Edit tour

Windows Analysis Report
MicrosoftWORD.exe

Overview

General Information

Sample name:	MicrosoftWORD.exe
Analysis ID:	1587444
MD5:	683c5db3796f6ef32a5598a9c442c6b0
SHA1:	39b40a2bb77bc0d46361dec3ecd69d1547b39e6d
SHA256:	cc3f501d414d5bb8fcbb3a4bcfb2b085b9e67a1e7739118f1b727a9336e16f74
Tags:	exePrivateLoaderuser-zhuzhu0009
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Allocates memory in foreign processes

Drops large PE files

Injects a PE file into a foreign processes

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

MicrosoftWORD.exe (PID: 812 cmdline: "C:\Users\user\Desktop\MicrosoftWORD.exe" MD5: 683C5DB3796F6EF32A5598A9C442C6B0)

csc.exe (PID: 1104 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.3151381161.0000000008081000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000004.00000002.3151800226.00000000095E0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000004.00000002.3150912179.0000000006EE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: csc.exe PID: 1104	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.csc.exe.8106448.1.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
4.2.csc.exe.95e0000.3.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\Favorites\components\assets\Chrominum_A.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\MicrosoftWORD.exe, ProcessId: 812, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Chrominum_A

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: MicrosoftWORD.exe	Virustotal: Detection: 65%			Perma Link
Source: MicrosoftWORD.exe	ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Source: MicrosoftWORD.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: MicrosoftWORD.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: Vxfoecavth.pdb source: csc.exe, 00000004.00000003.1731696888.000000000817C000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000004.00000002.3151729530.0000000009520000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000004.00000003.1731696888.000000000835E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: csc.exe, 00000004.00000003.1731696888.0000000008495000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000004.00000002.3151869345.0000000009640000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000004.00000003.1731696888.000000000835E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: csc.exe, 00000004.00000003.1731696888.0000000008495000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000004.00000002.3151869345.0000000009640000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000004.00000003.1731696888.000000000835E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\jenkins_home\workspace\indows-4.5-non-Arxan_release_5.6\CloudAgentInstaller\Release\CloudAgentInstaller.pdb source: MicrosoftWORD.exe, Chrominum_A.exe.0.dr

Source: global traffic

TCP traffic: 192.168.2.7:49804 -> 181.71.216.203:30203

Source: Joe Sandbox View

IP Address: 181.71.216.203 181.71.216.203

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: newstaticfreepoint24.ddns-ip.net

Source: csc.exe, 00000004.00000002.3150912179.0000000007139000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000004.00000002.3150912179.0000000006F75000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000004.00000002.3150912179.0000000006EE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: MicrosoftWORD.exe, Chrominum_A.exe.0.dr	String found in binary or memory: http://www.newhb.com
Source: csc.exe, 00000004.00000003.1731696888.0000000008495000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000004.00000002.3151869345.0000000009640000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000004.00000003.1731696888.000000000835E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: csc.exe, 00000004.00000003.1731696888.0000000008495000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000004.00000002.3151869345.0000000009640000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000004.00000003.1731696888.000000000835E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: csc.exe, 00000004.00000003.1731696888.0000000008495000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000004.00000002.3151869345.0000000009640000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000004.00000003.1731696888.000000000835E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: csc.exe, 00000004.00000003.1731696888.0000000008495000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000004.00000002.3151869345.0000000009640000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000004.00000003.1731696888.000000000835E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: csc.exe, 00000004.00000003.1731696888.0000000008495000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000004.00000002.3151869345.0000000009640000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000004.00000002.3150912179.0000000006EE1000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000004.00000003.1731696888.000000000835E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: csc.exe, 00000004.00000003.1731696888.0000000008495000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000004.00000002.3151869345.0000000009640000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000004.00000003.1731696888.000000000835E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: MicrosoftWORD.exe, Chrominum_A.exe.0.dr	String found in binary or memory: https://www.qualys.com/docs/qualys-cloud-agent-windows-install-guide.pdf

