e4e3c689f02669d03
Instruction ID: 350235e15e3b0984ea187c67e449fe6c961191af7d36059aebb76c51845bc1d0
Opcode Fuzzy Hash: 01dd054f5d8bc6323653b90ab1dbc32c11201661c5cf689e4e3c689f02669d03
Instruction Fuzzy Hash: 88F0A0762051119FD240EA58F856E6FBBA6EFE8B10F04C56EF50587388CE319C02C7B1

Function 06023328 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 873005edbdc73f799ea67f8cc1dbb0293aa1199c90e0f44286b9800fa640df2a
Instruction ID: 3c6fc8c81a2ea6fb35cdd4e35a73e27b09a4071857fb6d3381162e6736f5e6b0
Opcode Fuzzy Hash: 873005edbdc73f799ea67f8cc1dbb0293aa1199c90e0f44286b9800fa640df2a
Instruction Fuzzy Hash: 0DF06535301114AB8705FA5EF889C6BB79FF7CC660754C129F90987349CE30AC1697E1

Function 01350898 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3775880178.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc06c389574c762947d2f3bec0656736e0fef7cc4878ff0d92cd7f46753aa939
Instruction ID: 32b777085ebcba97db8b90649f5067d382404c83d9875a203207110972c5d3fd
Opcode Fuzzy Hash: fc06c389574c762947d2f3bec0656736e0fef7cc4878ff0d92cd7f46753aa939
Instruction Fuzzy Hash: 20F0EC7250838CFFC702CBB0A825CFC7FB8EA0A21830045CAE886C7102CA320F0487A1

Function 060221E1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3597fe1a9efab27ec7ce2cb268eaeacbfe8ebe8e6567b4a213fe5427c6fc5fb5
Instruction ID: 04840bb9ca1f44b2ce348f7913d1e98ac7c0c83288540623a6837c896ec05f2c
Opcode Fuzzy Hash: 3597fe1a9efab27ec7ce2cb268eaeacbfe8ebe8e6567b4a213fe5427c6fc5fb5
Instruction Fuzzy Hash: E4F08CB20000986FDB81CE94CC01AFA3FA9EB48215F088086FDA8D6151C57AC922DBA0

Function 060221F0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40b153383e6de520665622cd19abb3d691de445f4deecf93faaa50dfd1b24b64
Instruction ID: 704a75d8dcbbdfedf44427af84db028faf61110e9c107736e094e3b967943e86
Opcode Fuzzy Hash: 40b153383e6de520665622cd19abb3d691de445f4deecf93faaa50dfd1b24b64
Instruction Fuzzy Hash: 81E0ED721041987F8B41CE95CC10CFA7FEDEB4D265B088046FE98D2151C576DD21EBB0

Function 01350861 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3775880178.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11be59e7f40a516df2def6f1701f93b137fdbd153ff7d6dd254b62264b7f0071
Instruction ID: bbd36220fa9c669458eeb9980f5af3ead47ae3f9a84927bd81e65bc19339c391
Opcode Fuzzy Hash: 11be59e7f40a516df2def6f1701f93b137fdbd153ff7d6dd254b62264b7f0071
Instruction Fuzzy Hash: 40E0425256E7D12EC31703780C768917F709C5B10839E09CBC0C4CE5A3D05A656AD36A

Function 06021B94 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 511f538ab01aac8d97fe65f17d32712ff17ffac9b2b0a15283095548d5bb40ea
Instruction ID: f94cfa7eb6deb741939eab47ad84f444d1f30e440c135b2ceea9e7c60455251d
Opcode Fuzzy Hash: 511f538ab01aac8d97fe65f17d32712ff17ffac9b2b0a15283095548d5bb40ea
Instruction Fuzzy Hash: 30E0DF31909348AFCB42CBB0AC523CE7FF48F43100F0844EF9948C7291FA208A05C756

Function 06171E29 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f64677bbe87aa0402606f6507fd898faeed4add053e7380866ae4ffc8aef8820
Instruction ID: 87725a440d9c82953c7b07fe04a42567761b2ed76b6ec522c44549db7e3e6033
Opcode Fuzzy Hash: f64677bbe87aa0402606f6507fd898faeed4add053e7380866ae4ffc8aef8820
Instruction Fuzzy Hash: 06E08C361002186BC7008E84DC41AA77BADEB88620F44C026BC0987281DA72DD2297B0

Function 06171D00 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a8d288f1c6f07398f0bcbef1f948372fa48c937ae9400830a5bc0b6838dd4bc
Instruction ID: 225853f0466a57931c205e0d986d4d73f56e47955c1492a0256627591402afa3
Opcode Fuzzy Hash: 9a8d288f1c6f07398f0bcbef1f948372fa48c937ae9400830a5bc0b6838dd4bc
Instruction Fuzzy Hash: C9E08C371001086FCB01CE84DC41EA6BB2AEB98260F04841ABC0596300DAB3DD229794

Function 060233B8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aecb4ed10b07125d3d634fd41b19238bdb67de2d31bdac93cc179af23d120ddd
Instruction ID: f2a0a0871a86129a540c91020b3c16bfe747834da55b2abc7a71672dd4fb19a5
Opcode Fuzzy Hash: aecb4ed10b07125d3d634fd41b19238bdb67de2d31bdac93cc179af23d120ddd
Instruction Fuzzy Hash: 6DE0E6361041186BD701DE54DC52E96BB79DB89620F14C46AFD0487351C6B3ED12D7E0

Function 06024F79 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ade4d86cba49d2c1a30e884684dadc3c2839a391e8dd2fa7d359cdfaf501c62
Instruction ID: d8a338ec59c0849da2d293a231cdc2483c1adaac1dff50596f7379fbcccb4c8e
Opcode Fuzzy Hash: 2ade4d86cba49d2c1a30e884684dadc3c2839a391e8dd2fa7d359cdfaf501c62
Instruction Fuzzy Hash: 52E026321042845FD702CFA0CD01A663F60DF85721F0884CFF8948B292C6B2CC12DB50

Function 0602F960 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e325d33eb438822390025b026b467f6c684be2ef9edf5924256a4c83c1c59a5
Instruction ID: 6c22862fce723d3955b99bd97aff0d604165553bcd63c7e49d8a644d940e5793
Opcode Fuzzy Hash: 4e325d33eb438822390025b026b467f6c684be2ef9edf5924256a4c83c1c59a5
Instruction Fuzzy Hash: B5D01232905208ABCB51DBA0DD137DDB7F8D749510F4089A69904D7220FA354B155B51

Function 0135124F Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3775880178.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9aa950527205e9bd0095458fa058168bf066bbe5b4e5ea4dbe068b53a2faf3f
Instruction ID: fd9a0b663fadd149fcc951cfb102a9773a4ab24dd27c8f9b7db819f4339ae846
Opcode Fuzzy Hash: a9aa950527205e9bd0095458fa058168bf066bbe5b4e5ea4dbe068b53a2faf3f
Instruction Fuzzy Hash: 0AE01776B54310AFC761AFA9D48D8893BF5EF7A26030100A6E406CB231EA388D428B91

Function 013508A8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3775880178.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01c83a3c53722982459637c6f773bdbbfb2ea987604b4c528d7d7b45275d0df0
Instruction ID: 70dc45bbacf6a39445b056a8eb2f54613802fb88c565d74c77fb4d6259ae1e1e
Opcode Fuzzy Hash: 01c83a3c53722982459637c6f773bdbbfb2ea987604b4c528d7d7b45275d0df0
Instruction Fuzzy Hash: A2E04F7190430DFFD754DFA0E914DAC7BF9FB187147404199E80693604DA311F009BD1

Function 0617A798 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c4f9fb521dddcf05a5affc83b330a93a43086af8e8c4a2c156671a732fa01fc
Instruction ID: 3b87c4bf0fab04a01df8006a928de919764229b519b266d1aa3ac232c0f498b4
Opcode Fuzzy Hash: 7c4f9fb521dddcf05a5affc83b330a93a43086af8e8c4a2c156671a732fa01fc
Instruction Fuzzy Hash: 8DE0C2741082009FC702CF40E941C96BFA2EF86604B25884AF884D7212C336DD27DB32

Function 0617BDE1 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b500b2fdcb46a4e43c1c9a83170e3e29aca40c04b4edb15a6131f4e09e2dc979
Instruction ID: 9cb97d027bd1c99dcf451906dd3bd33c2076f217f2ea90dd26058d13746f3c29
Opcode Fuzzy Hash: b500b2fdcb46a4e43c1c9a83170e3e29aca40c04b4edb15a6131f4e09e2dc979
Instruction Fuzzy Hash: 5CE017B110D2915FC342CE54EA50C96BBB59F9AA00B19898BF580E7252C526CE17CB76

Function 0602CF78 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55effad5a61bf2c76734147c9d2e64328e427963b898856f9a891c4e2a0e2d0f
Instruction ID: 6a075ff09aaf20f04bd31e40a3eb5f845c6decc201b3b0383d83949276a280f9
Opcode Fuzzy Hash: 55effad5a61bf2c76734147c9d2e64328e427963b898856f9a891c4e2a0e2d0f
Instruction Fuzzy Hash: 91D0A7361043206FE350C954CC42A53BBA5FBD4704F14C92EA80083340CA63DC1787A0

Function 06024938 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebac8ec49f20aec4903b284b96d5b95046768b6dc0308b3aeb92d15514a15c38
Instruction ID: 34d7b1eab21a00a92fd8fe98919673af4d277725d35988e8fffb2a1e18250f5b
Opcode Fuzzy Hash: ebac8ec49f20aec4903b284b96d5b95046768b6dc0308b3aeb92d15514a15c38
Instruction Fuzzy Hash: B3E08636508288AFDF42CF94DD51CE67F75DF452107088087F99887262CA72CD32EBA0

Function 0617B618 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2636b9c8923f903f9a417146ad357e99e4dcaa40de95e54cb42ccc42425aaead
Instruction ID: 3b0b3eb09e6e7193e90887a0b26d4044f74c3a8680044ba79e151c5bdcacca2c
Opcode Fuzzy Hash: 2636b9c8923f903f9a417146ad357e99e4dcaa40de95e54cb42ccc42425aaead
Instruction Fuzzy Hash: 13E01735109381AFC341DF58DC11886BBB6FF8A204B298C8BE8D197252D626D847CBA2