System Summary

Drops large PE files

Source: C:\Users\user\Desktop\MicrosoftWORD.exe

File dump: Chrominum_A.exe.0.dr 959567321

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_052244A6	4_2_052244A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_052244B0	4_2_052244B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06BD1CA8	4_2_06BD1CA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06BD6318	4_2_06BD6318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06BDE07F	4_2_06BDE07F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06BD1FDF	4_2_06BD1FDF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06BD6419	4_2_06BD6419
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06BD1C10	4_2_06BD1C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06BD1C00	4_2_06BD1C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06BDA44C	4_2_06BDA44C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06BD65D6	4_2_06BD65D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06BDE3B7	4_2_06BDE3B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06BD6308	4_2_06BD6308
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06BD2099	4_2_06BD2099
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06BD20C3	4_2_06BD20C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06BD2024	4_2_06BD2024
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06BD5937	4_2_06BD5937
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06BDF128	4_2_06BDF128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06BD5948	4_2_06BD5948
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06BD2141	4_2_06BD2141
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06BF1468	4_2_06BF1468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06BFFB40	4_2_06BFFB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06BFE3F8	4_2_06BFE3F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06BFFB30	4_2_06BFFB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06C927C8	4_2_06C927C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06C933E0	4_2_06C933E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06C97BAE	4_2_06C97BAE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06C94CD8	4_2_06C94CD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06C944A0	4_2_06C944A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06C90040	4_2_06C90040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06C95988	4_2_06C95988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06C97BF6	4_2_06C97BF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06C92B10	4_2_06C92B10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06C94CC9	4_2_06C94CC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06C94490	4_2_06C94490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06C90006	4_2_06C90006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06C959C8	4_2_06C959C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06C939B0	4_2_06C939B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06C95983	4_2_06C95983
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06C939A1	4_2_06C939A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06C939B0	4_2_06C939B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06C9597F	4_2_06C9597F

Source: MicrosoftWORD.exe	Binary or memory string: OriginalFilename vs MicrosoftWORD.exe
Source: MicrosoftWORD.exe, 00000000.00000002.1535438868.0000000002F44000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudAgentInstaller.exeH vs MicrosoftWORD.exe
Source: MicrosoftWORD.exe, 00000000.00000002.1534462310.0000000000A1C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCloudAgentInstaller.exeH vs MicrosoftWORD.exe
Source: MicrosoftWORD.exe, 00000000.00000002.1535242540.000000000292C000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLziarzrkco.exe" vs MicrosoftWORD.exe
Source: MicrosoftWORD.exe	Binary or memory string: OriginalFilenameCloudAgentInstaller.exeH vs MicrosoftWORD.exe

Source: MicrosoftWORD.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal76.evad.winEXE@3/1@1/1

Source: C:\Users\user\Desktop\MicrosoftWORD.exe

File created: C:\Users\user\Favorites\components

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Mutant created: \Sessions\1\BaseNamedObjects\mono1234

Source: MicrosoftWORD.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\MicrosoftWORD.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: MicrosoftWORD.exe, 00000000.00000000.1297806921.000000000055B000.00000002.00000001.01000000.00000003.sdmp, MicrosoftWORD.exe, 00000000.00000002.1535438868.0000000002930000.00000004.00001000.00020000.00000000.sdmp, MicrosoftWORD.exe, 00000000.00000002.1533055814.000000000055B000.00000002.00000001.01000000.00000003.sdmp, Chrominum_A.exe.0.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: MicrosoftWORD.exe, 00000000.00000000.1297806921.000000000055B000.00000002.00000001.01000000.00000003.sdmp, MicrosoftWORD.exe, 00000000.00000002.1535438868.0000000002930000.00000004.00001000.00020000.00000000.sdmp, MicrosoftWORD.exe, 00000000.00000002.1533055814.000000000055B000.00000002.00000001.01000000.00000003.sdmp, Chrominum_A.exe.0.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);

Source: MicrosoftWORD.exe	Virustotal: Detection: 65%
Source: MicrosoftWORD.exe	ReversingLabs: Detection: 52%

Source: MicrosoftWORD.exe

String found in binary or memory: 7XSoftware\Qualys\QualysAgent1.21.11.0Qualys Cloud Security AgentInstallation of Qualys Cloud Agent by double-clicking the executable or installer file is not supported. For installation instructions, refer to 'How to install the Cloud Agent' section in https://www.qualys.com/docs/qualys-cloud-agent-windows-install-guide.pdf

Source: C:\Users\user\Desktop\MicrosoftWORD.exe

File read: C:\Users\user\Desktop\MicrosoftWORD.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\MicrosoftWORD.exe "C:\Users\user\Desktop\MicrosoftWORD.exe"
Source: C:\Users\user\Desktop\MicrosoftWORD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\Desktop\MicrosoftWORD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"	Jump to behavior

Source: C:\Users\user\Desktop\MicrosoftWORD.exe	Section loaded: fugu.dll	Jump to behavior
Source: C:\Users\user\Desktop\MicrosoftWORD.exe	Section loaded: fugu2.dll	Jump to behavior
Source: C:\Users\user\Desktop\MicrosoftWORD.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\MicrosoftWORD.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: MicrosoftWORD.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: MicrosoftWORD.exe

Static file information: File size 7432192 > 1048576

Source: MicrosoftWORD.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x159800
Source: MicrosoftWORD.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x578000

Source: MicrosoftWORD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: MicrosoftWORD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: MicrosoftWORD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: MicrosoftWORD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: MicrosoftWORD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: MicrosoftWORD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: MicrosoftWORD.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: MicrosoftWORD.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: Vxfoecavth.pdb source: csc.exe, 00000004.00000003.1731696888.000000000817C000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000004.00000002.3151729530.0000000009520000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000004.00000003.1731696888.000000000835E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: csc.exe, 00000004.00000003.1731696888.0000000008495000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000004.00000002.3151869345.0000000009640000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000004.00000003.1731696888.000000000835E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: csc.exe, 00000004.00000003.1731696888.0000000008495000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000004.00000002.3151869345.0000000009640000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000004.00000003.1731696888.000000000835E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\jenkins_home\workspace\indows-4.5-non-Arxan_release_5.6\CloudAgentInstaller\Release\CloudAgentInstaller.pdb source: MicrosoftWORD.exe, Chrominum_A.exe.0.dr