Function 061705B0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ba6a0a909398aa38c8a090ec7d1d5555f882608e85a7d6b14e902604d7d7b11
Instruction ID: af3da37defeb20ef29743081efd51262eff6755c3d56a9cf3972116c77088b85
Opcode Fuzzy Hash: 8ba6a0a909398aa38c8a090ec7d1d5555f882608e85a7d6b14e902604d7d7b11
Instruction Fuzzy Hash: CAD01732E05108AFCB41CFE09D026EEB7E59B45211F6045F69C04D7250F9318E159B81

Function 060232E9 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b91e1ba24219cadde9f431a1a44883cec9b82582f6683cefa91010492ba2d740
Instruction ID: 26c7c3b999bccdc8d132e868c4d7c51661eb73aded3dbf265ba3f1d3b469d0b7
Opcode Fuzzy Hash: b91e1ba24219cadde9f431a1a44883cec9b82582f6683cefa91010492ba2d740
Instruction Fuzzy Hash: ECD05E362041109BD244CE04ED42E5ABBE5DBC8A10F24C82EB84093380CAA2DC038672

Function 06024948 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e6a07dc12e02ad3e5ed504a5308a9fd4191ff32c073443818bcad8348e5d37
Instruction ID: 74bd5e682b91a2d78f462f720d40d5774850364329bd47b2e62bddd07364fa43
Opcode Fuzzy Hash: a8e6a07dc12e02ad3e5ed504a5308a9fd4191ff32c073443818bcad8348e5d37
Instruction Fuzzy Hash: B2D012321001187F8B01CE84DC01CA67B6DEB89260704C056FD1487211C672DD22DBE0

Function 06171E38 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ab869af69afa5e3705abfa003fbeb05737d94153e11a484e1e7a4c73e3e153c
Instruction ID: d8e6f52d84d0e9a7535ad6c92223e7db018a165c074aefbb2bfd7201b7f166f6
Opcode Fuzzy Hash: 8ab869af69afa5e3705abfa003fbeb05737d94153e11a484e1e7a4c73e3e153c
Instruction Fuzzy Hash: D3D05E322001187F8B00CE88DC00CA67BADEB89220B04C05AFD5887241CAB2ED22DBA0

Function 06179769 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8da44620640a27584b0bfdf12cda4144a374a1819d59902558766be8c4af48d6
Instruction ID: 7faf8cd80d975b22241ab4b1fe5680fd9d235b59e78fc00c86b4513c6ab91dbd
Opcode Fuzzy Hash: 8da44620640a27584b0bfdf12cda4144a374a1819d59902558766be8c4af48d6
Instruction Fuzzy Hash: 3AE017341093909FC346DF64D850886BBB5FF86664B25C88FE4A5CB252CB36CD1BCB61

Function 0617B538 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30018365992fddc72408107b811d05d0b8444cc33f6249f18bf2c1e88d44d41f
Instruction ID: 3888f78611842f7ffa536c73694a22b3013d67da6c2971975c4624d44be384af
Opcode Fuzzy Hash: 30018365992fddc72408107b811d05d0b8444cc33f6249f18bf2c1e88d44d41f
Instruction Fuzzy Hash: 4CE0EC752082919FC342CF54E950956BBA29F96A00B15888EA4819B252C6269D1AC772

Function 0617D0F1 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3946befb64a4689c276b85cbb107eff171d6fa4167e6cbb881af68057c2f5e60
Instruction ID: f473f3c7dfe8e352e18cf6e49f38b2dd6ccebcf46fe9e35dc6d24ebf74a9837a
Opcode Fuzzy Hash: 3946befb64a4689c276b85cbb107eff171d6fa4167e6cbb881af68057c2f5e60
Instruction Fuzzy Hash: 91D05E2420A2811FD306C625CC61852FF74CB87144315C1AAE0D5C7262CB229C13C721

Function 06024F88 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ab869af69afa5e3705abfa003fbeb05737d94153e11a484e1e7a4c73e3e153c
Instruction ID: d8e6f52d84d0e9a7535ad6c92223e7db018a165c074aefbb2bfd7201b7f166f6
Opcode Fuzzy Hash: 8ab869af69afa5e3705abfa003fbeb05737d94153e11a484e1e7a4c73e3e153c
Instruction Fuzzy Hash: D3D05E322001187F8B00CE88DC00CA67BADEB89220B04C05AFD5887241CAB2ED22DBA0

Function 01350C66 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3775880178.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 063978a8c49b2298e56896f3fe384f0f6eb2de898e8e7bfdbb477f4646447c2a
Instruction ID: 2865a3d4165029564e2ee369abd9150a2ec6d3f03dc3e6f2ef32d41bd841d8ef
Opcode Fuzzy Hash: 063978a8c49b2298e56896f3fe384f0f6eb2de898e8e7bfdbb477f4646447c2a
Instruction Fuzzy Hash: B4E02031508615CEC3559F149404FAB37BCFB05B1DF4602B9ECDA67A57D3319801D782

Function 06179490 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dd13a8d8d2180712df87b6e87017222f0300c348958039dc02ed2b356580931
Instruction ID: 5bf4aa30b92d6799d501238b0e5edb2448ac96580393ebbbe78d1e02e2b13151
Opcode Fuzzy Hash: 4dd13a8d8d2180712df87b6e87017222f0300c348958039dc02ed2b356580931
Instruction Fuzzy Hash: 14D01735508750AFC244DB64C846AA7BBA5EFD8200B08C89FE45583251CA62EC0AC6A1

Function 06171D10 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44ba782675fcdd8aff74ea6f0a83c41e2cb3e78684efea51cd70aa7f2296677b
Instruction ID: 877f0f7dcd895513f3842dead994786ff947c22c1e70ab8d1161cd6d10d093a9
Opcode Fuzzy Hash: 44ba782675fcdd8aff74ea6f0a83c41e2cb3e78684efea51cd70aa7f2296677b
Instruction Fuzzy Hash: 04D09E36200118BF9B05DE84DC41CA6BB6AEB89660B14C45AFD1547351CAB3ED22DB90

Function 06171A68 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a475b7a4be0182bc0c4f8d15a68b2120c85142cd4d9270557b34e86ae22102e
Instruction ID: 12c2aabb511646d5f08bc89bb9fed8cdf9d0502b6449273c96d9a149d24d1671
Opcode Fuzzy Hash: 3a475b7a4be0182bc0c4f8d15a68b2120c85142cd4d9270557b34e86ae22102e
Instruction Fuzzy Hash: C2D05EB5109360AFC245CA14CC52957FBB5EFC8210B04CC9EE89583341CAA1DC07CB61

Function 0617099A Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ae31945bf43a0e6bd4b745a919801ebe8c9ce880f72b6a107c40eac14366317
Instruction ID: fcb01910827f937f25465ee3963135318edbf9e03d060aab4925dab289443112
Opcode Fuzzy Hash: 7ae31945bf43a0e6bd4b745a919801ebe8c9ce880f72b6a107c40eac14366317
Instruction Fuzzy Hash: 17D05E76901208AB8B40DBA0AD415CDF7FDDA45510F9041A69848D3200FA315B105BA5

Function 06027A52 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca87f32209969afeb7f1578bf114b9b8eb8ff124179234345a37879a5e5c1ea8
Instruction ID: 42c1790335698b5ef3f9db4c98ce64be4386f283c7a9e6883abc086b95eb0cc9
Opcode Fuzzy Hash: ca87f32209969afeb7f1578bf114b9b8eb8ff124179234345a37879a5e5c1ea8
Instruction Fuzzy Hash: C1D01771208151ABE320CA44DD01F16B7E5EBC8B00F18889EB88062245DA629C028BA2

Function 060233C8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44ba782675fcdd8aff74ea6f0a83c41e2cb3e78684efea51cd70aa7f2296677b
Instruction ID: 877f0f7dcd895513f3842dead994786ff947c22c1e70ab8d1161cd6d10d093a9
Opcode Fuzzy Hash: 44ba782675fcdd8aff74ea6f0a83c41e2cb3e78684efea51cd70aa7f2296677b
Instruction Fuzzy Hash: 04D09E36200118BF9B05DE84DC41CA6BB6AEB89660B14C45AFD1547351CAB3ED22DB90

Function 0602DC70 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87cb5562838bbb173013d0a2984a8d8fb86de5175ba92d09e31c466482f876df
Instruction ID: 88500a7fb54321be9dbfdd943e9ab6e0fe38ed296c35d88271f379e59d749166
Opcode Fuzzy Hash: 87cb5562838bbb173013d0a2984a8d8fb86de5175ba92d09e31c466482f876df
Instruction Fuzzy Hash: 92D012B53005005BC384C528CC56B12BBE5DBD9601F58C13C6449CB351DE32DC138A11

Function 06171C98 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b73a7ed6d96a80e49a938b02a2a514b3fc1d7e51c590a0b7fa20e36e1c222d30
Instruction ID: f0f41ab5e7b0f8a8eab0f9baeae1b7416b0fd081902b1aff4388fd9669fec5a3
Opcode Fuzzy Hash: b73a7ed6d96a80e49a938b02a2a514b3fc1d7e51c590a0b7fa20e36e1c222d30
Instruction Fuzzy Hash: 59D0A9382083408BE341CA14DDA0BA6BB61FBD5304F28C85DE8A697342CB22CC17CBA0

Function 06173A9B Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0042c0f1d55dd4246530da282d3af90c703f9da6e7c67a4fc0e59740262a1a8
Instruction ID: 10ddf9a3d5d9021c677a7ed46828c9a021eabee81bb9293f91017efa604ff079
Opcode Fuzzy Hash: e0042c0f1d55dd4246530da282d3af90c703f9da6e7c67a4fc0e59740262a1a8
Instruction Fuzzy Hash: A6D0A73690120CBF8B01DFA0E9005CEF7F8DB45110B4001E6A908E3200F9314E005B91

Function 0617B3B9 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b31f0942bccaebc703dcfdb1fc68616205fc524c9d6511aa1b833399c3d8fd3
Instruction ID: ba925a46e5f9525ef8bfbb39a268aecea4574f6d9a47e847eef83ce5eac72e9a
Opcode Fuzzy Hash: 1b31f0942bccaebc703dcfdb1fc68616205fc524c9d6511aa1b833399c3d8fd3
Instruction Fuzzy Hash: 62D017342083808FC351DF14D8A0C01FBF1BF86200716888ED890CB262C722DC07DB21

Function 06179898 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18ff57ea5a967b062686e296f2fee58ac989ce6cc3cb9827ecd71452f3559573
Instruction ID: e70472ee8fdd7be97d99eaef4d357ae325f3036e86b4fb3da2cf3f515239b6c6
Opcode Fuzzy Hash: 18ff57ea5a967b062686e296f2fee58ac989ce6cc3cb9827ecd71452f3559573
Instruction Fuzzy Hash: ABD05B7910C3C04FC342DF54D451495BF71AF9661071888CBE5D587353C621EC1BD725

Function 0602D758 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d03f4f0ee033dc13b0cdf4d882d84d75a8e19aaa0a7212333faa8a1a5836d70
Instruction ID: 607d872b42dcbca333bef82b88a90daddc3bd01538cfe457f1cd1a1fec691f48
Opcode Fuzzy Hash: 4d03f4f0ee033dc13b0cdf4d882d84d75a8e19aaa0a7212333faa8a1a5836d70
Instruction Fuzzy Hash: F6D05EB61081009BD740CE10ED91A1ABBA1EBD9B04F16C84EE44497352C622DC47DA32

Function 06028D38 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d4ca923d01fc1814bcc205ca1a8b1ffe76dfbe0a4074345f919b679d1514231
Instruction ID: a813742492d22a02d3b9e7a2daef963a24fe191e9e0b45b02958287e34e8ec00
Opcode Fuzzy Hash: 5d4ca923d01fc1814bcc205ca1a8b1ffe76dfbe0a4074345f919b679d1514231
Instruction Fuzzy Hash: 1CD012729092489BCB51DBA4AA117DEBBF49F85201F1405EE8889D3140F5355A149B41

Function 0602D9C8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab0a6e3a4cad239cb34a35189af6c2b4f9b77769846d4bc70b0c913e8e479877
Instruction ID: 6a50c619611a3cc70a529bbb1d1f733f4a6b8831f33bb7bc5532897f1375cf78
Opcode Fuzzy Hash: ab0a6e3a4cad239cb34a35189af6c2b4f9b77769846d4bc70b0c913e8e479877
Instruction Fuzzy Hash: DDD012363002006BC394C628EC87B26FBE9DBC8625F28C53DA409CB351DE32EC238620

Function 06179FC8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f15f5fb141d4fc8f48bdeebc46e02eb9df2daf4f058cdb51f9b3dd35c8529e
Instruction ID: 80fc416a8594c9801ea7240647c45a6e60ade91ef2e783f73e9a42bd08a6a681
Opcode Fuzzy Hash: a4f15f5fb141d4fc8f48bdeebc46e02eb9df2daf4f058cdb51f9b3dd35c8529e
Instruction Fuzzy Hash: 34D0A7242092805FC341CB20CC10852BFB1DFDB204315C0DAA4C5D7353C621CA43C725

Function 06172C48 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf97c73d6baf82206fd5de3116c5a37e83abea9fb95d719fb8ca0849e3f2dbd3
Instruction ID: e9bf1dd838cf348866009a575fd4bc1d34d42ac11278354335b9b19c1ef5a9a4
Opcode Fuzzy Hash: cf97c73d6baf82206fd5de3116c5a37e83abea9fb95d719fb8ca0849e3f2dbd3
Instruction Fuzzy Hash: 30D012313005019BE284C524CC57B25ABA5DBD4600FE4C43DB409C7350DE76DD03C610

Function 061705C0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdeb47de658a1500c041f8e1c1db83b37ba7ba87f528832fa7dea1455cf3f1dd
Instruction ID: 109da0782546195591a7123cb8321d917e2338f4f04da136f1092a4b8544d0f2
Opcode Fuzzy Hash: cdeb47de658a1500c041f8e1c1db83b37ba7ba87f528832fa7dea1455cf3f1dd
Instruction Fuzzy Hash: 00D0C972A0620CAF8B41DFE599005DEB7F9DB4A210B9045EA9908E7210FD315A149B95

Function 06173AA0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6e39bd51442399bb716eefeca5d0b5545d17a4d04708a21c27eb75ced0d62c9
Instruction ID: 9c9757ea3d6a3272a224dbdb517a8abb8ed22a56c993dc66cbfdafc2b7d9c30f
Opcode Fuzzy Hash: c6e39bd51442399bb716eefeca5d0b5545d17a4d04708a21c27eb75ced0d62c9
Instruction Fuzzy Hash: FAD0C976A0220CAF8B41DFA5A9005DEB7F9DB4A210B5045EA9908E7210F9315E149B96

Function 0617D8C8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0a6f2be397ba09741efaec46b7de6bb5c01b0c247522b9b69d34facaa3a7291
Instruction ID: eafa0ce91f09dbc441c126ab632acd53363ce685abae344a2c8908d294273ddb
Opcode Fuzzy Hash: f0a6f2be397ba09741efaec46b7de6bb5c01b0c247522b9b69d34facaa3a7291
Instruction Fuzzy Hash: 0BD0C971A0220CBF8B41DFE59A005DEB7F9DB8A210B9045EA9908E7210F9315E149B95

Function 061709A0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d779f63b32d70837bfa959df092a39db6404b53b451d7a71c2fa064135999062
Instruction ID: 94569ddb6b904995aad61219bf860fdf0451c06a34c44dd1c5c4b4b630113d1d
Opcode Fuzzy Hash: d779f63b32d70837bfa959df092a39db6404b53b451d7a71c2fa064135999062
Instruction Fuzzy Hash: 18D0A972A0220CAF8B00DFA0A9004CEF7FDDB4A210B5000EA8808D3200FA314B009BA2

Function 061709C8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 400007190e3fd2d8e831281b1fd21b8ccadeb647caac2fde81a68ef9ef62ebd6
Instruction ID: a5d937365dbf49156898724b2aee5a4c947ac3920afe5376f22dc793541c4a5f
Opcode Fuzzy Hash: 400007190e3fd2d8e831281b1fd21b8ccadeb647caac2fde81a68ef9ef62ebd6
Instruction Fuzzy Hash: 9ED0127410C2419FC305DB14E951817BBA1EFC5704B19888EE49497353C622DC56DB62

Function 06028D48 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec47fe015d606290bb47e23bf4fb33e5c2d141b2828496114e31b4129ba086f
Instruction ID: bfdf50d7cb03170a9690a3b2ee963eb8ea9b4627e2cd41b0fe48bc892691c567
Opcode Fuzzy Hash: cec47fe015d606290bb47e23bf4fb33e5c2d141b2828496114e31b4129ba086f
Instruction Fuzzy Hash: 58D0C972A0220CAB8B41DFA599005DEB7F9EB8A210B5045EA9909D7210F9315A149B95

Function 0602F970 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 349b3d5607e62571127208f9401ddf7499a9efadb709ff26749483cc99108253
Instruction ID: 3c2b83a5fba7ac131710456a7b018cfdafe860a6ad6e118ef17625d57990073b
Opcode Fuzzy Hash: 349b3d5607e62571127208f9401ddf7499a9efadb709ff26749483cc99108253
Instruction Fuzzy Hash: 5DD0C971E0220CAF8B41DFA5A9005DEB7F9DB4A210B5045EA9A08D7210FA315E149B95

Function 06020658 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 791868b2b6d4904eca63423b42afb3773cf3bd7afed7f015f908fe64dc81cf6d
Instruction ID: 1d2c5b51030abd186a83bee4b09449a282c16bbf154cb9b97365610c327b5c4c
Opcode Fuzzy Hash: 791868b2b6d4904eca63423b42afb3773cf3bd7afed7f015f908fe64dc81cf6d
Instruction Fuzzy Hash: B8D0C9712081219F9244CA48E950C6BB7E9DBC9A10B14884EB88493241CA62DC16CBB2

Function 0617B548 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
Instruction ID: 48e8204161933d4df9c7b41a33249025f43fd015cf28c75e97648b457401bf24
Opcode Fuzzy Hash: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
Instruction Fuzzy Hash: 84D012752081119F9204CF44E940C6BF7E6EFC8B10B14C84EB84053310CA72DC17CBB2

Function 06173A6B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2ae9351ad3ccd99a2c733c7081097715bf6934e8c5c6ba9347635abcf07db65
Instruction ID: 5e214b9518bd9fd61d251916d3fada451257eab4049dbe324adf09a0725a9a86
Opcode Fuzzy Hash: b2ae9351ad3ccd99a2c733c7081097715bf6934e8c5c6ba9347635abcf07db65
Instruction Fuzzy Hash: 89C012767011006BD344C518CC46B16E7B5DBD5650F54C82DA408C7355FA32EC038764

Function 061709D8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
Instruction ID: 48e8204161933d4df9c7b41a33249025f43fd015cf28c75e97648b457401bf24
Opcode Fuzzy Hash: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
Instruction Fuzzy Hash: 84D012752081119F9204CF44E940C6BF7E6EFC8B10B14C84EB84053310CA72DC17CBB2

Function 0602D228 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fd5862abba9300e25b077a0ac4af4b5da7c8fab61ce18239a04dd38772a8edf
Instruction ID: 805465856a0e97f1801a7b9e58a9ccc16fe6aa036e262aa7ced1ad80dc8590cd
Opcode Fuzzy Hash: 6fd5862abba9300e25b077a0ac4af4b5da7c8fab61ce18239a04dd38772a8edf
Instruction Fuzzy Hash: 59C012752142125BD254DA04C841D66B3A6FFC8314F14C86EE85083345CF76DC07C7A0