Data Obfuscation

Yara detected Costura Assembly Loader

Source: Yara match	File source: 4.2.csc.exe.8106448.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.csc.exe.95e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3151381161.0000000008081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3151800226.00000000095E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3150912179.0000000006EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: csc.exe PID: 1104, type: MEMORYSTR

Source: C:\Users\user\Desktop\MicrosoftWORD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\Desktop\MicrosoftWORD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"			Jump to behavior

Source: MicrosoftWORD.exe

Static PE information: real checksum: 0x1c8570 should be: 0x726390

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06B84F58 push edx; retf	4_2_06B84F5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06BD6CD8 push es; retn BD90h	4_2_06BDA650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06BD0620 push es; iretd	4_2_06BD06C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06BD1FA8 pushfd ; ret	4_2_06BD1FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06BDAA8E push es; iretd	4_2_06BDAA9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06BDA22C push eax; retf	4_2_06BDA22F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06BDAA1E push es; iretd	4_2_06BDAA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06BDAB8B push es; ret	4_2_06BDAB8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06BDABC8 push es; ret	4_2_06BDAB8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06BDA992 push es; retf	4_2_06BDA9A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06C976C0 push ds; retf	4_2_06C976C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06C976C3 push ds; retf	4_2_06C976CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06C982B3 push eax; retf	4_2_06C982B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06C975C0 push ds; retf	4_2_06C975C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06C975C3 push ds; retf	4_2_06C975CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06C965D1 push ss; retf	4_2_06C965D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06C965D3 push ss; retf	4_2_06C965D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06C965D7 push ss; retf	4_2_06C965DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06C975F0 push ds; retf	4_2_06C97682
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06C97581 push ds; retf	4_2_06C97582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06C975A0 push ds; retf	4_2_06C975A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06C965B1 push ss; retf	4_2_06C965B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06C97541 push ds; retf	4_2_06C97542
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06C97561 push ds; retf	4_2_06C97562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4_2_06C95978 push cs; retf	4_2_06C9597E

Source: C:\Users\user\Desktop\MicrosoftWORD.exe

File created: C:\Users\user\Favorites\components\assets\Chrominum_A.exe

Jump to dropped file

Source: C:\Users\user\Desktop\MicrosoftWORD.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Chrominum_A			Jump to behavior
Source: C:\Users\user\Desktop\MicrosoftWORD.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Chrominum_A			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Memory allocated: 51E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Memory allocated: 6EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Memory allocated: 6A40000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 526000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\MicrosoftWORD.exe

Dropped PE file which has not been started: C:\Users\user\Favorites\components\assets\Chrominum_A.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 3300	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 3300	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 4260	Thread sleep count: 200 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 3232	Thread sleep time: -526000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 3300	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 526000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: csc.exe, 00000004.00000002.3152023388.00000000098A0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Code function: 4_2_06C90040 LdrInitializeThunk,

4_2_06C90040

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\MicrosoftWORD.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\MicrosoftWORD.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: A00000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\MicrosoftWORD.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: A00000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\MicrosoftWORD.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: A00000			Jump to behavior
Source: C:\Users\user\Desktop\MicrosoftWORD.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 647008			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\MicrosoftWORD.exe

Code function: 0_2_00512345 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00512345

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: csc.exe, 00000004.00000003.1515707116.00000000098BF000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000004.00000002.3149922640.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	131 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	31 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	11 Disable or Modify Tools	LSASS Memory	131 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	141 Virtualization/Sandbox Evasion	Security Account Manager	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	31 Process Injection	NTDS	124 System Information Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
MicrosoftWORD.exe	65%	Virustotal		Browse
MicrosoftWORD.exe	53%	ReversingLabs	Win32.Trojan.Leonem

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Favorites\components\assets\Chrominum_A.exe	5%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://www.newhb.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
newstaticfreepoint24.ddns-ip.net	181.71.216.203	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/mgravell/protobuf-net	csc.exe, 00000004.00000003.1731696888.0000000008495000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000004.00000002.3151869345.0000000009640000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000004.00000003.1731696888.000000000835E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.qualys.com/docs/qualys-cloud-agent-windows-install-guide.pdf	MicrosoftWORD.exe, Chrominum_A.exe.0.dr	false		high
http://www.newhb.com	MicrosoftWORD.exe, Chrominum_A.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://github.com/mgravell/protobuf-neti	csc.exe, 00000004.00000003.1731696888.0000000008495000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000004.00000002.3151869345.0000000009640000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000004.00000003.1731696888.000000000835E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/14436606/23354	csc.exe, 00000004.00000003.1731696888.0000000008495000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000004.00000002.3151869345.0000000009640000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000004.00000002.3150912179.0000000006EE1000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000004.00000003.1731696888.000000000835E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-netJ	csc.exe, 00000004.00000003.1731696888.0000000008495000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000004.00000002.3151869345.0000000009640000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000004.00000003.1731696888.000000000835E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	csc.exe, 00000004.00000002.3150912179.0000000007139000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000004.00000002.3150912179.0000000006F75000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000004.00000002.3150912179.0000000006EE1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/11564914/23354;	csc.exe, 00000004.00000003.1731696888.0000000008495000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000004.00000002.3151869345.0000000009640000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000004.00000003.1731696888.000000000835E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	csc.exe, 00000004.00000003.1731696888.0000000008495000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000004.00000002.3151869345.0000000009640000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000004.00000003.1731696888.000000000835E000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
181.71.216.203	newstaticfreepoint24.ddns-ip.net	Colombia		27831	ColombiaMovilCO	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587444
Start date and time:	2025-01-10 11:49:02 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	MicrosoftWORD.exe
Detection:	MAL
Classification:	mal76.evad.winEXE@3/1@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 81% Number of executed functions: 87 Number of non-executed functions: 18
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212, 4.175.87.197
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target MicrosoftWORD.exe, PID 812 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:21:27	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Chrominum_A C:\Users\user\Favorites\components\assets\Chrominum_A.exe
13:21:35	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Chrominum_A C:\Users\user\Favorites\components\assets\Chrominum_A.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
181.71.216.203	MicrosoftOfficeWord.exe	Get hash	malicious	Unknown	Browse
	AdobePDF.exe	Get hash	malicious	Unknown	Browse
	AdobeReaderPDFonline.exe	Get hash	malicious	Unknown	Browse
	PDFonlineseguro.exe	Get hash	malicious	Unknown	Browse
	MicrosoftOfficeWord.exe	Get hash	malicious	Unknown	Browse
	AdobePDF.exe	Get hash	malicious	Unknown	Browse
	AdobeReaderPDFonline.exe	Get hash	malicious	Unknown	Browse
	PDFonlineseguro.exe	Get hash	malicious	Unknown	Browse
	AdobePremierPDF.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
newstaticfreepoint24.ddns-ip.net	MicrosoftOfficeWord.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	AdobePDF.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	AdobeReaderPDFonline.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	PDFonlineseguro.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	MicrosoftOfficeWord.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	AdobePDF.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	AdobeReaderPDFonline.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	PDFonlineseguro.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	AdobePremierPDF.exe	Get hash	malicious	Unknown	Browse	181.71.216.203

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ColombiaMovilCO	MicrosoftOfficeWord.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	AdobePDF.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	AdobeReaderPDFonline.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	PDFonlineseguro.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	MicrosoftOfficeWord.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	AdobePDF.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	AdobeReaderPDFonline.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	PDFonlineseguro.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	AdobePremierPDF.exe	Get hash	malicious	Unknown	Browse	181.71.216.203

Process:	C:\Users\user\Desktop\MicrosoftWORD.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	959567321
Entropy (8bit):	0.10403134135261466
Encrypted:	false
SSDEEP:
MD5:	2F50620BC392CD4467AF0774F20F0045
SHA1:	897E76B977A57DAE0E0A7BC32EF8C436248316E5
SHA-256:	BB8B678F7382CE794161786A8E11C10986A6B8F24F55B2F3C9108B9871E266ED
SHA-512:	7B11B49A72AA9157BC0FFDBEA67E03BCEE8741BB307F723856011F94476EAB83C2C6918E3AD3E6227BB2224B0075AD501D18027708AB9E09AE198FC964E06A40
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T...v...v...v...t..v...v.v...w..v.../...v..+(...v..+(..6v..+(..kv.......v..(...v.......v...v..;w..(..;v..(z..v...v...v..(...v..Rich.v..........PE..L....KFf......................[...................@...........................q.....p.....@.................................(\|..x....`....W.............................p...............................@....................z.......................text............................... ..`.rdata..............................@..@.data............V...~..............@....gfids... ...0......................@..@.tls.........P......................@....rsrc.....W..`....W.................@..@........................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.664200167453047
TrID:	Win32 Executable (generic) a (10002005/4) 99.55% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	MicrosoftWORD.exe
File size:	7'432'192 bytes
MD5:	683c5db3796f6ef32a5598a9c442c6b0
SHA1:	39b40a2bb77bc0d46361dec3ecd69d1547b39e6d
SHA256:	cc3f501d414d5bb8fcbb3a4bcfb2b085b9e67a1e7739118f1b727a9336e16f74
SHA512:	d3ff24f43b4043f1cae00c79c6cf7418bc78012e37a2f28f42f96185d31ccc0f2f020e69803c0e29672b7db074fe9aaeade584d7cf4494951a59f60fc3dde261
SSDEEP:	98304:zWmwv0GCAR4IQrOWoqNm2T2Nr0WtpHW+WxUbSj8KSS:zWmwHCAcOWoqNm2E0WtlW+W6bCkS
TLSH:	AE767C71E283CC43E8A220BFE129A5FC51256E35E627C587B3C0FE2A70735D295E561B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T....v...v...v....t..v....v..v....w..v.../...v..+(...v..+(..6v..+(..kv.......v...(...v.......v...v..;w...(..;v...(z..v...v...v.