Function 06021FC1 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 566a49739a256e8f4cfc1e9f0ab4bbd43e49080c26b3370d2dd04753f784adef
Instruction ID: a8b3139f6d43266658af0ab456b83d26273eeb3fada6554515f4ba1d7fd870ab
Opcode Fuzzy Hash: 566a49739a256e8f4cfc1e9f0ab4bbd43e49080c26b3370d2dd04753f784adef
Instruction Fuzzy Hash: 58C092312057105BC784C628DC83704BB61DBCAA08F28C9B96418CF3D5CF23DC438590

Function 0602AC49 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57513ac02141e9d1d7e133c47ea9fee8205805730fde783510a7d0b6061fe255
Instruction ID: 2e50d3e9a545708f477cd1a030db028a42297c595d175d97976c56630e823a33
Opcode Fuzzy Hash: 57513ac02141e9d1d7e133c47ea9fee8205805730fde783510a7d0b6061fe255
Instruction Fuzzy Hash: 11D0126265510007D241C634CD47746BBD5D741340F58C8A98489C729ADA25E5038751

Function 01350932 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3775880178.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cff829ca0f52a3761480f66f5ab225615ff72b8801d95b927ddb0bfcb29ffd6
Instruction ID: 493e80b47d0dd5e4c7581b49b1773bcb65d749e6d44c38a7c23d8968699fa1af
Opcode Fuzzy Hash: 5cff829ca0f52a3761480f66f5ab225615ff72b8801d95b927ddb0bfcb29ffd6
Instruction Fuzzy Hash: D4D01232A9D3C0AFCB130B70242A0E83F30AFA3218B2884CFD4C5C90A3D2920802C722

Function 01351BDC Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3775880178.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8d5506a9d6a8b6eeed2a6a8151ba50a761c47b10e727529d1966cda3514f0a1
Instruction ID: dbef7fbc915fe8bbfb59a6852ce6c02fc45e02650ac8213088b9cf1ab519f2b4
Opcode Fuzzy Hash: f8d5506a9d6a8b6eeed2a6a8151ba50a761c47b10e727529d1966cda3514f0a1
Instruction Fuzzy Hash: 12D0A735E14148FBCF01AE50F8009BC3672FB49710F104414FC0152244CA324D488701

Function 06171CA8 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b42eb4a4237f3f300b34101a9c64c7a2a34653e472d88958374a96a308d26003
Instruction ID: 0a79cfcc9f3950630def7aa8d5064f7db411a5ec17eeb1af5eeabda724e68817
Opcode Fuzzy Hash: b42eb4a4237f3f300b34101a9c64c7a2a34653e472d88958374a96a308d26003
Instruction Fuzzy Hash: 8EC012752082209F9244DA08C840C66B3AAFBC8210B14C84EE85083300CBA2EC07CBA0

Function 06174370 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bb096841ae137bf6e2da397a40f00fedefa2f019f0a1832841df6e1445a2d69
Instruction ID: e12e6a63d05d3941e1b5adbe60937d9aed3db4a1661b185eca9f54c1f0023feb
Opcode Fuzzy Hash: 3bb096841ae137bf6e2da397a40f00fedefa2f019f0a1832841df6e1445a2d69
Instruction Fuzzy Hash: 16C02B3630000127C2809530CC43304B721C741A08F48C4785805CF381CF23D803C350

Function 06029EE8 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b1d37d27d6e10a642791418a20f1907ebcada42271d9b7884dfc45ed8c43823
Instruction ID: 8fbefc5eceb86901d1698faf633d79ec625782781f4fc3f1bc50040f9a5b7ff1
Opcode Fuzzy Hash: 8b1d37d27d6e10a642791418a20f1907ebcada42271d9b7884dfc45ed8c43823
Instruction Fuzzy Hash: 52D01261255D0057C311CB24CD17A46B7E19F85245B58CC9D80CDC7297D626E517CB45

Function 06025FB8 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b42eb4a4237f3f300b34101a9c64c7a2a34653e472d88958374a96a308d26003
Instruction ID: 0a79cfcc9f3950630def7aa8d5064f7db411a5ec17eeb1af5eeabda724e68817
Opcode Fuzzy Hash: b42eb4a4237f3f300b34101a9c64c7a2a34653e472d88958374a96a308d26003
Instruction Fuzzy Hash: 8EC012752082209F9244DA08C840C66B3AAFBC8210B14C84EE85083300CBA2EC07CBA0

Function 06171420 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec380425d037252639c0073ac2496995665147d8861d8efa161fa5135962a078
Instruction ID: 9d5ad3f80c6dd6c1d69066dcd801aedecf43b17265d8d96d974301e2330a1db4
Opcode Fuzzy Hash: ec380425d037252639c0073ac2496995665147d8861d8efa161fa5135962a078
Instruction Fuzzy Hash: 24C0923A2002004BC2808620CDC3748EF64DB82A04F98CAE8680ACB399CF23DA0B8661

Function 061735B0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db2f44bbe4a554c931c0fd6384fccdf32aca64fb076bf5608c421f7373763d56
Instruction ID: 89681bdc793c621be63cb39384366f756d4bfd89c8cacaee9b7a94a65798fee7
Opcode Fuzzy Hash: db2f44bbe4a554c931c0fd6384fccdf32aca64fb076bf5608c421f7373763d56
Instruction Fuzzy Hash: 0DC092AF10020187C6808E20ECE7741AB32DF80619F18CAA8640A8B342CE73D8079A60

Function 061732B0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3106b35888495af1c0adfed7bcb0a84f7f2521ad7609fa12387a5bcdb32d55d
Instruction ID: 558af90159cd980518b47d14ef24e5b7f06d7d304b19607eff6f5e0ff1b1b6bf
Opcode Fuzzy Hash: b3106b35888495af1c0adfed7bcb0a84f7f2521ad7609fa12387a5bcdb32d55d
Instruction Fuzzy Hash: FDC0922A10010087C2C08739DCA3754BB60DB80A84FA8C9ACB8088B351CE33DE03C720

Function 06170AF0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bcf3173a38c61adc37c8ed62a98e77ad8689670bc314c3f84293f938799299e
Instruction ID: 6509bdcce27b6a1ede11d189fed7d6f8a2ae71f67cfe9406a4398b39dcded177
Opcode Fuzzy Hash: 8bcf3173a38c61adc37c8ed62a98e77ad8689670bc314c3f84293f938799299e
Instruction Fuzzy Hash: 26C08C7264E2808FC382C228CCA2808BF30CB82204308C0EF9888CF293CA22CC03C310

Function 06173BD1 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c00421973443affc710959890adff8a6c9c1af880ce71a2c24a89f06ca02474
Instruction ID: c6d31c05c1f691de5d84f81ee4454a6d04fe4eb6859e55718fb7f2ce5dcaf836
Opcode Fuzzy Hash: 6c00421973443affc710959890adff8a6c9c1af880ce71a2c24a89f06ca02474
Instruction Fuzzy Hash: 0EC0923A1002044BCA84EA64CC83744BF24DB84A14F58C2B86419CB381CF63D80BC6A1

Function 06173040 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3a18b4f74c0c2e84fe719b61399955e6bf687256cf5fef621723f8b3b579dc6
Instruction ID: 4b743cf5da502dc58bfe418083663d7f2176d5ac5b639c7f27d55fbae873e427
Opcode Fuzzy Hash: e3a18b4f74c0c2e84fe719b61399955e6bf687256cf5fef621723f8b3b579dc6
Instruction Fuzzy Hash: A9C092B62900045BC301F604CD82708B732DB81209FECC49A980CEB393CF2BE917DB81

Function 061729E0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35cf7d91a4c3cb13573f7cb8e85efe17d0c85d09e74529c6ab26f1a56fd644fc
Instruction ID: a9c0806a0a17b706ccdbd566ddbc49b0486dfadad8100a8acd32afc7cbcff0e9
Opcode Fuzzy Hash: 35cf7d91a4c3cb13573f7cb8e85efe17d0c85d09e74529c6ab26f1a56fd644fc
Instruction Fuzzy Hash: 69C09226102100ABCA88C670DDE7741EB20EB99B18F3CD1A8A4088B345CE22EC03D6A0

Function 0602F9A0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9e4536b5ac680188123ddfac0cccda4dae497e4663f123e6157c56e28a2c762
Instruction ID: 42ac4cae6b313e2d5684ce81d6b830d73126c3ab5907db9aff04f6646952f743
Opcode Fuzzy Hash: b9e4536b5ac680188123ddfac0cccda4dae497e4663f123e6157c56e28a2c762
Instruction Fuzzy Hash: B6C09221104200A7D6A18624CDA3788BB71DB8AB09F58C9AAA844CB369CF2ADA039615

Function 06170E60 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49c333c1069c537e73dfec1b035e54dd83e41dbe2b9102a70e4bf28dc4561669
Instruction ID: abe6ec36bc0b9358e9f7eca271412db64abc05e69506de0469f400af3377deef
Opcode Fuzzy Hash: 49c333c1069c537e73dfec1b035e54dd83e41dbe2b9102a70e4bf28dc4561669
Instruction Fuzzy Hash: E9C012301096904BC34ADB28C8C0705BF909F82305F2A88DE90898B686CB72A803CA04

Function 06172EB1 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12f254b803dd837c448125a1728b46dc5f93bf259fb50c9b9b9cbac1b9cb5fca
Instruction ID: 59c4210d1ee0443e371d105bab14a42d8148454b79def7c05d903cc4fc6ca896
Opcode Fuzzy Hash: 12f254b803dd837c448125a1728b46dc5f93bf259fb50c9b9b9cbac1b9cb5fca
Instruction Fuzzy Hash: 25C0926610150187C2408610CD92745B768EB81249F98C6B89856CF392EF63DA039A40

Function 06170471 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1256d45575f9066d6a6c5cf55eff847bda167aa3d53bb631977be103e6886e9
Instruction ID: 9db3c495d434c8f03bc907d588d098dffad5e8ab07777ff846a3c5534a141d95
Opcode Fuzzy Hash: d1256d45575f9066d6a6c5cf55eff847bda167aa3d53bb631977be103e6886e9
Instruction Fuzzy Hash: F8C09BA55091406FD703D710CC914057F315FC5515729C0D9E445AF756E737DC87C751