File Icon


Icon Hash:	3368ccd64c69138e

Static PE Info

General

Entrypoint:	0x5116c7
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66464B85 [Thu May 16 18:08:05 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	667cd4ebeeff36c77bc94683d50504ef

Entrypoint Preview

Instruction
call 00007FC750FFF0DEh
jmp 00007FC750FFE2ECh
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0055B170h]
push dword ptr [ebp+08h]
call dword ptr [0055B2F0h]
push C0000409h
call dword ptr [0055B260h]
push eax
call dword ptr [0055B13Ch]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call 00007FC750FEAB88h
test eax, eax
je 00007FC750FFE467h
push 00000002h
pop ecx
int 29h
mov dword ptr [0059FD30h], eax
mov dword ptr [0059FD2Ch], ecx
mov dword ptr [0059FD28h], edx
mov dword ptr [0059FD24h], ebx
mov dword ptr [0059FD20h], esi
mov dword ptr [0059FD1Ch], edi
mov word ptr [0059FD48h], ss
mov word ptr [0059FD3Ch], cs
mov word ptr [0059FD18h], ds
mov word ptr [0059FD14h], es
mov word ptr [0059FD10h], fs
mov word ptr [0059FD0Ch], gs
pushfd
pop dword ptr [0059FD40h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0059FD34h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0059FD38h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0059FD44h], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [0059FC80h], 00010001h

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[RES] VS2015 UPD3 build 24213
[LNK] VS2015 UPD3.1 build 24215

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x197c28	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1a6000	0x577fa0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1bf000	0xdda4	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x18a210	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x16acf8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x15b000	0x398	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x197a80	0x80	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x15a000	0x159800	29eab12d8effad8d0b1170fcfb5a3918	False	0.5572596327785818	data	6.661013407705432	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x15b000	0x3f000	0x3e200	eae27ead0dbaa6b546d3ad9e2f2eddf2	False	0.3670853244466801	data	5.085860438856158	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x19a000	0x9000	0x5600	c5bd365bb50e696ac8174b61be590ccd	False	0.2043059593023256	data	4.249683212440647	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids	0x1a3000	0x2000	0x1200	db596309d3c1c15c9fe66b4080be2928	False	0.3784722222222222	data	4.026024095908803	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x1a5000	0x1000	0x200	adb00c88d5919bab3c4b160cbf2abed5	False	0.03515625	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1a6000	0x577fa0	0x578000	65a24c5551dd85360b88203996705aef	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x1a6660	0x7028	Device independent bitmap graphic, 448 x 16 x 32, image size 0			0.3149902479799387
RT_BITMAP	0x1ad688	0x72a24	Device independent bitmap graphic, 500 x 313 x 24, image size 469500, resolution 3780 x 3780 px/m			0.5955807811901009
RT_BITMAP	0x2200ac	0x72a24	Device independent bitmap graphic, 500 x 313 x 24, image size 469500, resolution 3780 x 3780 px/m			0.5876751714443924
RT_BITMAP	0x292ad0	0x72a24	Device independent bitmap graphic, 500 x 313 x 24, image size 469500, resolution 3780 x 3780 px/m			0.4681283809686076
RT_BITMAP	0x3054f4	0x67258	PC bitmap, Windows 3.x format, 52864 x 2 x 54, image size 422942, cbSize 422488, bits offset 54			0.9915003503058075
RT_ICON	0x36c74c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.4716312056737589
RT_ICON	0x36cbb4	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.29174484052532834
RT_ICON	0x36dc5c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.22863070539419086
RT_ICON	0x370204	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.20559754369390648
RT_ICON	0x37442c	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.15386549154146456
RT_STRING	0x384c54	0x6c	data			0.6481481481481481
RT_RCDATA	0x384cc0	0x9d36	PNG image data, 98 x 102, 8-bit/color RGBA, non-interlaced			0.23204790538190131
RT_RCDATA	0x38e9f8	0x7a2b6	data			0.7525569237778924
RT_RCDATA	0x408cb0	0xc32ba	Delphi compiled form 'Tdm'			0.34880500564160427
RT_RCDATA	0x4cbf6c	0x9c27a	Delphi compiled form 'TdmMain'			0.26150935726458313
RT_RCDATA	0x5681e8	0x1cc3e	Delphi compiled form '\017TFanTasticFrame\016FanTasticFrame'			0.4461985028262973
RT_RCDATA	0x584e28	0xf7ece	Delphi compiled form 'TfPNGMessage'			0.1253773995521427
RT_RCDATA	0x67ccf8	0x1ec66	Delphi compiled form 'TfrmMain'			0.16980024433972743
RT_RCDATA	0x69b960	0x5fd99	Delphi compiled form '\023TOperationModeFrame\022OperationModeFrame'			0.6852657023288274
RT_GROUP_ICON	0x6fb6fc	0x4c	data	English	United States	0.75
RT_VERSION	0x6fb748	0x34c	data	English	United States	0.4372037914691943
RT_ANIICON	0x6fba94	0x221a2	PC bitmap, Windows 3.x format, 18288 x 2 x 29, image size 140368, cbSize 139682, bits offset 54			0.9885668876447932
RT_MANIFEST	0x71dc38	0x365	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (809), with CRLF line terminators	English	United States	0.48676639815880324

Imports

DLL	Import
KERNEL32.dll	HeapAlloc, LoadLibraryW, GetSystemInfo, HeapReAlloc, DeleteFileW, DeleteFileA, GetVersionExA, WaitForSingleObjectEx, LoadLibraryA, CreateFileA, FlushViewOfFile, GetFileAttributesExW, GetFileAttributesA, GetDiskFreeSpaceA, FormatMessageW, GetTempPathA, Sleep, MultiByteToWideChar, HeapSize, HeapValidate, UnmapViewOfFile, GetVersionExW, GetFileAttributesW, GetTempPathW, UnlockFileEx, SetEndOfFile, GetFullPathNameA, SetFilePointer, LockFile, OutputDebugStringA, GetDiskFreeSpaceW, InterlockedCompareExchange, GetFullPathNameW, HeapFree, HeapCreate, ReadFile, AreFileApisANSI, RaiseException, GetCurrentThreadId, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, TryEnterCriticalSection, DeleteCriticalSection, SetLastError, GetConsoleCP, GetVersion, VerSetConditionMask, VerifyVersionInfoW, UnlockFile, DebugBreak, FindFirstFileW, CompareFileTime, FindNextFileW, FindClose, TerminateProcess, GetCurrentThread, SetThreadPriority, SetFileAttributesW, GetModuleFileNameW, GetTimeZoneInformation, GetSystemDirectoryW, HeapCompact, GlobalAlloc, GetLocalTime, CreateDirectoryW, GetCurrentDirectoryW, InitializeCriticalSectionAndSpinCount, SetUnhandledExceptionFilter, GetEnvironmentVariableW, SetEnvironmentVariableW, DuplicateHandle, VirtualAlloc, VirtualFree, IsProcessorFeaturePresent, SetThreadAffinityMask, ResumeThread, SetEvent, ResetEvent, ReleaseSemaphore, CreateEventW, CreateSemaphoreW, GetFileTime, GetSystemWow64DirectoryW, GlobalFree, DecodePointer, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, CreateFileMappingA, LocalFree, LockFileEx, GetFileSize, GetCurrentProcessId, GetProcessHeap, SystemTimeToFileTime, FreeLibrary, WideCharToMultiByte, GetSystemTimeAsFileTime, GetSystemTime, FormatMessageA, CreateFileMappingW, MapViewOfFile, QueryPerformanceCounter, GetTickCount, FlushFileBuffers, ReleaseMutex, CopyFileW, CreateMutexW, SetDllDirectoryW, GetExitCodeProcess, WaitForSingleObject, CreateProcessW, ExpandEnvironmentStringsW, IsWow64Process, OutputDebugStringW, GetFileSizeEx, WriteFile, CreateFileW, SizeofResource, LockResource, LoadResource, FindResourceW, CloseHandle, OpenProcess, GetProcAddress, GetModuleHandleW, GetCurrentProcess, GetLastError, SetStdHandle, WriteConsoleW, LoadLibraryExW, HeapDestroy, GetConsoleWindow, IsValidCodePage, FindFirstFileExW, SetFilePointerEx, ReadConsoleW, GetConsoleMode, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, GetFileType, GetACP, GetCommandLineW, GetCommandLineA, GetStdHandle, ExitProcess, VirtualProtect, VirtualQuery, LoadLibraryExA, GetStringTypeW, EncodePointer, GetCPInfo, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, CompareStringW, LCMapStringW, GetLocaleInfoW, UnhandledExceptionFilter, IsDebuggerPresent, GetStartupInfoW, InitializeSListHead, CreateTimerQueue, SignalObjectAndWait, SwitchToThread, CreateThread, GetThreadPriority, GetLogicalProcessorInformation, CreateTimerQueueTimer, ChangeTimerQueueTimer, DeleteTimerQueueTimer, GetNumaHighestNodeNumber, GetProcessAffinityMask, RegisterWaitForSingleObject, UnregisterWait, GetThreadTimes, FreeLibraryAndExitThread, GetModuleHandleA, InterlockedPopEntrySList, InterlockedPushEntrySList, InterlockedFlushSList, QueryDepthSList, UnregisterWaitEx, RtlUnwind, ExitThread, GetModuleHandleExW
USER32.dll	ShowWindow, MessageBoxW
ADVAPI32.dll	ControlService, StartServiceW, CloseServiceHandle, QueryServiceStatusEx, OpenServiceW, OpenSCManagerW, GetTokenInformation, CryptReleaseContext, RegDeleteValueW, RegSetValueExW, RegDeleteKeyW, GetSecurityDescriptorDacl, GetSecurityDescriptorGroup, GetSecurityDescriptorOwner, RegCreateKeyExW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, ConvertStringSecurityDescriptorToSecurityDescriptorW, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, TreeResetNamedSecurityInfoW
SHELL32.dll	SHCreateDirectoryExW
SHLWAPI.dll	PathFindFileNameW, PathCombineA, PathAppendW, PathRemoveFileSpecW, PathIsDirectoryW, PathFileExistsW, PathCombineW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 11:50:23.767812967 CET	49804	30203	192.168.2.7	181.71.216.203
Jan 10, 2025 11:50:23.772733927 CET	30203	49804	181.71.216.203	192.168.2.7
Jan 10, 2025 11:50:23.772828102 CET	49804	30203	192.168.2.7	181.71.216.203
Jan 10, 2025 11:50:23.862126112 CET	49804	30203	192.168.2.7	181.71.216.203
Jan 10, 2025 11:50:23.867079973 CET	30203	49804	181.71.216.203	192.168.2.7
Jan 10, 2025 11:50:23.867161036 CET	49804	30203	192.168.2.7	181.71.216.203
Jan 10, 2025 11:50:23.871988058 CET	30203	49804	181.71.216.203	192.168.2.7
Jan 10, 2025 11:50:45.144764900 CET	30203	49804	181.71.216.203	192.168.2.7
Jan 10, 2025 11:50:45.144829988 CET	49804	30203	192.168.2.7	181.71.216.203
Jan 10, 2025 11:50:45.153711081 CET	49804	30203	192.168.2.7	181.71.216.203
Jan 10, 2025 11:50:45.158544064 CET	30203	49804	181.71.216.203	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 11:50:23.742748976 CET	54372	53	192.168.2.7	1.1.1.1
Jan 10, 2025 11:50:23.764754057 CET	53	54372	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 11:50:23.742748976 CET	192.168.2.7	1.1.1.1	0xdc63	Standard query (0)	newstaticfreepoint24.ddns-ip.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 11:50:23.764754057 CET	1.1.1.1	192.168.2.7	0xdc63	No error (0)	newstaticfreepoint24.ddns-ip.net		181.71.216.203	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	05:50:00
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\MicrosoftWORD.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\MicrosoftWORD.exe"
Imagebase:	0x400000
File size:	7'432'192 bytes
MD5 hash:	683C5DB3796F6EF32A5598A9C442C6B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:21:23
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Imagebase:	0xed0000
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000004.00000002.3151381161.0000000008081000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000004.00000002.3151800226.00000000095E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000004.00000002.3150912179.0000000006EE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	8.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	37.5%
Total number of Nodes:	48
Total number of Limit Nodes:	6