Function 061722D8 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1c9f6f7ed09a3646b8082a243533167cd8b28f1e58d98e3bfd38f9c68897995
Instruction ID: 7a01e11aa1737e4f19fb9e220f94211491b4262c4b954bc0e8c5806335c37630
Opcode Fuzzy Hash: c1c9f6f7ed09a3646b8082a243533167cd8b28f1e58d98e3bfd38f9c68897995
Instruction Fuzzy Hash: 77C08CD244E28057C341A738CDB18457F706EA22A470989DA848A8F0DBCF219A2ACB10

Function 06171B32 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8fcccf0e6be2379d6e6053272f54ee8062772843aef1cb8bd8ae8f8d0302a8d
Instruction ID: f8ac070e6deee90ff68322bec0112e8a47604a9559e0d51fe4fe7cf996af2917
Opcode Fuzzy Hash: e8fcccf0e6be2379d6e6053272f54ee8062772843aef1cb8bd8ae8f8d0302a8d
Instruction Fuzzy Hash: 60C09B6750110057C744D660CD43740E730D741654F5CC5645419C7355DE13DC03C9A0

Function 0602E598 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fbcb63472128d0a210ea9036b863d07e77fffc7870fc97c2ca3b239b1a2b54e
Instruction ID: 39a73c9bbe3c0ed7792a8b53aabb37d2f4b2636dfcf14e288d4917beaa58d51d
Opcode Fuzzy Hash: 7fbcb63472128d0a210ea9036b863d07e77fffc7870fc97c2ca3b239b1a2b54e
Instruction Fuzzy Hash: 35C04C753415025BD354C618C851A26F7A6DFD8315F14C47D6449C7759DE36DC03D614

Function 061706B0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e6bca23eabf03638478ca6c74703adc22f2b83c856307fd8cda42cb0fee466f
Instruction ID: 96ed61cd659729cddace470085e5a372cdf8aa45515e50b5beefe711df309708
Opcode Fuzzy Hash: 8e6bca23eabf03638478ca6c74703adc22f2b83c856307fd8cda42cb0fee466f
Instruction Fuzzy Hash: D9C04C74100600DBC225CA24C555B42F7E0FF40329F26CC5DD456CB246CB72A806DA05

Function 06029EF8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16581dba91a5fda841cf47983153eb36e4fc24851952f78b75638f70de6cde10
Instruction ID: 60a72056a403d9f31dd85fef4a7a76d12bb133d0d450fb6ef353260f5a4d9492
Opcode Fuzzy Hash: 16581dba91a5fda841cf47983153eb36e4fc24851952f78b75638f70de6cde10
Instruction Fuzzy Hash: 0BC09274300100AF8348CA18C895C26F7E6EFD8214B24C46DB84DC7365EF32EC03CA10

Function 0602AC58 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16581dba91a5fda841cf47983153eb36e4fc24851952f78b75638f70de6cde10
Instruction ID: 60a72056a403d9f31dd85fef4a7a76d12bb133d0d450fb6ef353260f5a4d9492
Opcode Fuzzy Hash: 16581dba91a5fda841cf47983153eb36e4fc24851952f78b75638f70de6cde10
Instruction Fuzzy Hash: 0BC09274300100AF8348CA18C895C26F7E6EFD8214B24C46DB84DC7365EF32EC03CA10

Function 06170FC0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdfec89ecf4d227c2e3f2741df1fca2c4e7a0756e2f1ba050c9a008d3bdc9887
Instruction ID: e80b9cbb32ce7aa80f269217a2acaa4f8c5de131eb2df65f765f3a476441bad2
Opcode Fuzzy Hash: cdfec89ecf4d227c2e3f2741df1fca2c4e7a0756e2f1ba050c9a008d3bdc9887
Instruction Fuzzy Hash: 3DB002747054005B8748D65DD951515A7D29BC9215728C4AD641DC7355DE22DD039644

Function 0602FB51 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 097994d8bb8bcbdfb61acbf4a34acf5f76a48018ba4b42041c1265cb679810a5
Instruction ID: 7f4540f073ca95a9c614968db48b42dca208c4394c52333c4e96e916d41c409e
Opcode Fuzzy Hash: 097994d8bb8bcbdfb61acbf4a34acf5f76a48018ba4b42041c1265cb679810a5
Instruction Fuzzy Hash: 29C02B604052804BC301C3108C510007F211B4700970F44DEE0899B083CB00CE44C341

Function 0602FC5A Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4ee693e57ae749216da5a0a46d964b043b93b1dd40267dfa8d04c337cf6cfff
Instruction ID: 25f4b59391525c67e6090d253ab4925db0c73bec31285503dceda00f2c0e9684
Opcode Fuzzy Hash: a4ee693e57ae749216da5a0a46d964b043b93b1dd40267dfa8d04c337cf6cfff
Instruction Fuzzy Hash: 60B011302000008BC280CA20CCC2800B320EF8020ABA8C8A8A8088B302CF23E8038E80

Function 0617A580 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44

Function 0617A2A0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44

Function 06172850 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44

Function 01350940 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3775880178.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6eb87bf267acfa7efd6c9912e1b79a75f2e7fe12090ebd379c4c5176fd6d5e0
Instruction ID: bc1463b00dd638fc2e4625ae4ac69f05058d9450edc8bc857f5524e93212d23c
Opcode Fuzzy Hash: c6eb87bf267acfa7efd6c9912e1b79a75f2e7fe12090ebd379c4c5176fd6d5e0
Instruction Fuzzy Hash: 4190023604460C9B4D602B95740D5997B5CA6446267801051E90D515056A5569508695

Function 06179722 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 584a3913bed7d41f6751d29dc0af2e109adf5df94d8de11209de24b86f245c04
Instruction ID: 2108930940694c1c8b8ad4272d9396267f2db374b9021a0985f6588530823504
Opcode Fuzzy Hash: 584a3913bed7d41f6751d29dc0af2e109adf5df94d8de11209de24b86f245c04
Instruction Fuzzy Hash: 6BA002742010009BC644DB54C991814F761EFC5219728C4DDA8198B256CF33ED03DA40

Non-executed Functions

Function 06173D75 Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

@, xrefs: 0617411C

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 9820713e4dac0ca8aab7ace62cc58c19bf262e197f7da549165c7764272d5c3e
Instruction ID: bc523a15bf52b228a4d3c1c6a97e387188e5e246f3dfc1e02f7a405cdea4f038
Opcode Fuzzy Hash: 9820713e4dac0ca8aab7ace62cc58c19bf262e197f7da549165c7764272d5c3e
Instruction Fuzzy Hash: EB91CA74301124CFD644FB22FD64AAB73F6FF88214B554A69D806AF29CDB30AC65CB85

Function 0602A048 Relevance: .7, Instructions: 675COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 542b72f0f4b3ecd2cb2832efc132c02e8ce4b1a5fafb32b674fe8fcfbd0f7deb
Instruction ID: 3617eb039da03c9b4c1b2d60e268fcae53ae6fd65d39d3e412bcbda3c8edb4ff
Opcode Fuzzy Hash: 542b72f0f4b3ecd2cb2832efc132c02e8ce4b1a5fafb32b674fe8fcfbd0f7deb
Instruction Fuzzy Hash: 42521D34B012248FDB55FF65E894AADB7B2FF89300F1086A9D40A6B365DB30AD95CF50

Function 0602BF60 Relevance: .6, Instructions: 646COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbc8590e2c68ca42f7d3c387bfd1c96b923fb849158ef68c960dbe8e0eeae1c
Instruction ID: c4f8ad31d227793514fbff0559ad9a3633bf78b2b17964e5721bc573e1ef181c
Opcode Fuzzy Hash: 5cbc8590e2c68ca42f7d3c387bfd1c96b923fb849158ef68c960dbe8e0eeae1c
Instruction Fuzzy Hash: C4522D34B012249FDB44FF65E894AADB7B2FFC9200F1096A9D40A6B365DB30AD55CF50

Function 0602A039 Relevance: .6, Instructions: 621COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8bff54402dba017d7fd04121fedd0573e453127bc6fdeb686f4b3e0c46a6b8b
Instruction ID: 9447f5a543a1b1e8a115f247c2293220c01799e868bd092ef7086f32b4007750
Opcode Fuzzy Hash: d8bff54402dba017d7fd04121fedd0573e453127bc6fdeb686f4b3e0c46a6b8b
Instruction Fuzzy Hash: 3A421C34B012249FDB54FF65E894AADB7B2FF89200F1086A9D40A6B365DF30AD95CF50

Function 0602BF50 Relevance: .6, Instructions: 599COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0e41825cc785e3b2426154b880213a22d000a9aebbfb6ac8cae97be25ee74ec
Instruction ID: 43855e865c5aae1418f8048827e53843e687eeb652d5350f22b21ed42d2a1f60
Opcode Fuzzy Hash: a0e41825cc785e3b2426154b880213a22d000a9aebbfb6ac8cae97be25ee74ec
Instruction Fuzzy Hash: 58422C34B012249FDB44FF65E898AADB7B2FFC9200F1096AAD4066B365DB30AD55CF50

Function 01351C87 Relevance: .6, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3775880178.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccdd20a43c7c09689c4a5529e3ee45bf6d7bdc2e50ff69b2d92fbd46ab362bfb
Instruction ID: 87bb1a7df8714fc54979141318e06d6bba0adcb21da05d1c28f7ebda0dc0438f
Opcode Fuzzy Hash: ccdd20a43c7c09689c4a5529e3ee45bf6d7bdc2e50ff69b2d92fbd46ab362bfb
Instruction Fuzzy Hash: 4732F4F2D283548FCB86CF74D48429ABBB1FF5172478689AED444E6542F7769843CB80

Function 01351BFE Relevance: .6, Instructions: 572COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3775880178.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1add6777803a35003d74ee1702246d0579f15d8df58884511a6ad296b7bf0e89
Instruction ID: da9bd1e7514eb962b53af27a0370f9bf36add421a53125579943ff16b2f8fd6c
Opcode Fuzzy Hash: 1add6777803a35003d74ee1702246d0579f15d8df58884511a6ad296b7bf0e89
Instruction Fuzzy Hash: F43204F2D283548FCB86CF74D48429ABBB1FF51724B8689AED444E6542F7769843CB80

Function 01351C3D Relevance: .6, Instructions: 572COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3775880178.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 473d1173ebbe75bbb16e9f74ae4ce2914b0d9c07c5917e892f0bd90451d03048
Instruction ID: ef41024d0d174f54022f682f90f4c4fc4cbd09476d0c96f6273a6898dd9e103a
Opcode Fuzzy Hash: 473d1173ebbe75bbb16e9f74ae4ce2914b0d9c07c5917e892f0bd90451d03048
Instruction Fuzzy Hash: 3D32F4F2D283548FCB86CF74D48429ABBB1FF5172478689AED444EA542F7769843CB80

Function 01351C26 Relevance: .6, Instructions: 572COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3775880178.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf2815c73d0dde9ecc23936e64b2dcd0084ebc24c5247f672962cbd8e4cb47ef
Instruction ID: e10646efd358f4c1b59fdf245e22934e6466971d56659616ab1526b4a2decdda
Opcode Fuzzy Hash: cf2815c73d0dde9ecc23936e64b2dcd0084ebc24c5247f672962cbd8e4cb47ef
Instruction Fuzzy Hash: 653204F2D283548FCB86CF74D48429ABBB1FF51724B8689AED440E6542F7769843CB84

Function 0602DCA8 Relevance: .4, Instructions: 419COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 574bb8797d3e9357ae6108d06f5f466a5d89503331cddf068d578c23381a4519
Instruction ID: a8a6af7848528b615957a2f69168ba917e4397f1dc9605938ba7372ded63bc6f
Opcode Fuzzy Hash: 574bb8797d3e9357ae6108d06f5f466a5d89503331cddf068d578c23381a4519
Instruction Fuzzy Hash: 22028E74B412268FDB94DFA8C49462EFBF1FF88300F108629D5569B385DB30E952CB91

Function 06028590 Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa110437bea823bdca48c337acb4cced536817604e2b1d2bbc32c66fd29102aa
Instruction ID: e16a12b55bdc6d707050338028ff2e87b3d1ea987bee55cd85abab54c2d82653
Opcode Fuzzy Hash: fa110437bea823bdca48c337acb4cced536817604e2b1d2bbc32c66fd29102aa
Instruction Fuzzy Hash: 37F1FF34B11224AFDB45FBA5E898AAEB7B7FFC8300F148519E8056B398DB306C55CB54

Function 01353D92 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3775880178.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 209ac3c10be9defcf10ce483d37672dbd6cc604b7e684f7baf498d70823b21ac
Instruction ID: f0eae526fbb4e988c30843df9d39e79dac7000a1009b60194ecd44f5f40f2677
Opcode Fuzzy Hash: 209ac3c10be9defcf10ce483d37672dbd6cc604b7e684f7baf498d70823b21ac
Instruction Fuzzy Hash: 0CE171F3C683548BCB96CF30D445192BBB1BB217243C788EEE485A9442F6779853CB85

Function 06028580 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81a815e4731273eaea207200b7e363a970a8dac8aecd8adef41539be9b49d0ff
Instruction ID: eabea2e60b5405390d87439bff0f3132fd56ec935144b884a50e1fbce5f2969f
Opcode Fuzzy Hash: 81a815e4731273eaea207200b7e363a970a8dac8aecd8adef41539be9b49d0ff
Instruction Fuzzy Hash: 54D10F34B112249FDB45FBA5E898AAEB7B7FFC8300F14C519E805AB398DA306C55CB54

Function 06176153 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c561c65ac55ae47143407900c909dec47103e2d64f6c0238cd7099e42d18fd5f
Instruction ID: 2610dd4c3041d2167939a9025afe1152a73828610c544627a3c20369fd73d74f
Opcode Fuzzy Hash: c561c65ac55ae47143407900c909dec47103e2d64f6c0238cd7099e42d18fd5f
Instruction Fuzzy Hash: FEC1EE347011558FC754EB69E9A9B6B77F2AF88300F1585A9D80AEB389DF349D42CF80

Function 0617615C Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 526cbc14fe6f1ceba95b0f8723fa8e319aa213fc8aa96bb78e6ffee898574642
Instruction ID: 6b8302e09c74d1b622cd78c8a62da281108c899e3d7b8f6a39487e09f71abe75
Opcode Fuzzy Hash: 526cbc14fe6f1ceba95b0f8723fa8e319aa213fc8aa96bb78e6ffee898574642
Instruction Fuzzy Hash: F7C1EF347011558FC754EB69E9A9B6B77F2AF88200F1585A9D80AEB389DF349D42CF80

Function 06023488 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3782984071.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91afdefdf16f49a848e7be0d6ca416018cb44f85235b6e46726844938cb8e5ff
Instruction ID: 09e52495c0ff176791be4dc6d5c7709ba0881fbb46a19b2166e56b5e40de9c9b
Opcode Fuzzy Hash: 91afdefdf16f49a848e7be0d6ca416018cb44f85235b6e46726844938cb8e5ff
Instruction Fuzzy Hash: 18A131347022159FDB54FB25EC98A7E77A3EFC8250B548625DC06AF398DB30AD22CB51

Function 013542F8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3775880178.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a77db31eb3dd86e21789acef63e9fc32f96a870a509222d2d87b792f61f81f7
Instruction ID: 23e55f20096b5c28d2878aadfcb349271ad5e6651fa70f6cdfac1e22196ae4bb
Opcode Fuzzy Hash: 5a77db31eb3dd86e21789acef63e9fc32f96a870a509222d2d87b792f61f81f7
Instruction Fuzzy Hash: 1AB18171E101698FDB55CFA9C980AADFBF1FB44704F188569D455E7602E730ED82CB90

Function 0617623D Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783187860.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5810c79d456459bfb3703c68fa027dd10e107fef8f93fee2938a0e2845561db
Instruction ID: 06099b958b83fef94f3b2447ee4fe0d93e9706dcb7ac77a709b533904c6f58e9
Opcode Fuzzy Hash: d5810c79d456459bfb3703c68fa027dd10e107fef8f93fee2938a0e2845561db
Instruction Fuzzy Hash: 6FB1D0747011558FC754EB69E9A9B6B77F2AF88200F1585A9D80AEB389DF309D42CF80

Function 013515A8 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3775880178.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56c137267512ef1e0334ba7808e323f00678bcb0f7fde794196536491a1472ca
Instruction ID: bc0bf499a5846db2ed8df90429834f7ef43b3eff604a082e435277bd70b70d66
Opcode Fuzzy Hash: 56c137267512ef1e0334ba7808e323f00678bcb0f7fde794196536491a1472ca
Instruction Fuzzy Hash: B8613F74A00258AFEB19EF7BF84469E7BE3BFD8210B04D16AC0459B26CEB345905CF54

Function 013515B8 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3775880178.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5470da54f5c94dfa342e40b8a1059e93632557ca26c8358e8d20eb9bda53de42
Instruction ID: 2d20a6323e4cdef6f6d15f695e9fc67e45d08b65788eeeb52bd711830e625396
Opcode Fuzzy Hash: 5470da54f5c94dfa342e40b8a1059e93632557ca26c8358e8d20eb9bda53de42
Instruction Fuzzy Hash: CB512D74A00254AFEB19EF7BF84469EBBE3BBD8210F04D22AC0459B268EB3559058F55

Analysis Process: powershell.exePID: 7616, Parent PID: 7508COMMON

Executed Functions

Function 04257A88 Relevance: .6, Instructions: 570COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1349005649.0000000004250000.00000040.00000800.00020000.00000000.sdmp, Offset: 04250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4250000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06781c74167c433ec71856a5f05a9dd228e78819bcd4ae40104e2864f831b891
Instruction ID: 5b708fa6a8b5617119b68c339a0b9b5f02ad969fdcce8dd5e646499b1b353d45
Opcode Fuzzy Hash: 06781c74167c433ec71856a5f05a9dd228e78819bcd4ae40104e2864f831b891
Instruction Fuzzy Hash: 3032E434A11219AFDB15DFA8D484A9DFBF2FF88314F258199E805AB361C771ED81CB90

Function 042590D8 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1349005649.0000000004250000.00000040.00000800.00020000.00000000.sdmp, Offset: 04250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4250000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ceb62501dbd08ed01189192a2e4b3a6e259e571de7e6b8cb098fc552713e314
Instruction ID: bb1d5bb621c733f04e6affd5b8f934d1b7a7c2273593e859a94d4ffad2c8f826
Opcode Fuzzy Hash: 8ceb62501dbd08ed01189192a2e4b3a6e259e571de7e6b8cb098fc552713e314
Instruction Fuzzy Hash: 10D1F674A11219EFDB05DF98D484A9DFBB2FF88320F258169E805AB365C771ED81CB90

Function 042529F0 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1349005649.0000000004250000.00000040.00000800.00020000.00000000.sdmp, Offset: 04250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4250000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60a4141e623ca59a70761890d33ef30510212fb2a75e17e12fdf18ecf219fcfb
Instruction ID: a405f4805c25d4b49e61cc2e28f6ed6535f22b237347a9d0aeb2eb86bc25a6c2
Opcode Fuzzy Hash: 60a4141e623ca59a70761890d33ef30510212fb2a75e17e12fdf18ecf219fcfb
Instruction Fuzzy Hash: E8916B74A00206CFCB15CF58C494AAAFBB1FF88310B258599D915AB3A5C736FC91CFA4

Function 04256BE8 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1349005649.0000000004250000.00000040.00000800.00020000.00000000.sdmp, Offset: 04250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4250000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d48bfaf5858a423e897f1f80f666dd2ec3a5d0e94053254c1f72332e8f2c459
Instruction ID: f53d588ae42581280fbbfbc3528f9a34a609093ee76ea54e25bdd54bea051f6d
Opcode Fuzzy Hash: 6d48bfaf5858a423e897f1f80f666dd2ec3a5d0e94053254c1f72332e8f2c459
Instruction Fuzzy Hash: 9D617B34B11204DFCB04DF69D484E9EBBF6EF88310B5580A9E819AB321DB31EC45CB60