Executed Functions

Function 06BDE07F Relevance: 2.4, Strings: 1, Instructions: 1146COMMON

Download Yara Rule

Strings

4, xrefs: 06BDEA65

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 621d74ff0a3ad07ef2eeddb6760c9a7e82f59fe61127d7280e0e05a5f13aedc6
Instruction ID: 48315aaa0d65066076ab80f766b0fca4a4957f8e6094d0b99cd778fa26373ba0
Opcode Fuzzy Hash: 621d74ff0a3ad07ef2eeddb6760c9a7e82f59fe61127d7280e0e05a5f13aedc6
Instruction Fuzzy Hash: 19B20874A002188FEB54DFA9C894BADB7B6FB48700F148599E505AF2A5DB70EC82CF50

Function 06BDE3B7 Relevance: 1.7, Strings: 1, Instructions: 495COMMON

Download Yara Rule

Strings

4, xrefs: 06BDEA65

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 918afe2a157b891c3c28205fc5e21680dc04fe896cc358f47884fd225bdcab34
Instruction ID: fb089870bc0ae2e7ad9a60faf228434625790093e37c4f63920be48912a01b98
Opcode Fuzzy Hash: 918afe2a157b891c3c28205fc5e21680dc04fe896cc358f47884fd225bdcab34
Instruction Fuzzy Hash: 8022DA74A012158FDBA4DFA5C994BA9B7B6FB48304F1480D9E509AF295DB30ED82CF50

Function 06C90006 Relevance: 1.7, APIs: 1, Instructions: 184
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 06C900C2

Memory Dump Source

Source File: 00000004.00000002.3150809099.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c90000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 376165730a2d29a4ac95daef4d37f06fc8d4a0f773da92a2992105d39fdaba3e
Instruction ID: 515b47ac37f0b68eb197ed23dac5134abc4ee2fe952147fbdeae9b7504ba32ba
Opcode Fuzzy Hash: 376165730a2d29a4ac95daef4d37f06fc8d4a0f773da92a2992105d39fdaba3e
Instruction Fuzzy Hash: F971A030B05244CFEF84CF26D54DBA937B3FB8A314F1890ADE1059B2A5DB798985CB61

Function 06C90040 Relevance: 1.7, APIs: 1, Instructions: 159
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 06C900C2

Memory Dump Source

Source File: 00000004.00000002.3150809099.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c90000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b5bdf1a004d712c94133c7acebadf7b8493c33a7eda9f85651101514296b9d1f
Instruction ID: c16faeec8d63ec1eb7afe7a90eab1255306d46d599cc46a6b2a26b2a33ba8762
Opcode Fuzzy Hash: b5bdf1a004d712c94133c7acebadf7b8493c33a7eda9f85651101514296b9d1f
Instruction Fuzzy Hash: 0C515930B00604CFEF94CF26D54DBA973B3BB8A315F14906DE10A9B6A4DB399985CB64

Function 06BFFB30 Relevance: 1.6, APIs: 1, Instructions: 150
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 06BFFBD6

Memory Dump Source

Source File: 00000004.00000002.3150744731.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bf0000_csc.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3ddb34ffbfd5930dc57c52feb0d875ccc9d6a08192e99e6a6f65de31902ba3c4
Instruction ID: fcae1920f79dbc732ce851109ce5439c042f60afab098324ef2e8472f4914f43
Opcode Fuzzy Hash: 3ddb34ffbfd5930dc57c52feb0d875ccc9d6a08192e99e6a6f65de31902ba3c4
Instruction Fuzzy Hash: C6516E347001808FC384DB79D6A5B7A33E2AB8D314B4544ADF51ECF3A1EE789909C795

Function 06BFFB40 Relevance: 1.6, APIs: 1, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 06BFFBD6

Memory Dump Source

Source File: 00000004.00000002.3150744731.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bf0000_csc.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: dfda47c7bb3de7b6cd7c0912d2d03c24e90a9618d164b26cd7465da11717707c
Instruction ID: 79a7c3482be225497cc7a663ee3255edca04919cb1f76512e06a16f9c1c98a46
Opcode Fuzzy Hash: dfda47c7bb3de7b6cd7c0912d2d03c24e90a9618d164b26cd7465da11717707c
Instruction Fuzzy Hash: 72516D347000408FC384EB7AD6A5B7A33E2AB8D314B4544ADF51ECF3A5EE789D498795

Function 06C95983 Relevance: 1.6, Strings: 1, Instructions: 314
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

[wl^, xrefs: 06C95D84

Memory Dump Source

Source File: 00000004.00000002.3150809099.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c90000_csc.jbxd

Similarity

API ID:
String ID: [wl^
API String ID: 0-1344784805
Opcode ID: 64e03e8e5b9159767a70b4c19a7e607623fef6440ec67aff8d8f3693c2327120
Instruction ID: 562aa2615fd067a125af2e633e8930754db2ea81e16aab86b4c2e1d7847bf478
Opcode Fuzzy Hash: 64e03e8e5b9159767a70b4c19a7e607623fef6440ec67aff8d8f3693c2327120
Instruction Fuzzy Hash: 1AC1A171A00204CFFB56DB66D5987AEB7B3EB84320F91C568E4095B394DB349D47CBA0

Function 06C95988 Relevance: 1.6, Strings: 1, Instructions: 311
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

[wl^, xrefs: 06C95D84

Memory Dump Source

Source File: 00000004.00000002.3150809099.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c90000_csc.jbxd

Similarity

API ID:
String ID: [wl^
API String ID: 0-1344784805
Opcode ID: 145d8d27be1fe7c9b4f6dc78e5f43aa502176dd5d8aceb302067d0f81fdc31c0
Instruction ID: 4704748d7d9a16f8e68829c876fe73a1c25f65d812353bf0a7ea5d4ea197496c
Opcode Fuzzy Hash: 145d8d27be1fe7c9b4f6dc78e5f43aa502176dd5d8aceb302067d0f81fdc31c0
Instruction Fuzzy Hash: ADC1A171A00204CFFB56DB66D5987AEB7B3EB84320F91C568E4095B394DB349D46CBA0

Function 06C9597F Relevance: 1.6, Strings: 1, Instructions: 309
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

[wl^, xrefs: 06C95D84

Memory Dump Source

Source File: 00000004.00000002.3150809099.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c90000_csc.jbxd

Similarity

API ID:
String ID: [wl^
API String ID: 0-1344784805
Opcode ID: bbf2a690ac6366ced36093349521207968e518c2056006ff44a8f183f056948f
Instruction ID: 4b73aab12d16e9ffa430f42455da10ff20d9a169d2619f831420f589e0af02af
Opcode Fuzzy Hash: bbf2a690ac6366ced36093349521207968e518c2056006ff44a8f183f056948f
Instruction Fuzzy Hash: BAC19171A00204CFFB56CB66D5987AEB