Function 06FF1820 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1353745461.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6ff0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e48bc62319b292e505e86f50227a64d94ee8e16ef1a8752ab6c5e63da29466f
Instruction ID: 3e6affde856da2ee71c2c4249e491746cc7471857bf697b55a931f87c7b0634b
Opcode Fuzzy Hash: 6e48bc62319b292e505e86f50227a64d94ee8e16ef1a8752ab6c5e63da29466f
Instruction Fuzzy Hash: 5751E331F24214CFEBA4DBA985117BBB7A29F81615B14807AD6059B368DB32CD41CBE2

Function 04259668 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1349005649.0000000004250000.00000040.00000800.00020000.00000000.sdmp, Offset: 04250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4250000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2813b9339e7c54b53df5d9e745003e27e5ef6dc32f605e6e48fd10a0fc9a3f17
Instruction ID: 948e6f63095161adf85fc06cab216f5e989f55ee4fa286beeb8d434169731652
Opcode Fuzzy Hash: 2813b9339e7c54b53df5d9e745003e27e5ef6dc32f605e6e48fd10a0fc9a3f17
Instruction Fuzzy Hash: 58513C74A01208DFCB14DFA9D4849DEBBF5EF89320B15859AE805A7321D731ED45CBA0

Function 06FF1805 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1353745461.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6ff0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd42abd1d9f925a8ea6babc86a41605717e4cfe3b26320a8dbb797b714f235c
Instruction ID: 7f59333b8d1e2ee11e7436a9d834e0496239731f3121d1dbcb8979954e8c91f4
Opcode Fuzzy Hash: 8cd42abd1d9f925a8ea6babc86a41605717e4cfe3b26320a8dbb797b714f235c
Instruction Fuzzy Hash: F541D431F14200DFDB70CF558641ABA7BA2AF81214B5580AAD6449B269DB31C941CBB2

Function 042575E0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1349005649.0000000004250000.00000040.00000800.00020000.00000000.sdmp, Offset: 04250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4250000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e07f4d9c42cfd28c3d6923c029a93b4598fd7ca98de158a93cc40bbfae2ee2a
Instruction ID: b99b46db6142384228235ab94ad471068e3e643b6968712a3df391fe6f4d1716
Opcode Fuzzy Hash: 2e07f4d9c42cfd28c3d6923c029a93b4598fd7ca98de158a93cc40bbfae2ee2a
Instruction Fuzzy Hash: B631C674A0A3959FCB02DF6CD8909DABFB4AF4A210B0541C7D445DB363C234ED45CBA5

Function 042590C8 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1349005649.0000000004250000.00000040.00000800.00020000.00000000.sdmp, Offset: 04250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4250000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a838069a6d09e67ce0dad07a338a5071a831163325c3981d9d94fca61cca4409
Instruction ID: 15d7a87980fc1469731e7527b76bdceb8518c31effc653ed2e2ae00d91cf42e2
Opcode Fuzzy Hash: a838069a6d09e67ce0dad07a338a5071a831163325c3981d9d94fca61cca4409
Instruction Fuzzy Hash: 5F211974A0021AEFCB04DF49C9849AAFBB5FF88310B158565E809EB361C731FC91CBA0

Function 04257DC8 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1349005649.0000000004250000.00000040.00000800.00020000.00000000.sdmp, Offset: 04250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4250000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07242409a6188ac55a11e10d4b917658ae4ab9902e5510bb4685951fd0f94c62
Instruction ID: 9a34fc337d1daeb5ee2180589466d607d0b5e8aad6d19828fdf67209168b0ed6
Opcode Fuzzy Hash: 07242409a6188ac55a11e10d4b917658ae4ab9902e5510bb4685951fd0f94c62
Instruction Fuzzy Hash: 0E21E574A0060A9FCB04DF48C584AAAF7F5FF88310B258555E919EB755C731FC91CBA0

Function 042575D1 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1349005649.0000000004250000.00000040.00000800.00020000.00000000.sdmp, Offset: 04250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4250000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18481b302b6ac61d3a0800de8ad0a935cd270445cc668f8a70f97b798b1ea812
Instruction ID: be573b339033cef0a3d602e1e88816e2d5a819129511194f4a042bdf8724c602
Opcode Fuzzy Hash: 18481b302b6ac61d3a0800de8ad0a935cd270445cc668f8a70f97b798b1ea812
Instruction Fuzzy Hash: 67212E74A01215DFCB05DF98D8809AAFBB4FF89310B158599E819EB352C331ED41CBA1

Function 0089D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1348629384.000000000089D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0089D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_89d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d779246bd171d1d59ba985eab4276fc22957fd822fbdbc10a7be059999fc75dc
Instruction ID: 6d12d56e167e3d4aa90c1e6c4aaa2fb06e1c168a2efb00d8d22a1cd72d874f7c
Opcode Fuzzy Hash: d779246bd171d1d59ba985eab4276fc22957fd822fbdbc10a7be059999fc75dc
Instruction Fuzzy Hash: 3D01A771509744AFEB209A25CC847A7BBD8FF41374F1CC519ED488B142C2799841CABA

Function 0089D01C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1348629384.000000000089D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0089D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_89d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9808cb16bded601152ef81b59231605fe39ee19f124d3a7fc1c4520e3d4898f0
Instruction ID: 5130e2ab398fc8e74584f413632152bd651e036e9453f8fdcec99560053d2aea
Opcode Fuzzy Hash: 9808cb16bded601152ef81b59231605fe39ee19f124d3a7fc1c4520e3d4898f0
Instruction Fuzzy Hash: 4FF0C272409340AFEB208E16CC84BA3FFD8EF51334F18C05AED484E282C3799840CAB1

Analysis Process: G6hxXf90i5.exePID: 7880, Parent PID: 3504COMMON

Executed Functions

Function 02A31830 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1606397200.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a30000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d42ccd5bf78980bffba69269b588a036c2f764644212861f18f14cbce8e30b
Instruction ID: f6715f35301656dd84f4e799ab2681eb0e9d0c9114564441f0bc283f5ba36ca4
Opcode Fuzzy Hash: 12d42ccd5bf78980bffba69269b588a036c2f764644212861f18f14cbce8e30b
Instruction Fuzzy Hash: C6A1CE74A00214DFCB15DF69D594A99BBF2FF88714F158169E409AB3A4EF70EC01CBA0

Function 02A31119 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1606397200.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a30000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3394a6e5fb7a0fe961b89019c2f8bf07bec183095fe537e73c06579b68d4a36e
Instruction ID: 518ff1021d5fe2fffb2acc754e5c1429679e2341fd2a6d0c741859824117d3b4
Opcode Fuzzy Hash: 3394a6e5fb7a0fe961b89019c2f8bf07bec183095fe537e73c06579b68d4a36e
Instruction Fuzzy Hash: FB21B270B002008FC755DB78D958AAA7BF5AF89314B044468F406DB3A5EF70ED05CBA1

Function 02A31138 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1606397200.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a30000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76081eb392e60c67ed225e76a578a2846d305d3a91d0e63b30d923deab0a0aa9
Instruction ID: 2e0f3ba616cf23ce546273690f897985e1cbe0faee4babe80be28acd323a54e5
Opcode Fuzzy Hash: 76081eb392e60c67ed225e76a578a2846d305d3a91d0e63b30d923deab0a0aa9
Instruction Fuzzy Hash: 9F219C30B00204DFD755DF65D958BAABBF5AB88714F144868E50ADB394DFB0AD04CBA0

Function 02A30898 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1606397200.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a30000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 723cc9a22db764a783e1a6ad585e16da44ef467b70d29bf1723fefa62fe0acf3
Instruction ID: cfaa2f698e31337d0e3c06973bd9227d14f5f98f21ac15cc16be669305653be8
Opcode Fuzzy Hash: 723cc9a22db764a783e1a6ad585e16da44ef467b70d29bf1723fefa62fe0acf3
Instruction Fuzzy Hash: 04F0A030504309FFD746DBB0DA509ACBBF5FB062047500099E406D7215DB326E04DBA5

Function 02A30861 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1606397200.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a30000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61ff43ab9686c56d9bcbf0a7657691579a62378026d9d354078a73fc09d5e968
Instruction ID: 683f509f17199c0833ecd9a39a3ca8abd1c25b43028c53800810fe79b00252de
Opcode Fuzzy Hash: 61ff43ab9686c56d9bcbf0a7657691579a62378026d9d354078a73fc09d5e968
Instruction Fuzzy Hash: 2AE0B62100E7C15FC3138B788D604813FB0AD4720835E09CBC080CF6A3D66AA918D752

Function 02A3124F Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1606397200.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a30000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c3e236ab913a7b0878018e5f743a923dfcdd5d744f274ff1514057d095da95d
Instruction ID: 018aa6f52c1a9fbcb12a7aab462039e3baa702f7fd8a109d2f83dcb791b2a16f
Opcode Fuzzy Hash: 3c3e236ab913a7b0878018e5f743a923dfcdd5d744f274ff1514057d095da95d
Instruction Fuzzy Hash: 4AE0C772B00200CFC3A19FBCC4088887BF5EF0A27034100B6E846CB232EA349C028B91

Function 02A308A8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1606397200.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a30000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feb2ad931cb1fd744596226ba8ca6b81c5eecb6b38df0480eef43b6c3e80a314
Instruction ID: c5200c3574abbb45bff780bbbbc167520bbda55455de649040897d5ba4c7f609
Opcode Fuzzy Hash: feb2ad931cb1fd744596226ba8ca6b81c5eecb6b38df0480eef43b6c3e80a314
Instruction Fuzzy Hash: 92E04F7090430DEFD745DBA0D61055CB7F5FB446047404568E40A93204EF311E00DBD5

Function 02A30C66 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1606397200.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a30000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0956ba2b3c7e648591eaba27bff3e09e0bad708efde4b07289205bf3d2f73597
Instruction ID: a1f854bd1921799998e8329124b8b1407e4b1708b9bfe5c0a23fa8f6af7f0e1a
Opcode Fuzzy Hash: 0956ba2b3c7e648591eaba27bff3e09e0bad708efde4b07289205bf3d2f73597
Instruction Fuzzy Hash: EDE08634608615CED3129F149814BA776F8FB05329F9602B9F5FB67652EB309C02CB56

Function 02A31BDC Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1606397200.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a30000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05d9c20e6ddc9becc7ce1db1a71b34ad0c8121cd85959ce2ae32ffeb9d4d0f32
Instruction ID: ca7bd5429a9de7bdcff22289c9e57877e1fcb295f236a629c9e14113b574e3ed
Opcode Fuzzy Hash: 05d9c20e6ddc9becc7ce1db1a71b34ad0c8121cd85959ce2ae32ffeb9d4d0f32
Instruction Fuzzy Hash: 8AD0A938E04244EBCF0A2F94E8004BC7232FF89302F108C68F502A2294CB368DA8CB04

Function 02A30932 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1606397200.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a30000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3784fff6bb7459af450cc9084bf16eed43417e4c48f8271cc14e703915bc8318
Instruction ID: cde6d6c81866b376840eabdd865e95a172da4012f64a064a8e9ebd1212245da8
Opcode Fuzzy Hash: 3784fff6bb7459af450cc9084bf16eed43417e4c48f8271cc14e703915bc8318
Instruction Fuzzy Hash: 8CD0123298D384EFCB568B3098688843FB0AF83318B2840DFD045CA1A6D3A25900CB12

Function 02A31290 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1606397200.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a30000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f03f76eda91a344d8ea2f47b05e485cfed194a28a450c69599e80cf72a23d1b1
Instruction ID: abb55cc56345fe13f4160ec2399ec7e923d5ccf1966f6d4872df99809e9f6662
Opcode Fuzzy Hash: f03f76eda91a344d8ea2f47b05e485cfed194a28a450c69599e80cf72a23d1b1
Instruction Fuzzy Hash: 0CC02B3000024C33C60050A6CC48F43BFBCC389380F0040307904522449D50351080F1

Function 02A30940 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1606397200.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a30000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b3b7766e830d3a907a4ac1911f3a9cb3c054741b16c299ed315558f82841fbe
Instruction ID: 40a2bbe7f0918fd99c4f5324fada18f67c0e8d139be5ececee0aa8e199c790b4
Opcode Fuzzy Hash: 4b3b7766e830d3a907a4ac1911f3a9cb3c054741b16c299ed315558f82841fbe
Instruction Fuzzy Hash: C290023514460C9B4958279574095957B5C95446267800061A51D4150D5B556A90CA95

Analysis Process: G6hxXf90i5.exePID: 8024, Parent PID: 3504COMMON

Executed Functions

Function 00DA1830 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1688905311.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_da0000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b262f06477bf7bdd2115e3d241df9922e44a2a5cc3ff741f47d07b830dcb248c
Instruction ID: 23fda259c7a912d07de266b2a16bb533a5cb8cefd654993693ff1bb39151448f
Opcode Fuzzy Hash: b262f06477bf7bdd2115e3d241df9922e44a2a5cc3ff741f47d07b830dcb248c
Instruction Fuzzy Hash: 23A1AE78A00A049FDB15DF6DD554A9ABBF2FF89710F1581A8E405AB3A1DB71EC01CFA0

Function 00DA1281 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1688905311.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_da0000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88fcd0c0cf97441956801fa19777631cb13fbc6a50f29d37a9aba7f92aea8de3
Instruction ID: 469e7e1068faaa228646f4fa56cc9f09dfefa13e5c10d3b36f087cbeef15a090
Opcode Fuzzy Hash: 88fcd0c0cf97441956801fa19777631cb13fbc6a50f29d37a9aba7f92aea8de3
Instruction Fuzzy Hash: 93511F74B00214CFDB44EFA9D499AADBBF2BF89710F254069E506DB3A1CE759C01CB64

Function 00DA1290 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1688905311.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_da0000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9765435814e0c938a27cb75a9892517330dfabe290494cdf4079a82ab77247f0
Instruction ID: 0ae0bd15c5ccab2eba348b106c0d247e41c9bf632a4e5d5e2defe2f65299f742
Opcode Fuzzy Hash: 9765435814e0c938a27cb75a9892517330dfabe290494cdf4079a82ab77247f0
Instruction Fuzzy Hash: 60511F74B00214CFD744EFA9C499AADBBF2BF89700F254069E506EB3A1CE749C01CB64

Function 00DA1138 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1688905311.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_da0000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d95fb3a944028164d42e3a2b65618ecf7bdac5b512975fae63a8ac92ed33343
Instruction ID: 4a831ff6d08543158696980911aebb42197c611e10dc1bc175ea1c58e9499486
Opcode Fuzzy Hash: 2d95fb3a944028164d42e3a2b65618ecf7bdac5b512975fae63a8ac92ed33343
Instruction Fuzzy Hash: 5A215A38B007049FD714DBA9D959B6A7BF5AB89350F1444A8E506DB3A4DBB0DD008BB0

Function 00DA1127 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1688905311.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_da0000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b980917e41956605d65eadf64203f07c77ddd5eade2f218fd9fb11300510ace
Instruction ID: 0e5db4c963f0956682a29d59ef32a86c0d3dd313f483f5a7b2655d801e0a4051
Opcode Fuzzy Hash: 2b980917e41956605d65eadf64203f07c77ddd5eade2f218fd9fb11300510ace
Instruction Fuzzy Hash: 25218B747007009FD715EB79D859A6A7BF1AF89720B1444A8E906DB3A4DBB0DD008BB1

Function 00DA0898 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1688905311.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_da0000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 407a02f5c8121ebf30ca98ca4527d8160133abd455788069a63dc7df22e8f23f
Instruction ID: 52f48e7238da7103464a96b90e65a99d5bbf5f73e6847b11d15fd90a2c8a4217
Opcode Fuzzy Hash: 407a02f5c8121ebf30ca98ca4527d8160133abd455788069a63dc7df22e8f23f
Instruction Fuzzy Hash: 30F0E5B1905708EFE742EBF8EC315AD7BB4EA023007200295D846D3281D6B16F00ABF5

Function 00DA0861 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1688905311.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_da0000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fd4f4393e57986f59da49356ef6dddf7fb0dbbd14056572a8bcec121b9152d7
Instruction ID: d5a282b044ec5bee4936b5e2398ebb3641e8111a0882289f7c420e68352a213d
Opcode Fuzzy Hash: 2fd4f4393e57986f59da49356ef6dddf7fb0dbbd14056572a8bcec121b9152d7
Instruction Fuzzy Hash: C5D048C680FBC05EE7A312749C340A5BFB0A86721538E06CB88C0CA1A3A0CE0A1D9336

Function 00DA124F Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1688905311.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_da0000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1a2f947208b364cbed6514dce5d4ca0a0756f74b69348f95591557b3d50185c
Instruction ID: 6eebdd00747023eec92f7edb16b50b00c6e0c0fb2a94d42ad8370dbdf67024cc
Opcode Fuzzy Hash: a1a2f947208b364cbed6514dce5d4ca0a0756f74b69348f95591557b3d50185c
Instruction Fuzzy Hash: 30E0C237B087408FC3025BB898188C43FB0DF571B131100E3E841CB372D6204C02C7A1

Function 00DA08A8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1688905311.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_da0000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3bdecbce1a9d4541f7db469730e33f76439b4144126df6bf0f588c648dfe388
Instruction ID: acd6c2ee78e7f328d9a840e81207b7f8353624b60fe915bc331c6325235b8d05
Opcode Fuzzy Hash: c3bdecbce1a9d4541f7db469730e33f76439b4144126df6bf0f588c648dfe388
Instruction Fuzzy Hash: 33E0867090470DEFD701EFF8E92155DBBB4EB023017500198D806D3384DA306E00ABF5

Function 00DA0C66 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1688905311.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_da0000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f39034763ffa552e308ca69fc4e0e949f32c750b3815aeb4822702d53cdbeb97
Instruction ID: 5b14e76e51d4941318c6a8a8c329cceb749b8d6371391ca3363af2680c99e1c1
Opcode Fuzzy Hash: f39034763ffa552e308ca69fc4e0e949f32c750b3815aeb4822702d53cdbeb97
Instruction Fuzzy Hash: B3E04F34508611CFD3119B149814BA77EA8BB0B316F9A06A9D4E6A7652D324D802AB76

Function 00DA0931 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1688905311.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_da0000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14705d78dc1e97449e5de0d08eee3d9b84e6f5984fa530a640f1d6002cc873dd
Instruction ID: 313e2a408dabe895097bbcca034cbe4e635b2506f6f3afe719a0369261f683f4
Opcode Fuzzy Hash: 14705d78dc1e97449e5de0d08eee3d9b84e6f5984fa530a640f1d6002cc873dd
Instruction Fuzzy Hash: 85C002699CD7C85FCB0713A42C694C83F30485317671E43DBD8A6D69E3A5994906C762

Function 00DA1BDC Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1688905311.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_da0000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1372c9dead67a449ba28119c7e5fddd799732ad4898bf7d574873f800c6aa537
Instruction ID: f2c0eb861b2a2b7f26f69f4182462d313aa8e8bd429ca8e99242c6c790ae79a0
Opcode Fuzzy Hash: 1372c9dead67a449ba28119c7e5fddd799732ad4898bf7d574873f800c6aa537
Instruction Fuzzy Hash: 5CD0C738A04254EBDF056F58FC404BD7672EB4A311F204925F941A3390C6358E589B31

Function 00DA0940 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1688905311.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_da0000_G6hxXf90i5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a0c1ec497008cf44a4a9e73d62a8cd80f282d578384c8015a7f44d19f96336e
Instruction ID: e671ed77536cc8d39fc9782bdacb6ca072f5529f342512bb734a7c5e0a24af98
Opcode Fuzzy Hash: 7a0c1ec497008cf44a4a9e73d62a8cd80f282d578384c8015a7f44d19f96336e
Instruction Fuzzy Hash: 1A90023544470C8B4A80279578095957B5C95446377C00051A90DC26115A55A95085A5

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report G6hxXf90i5.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\G6hxXf90i5.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gpf54ar4.fl2.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_saskvzxt.g50.ps1

C:\Users\user\AppData\Roaming\G6hxXf90i5.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Windows Analysis Report
G6hxXf90i5.exe

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre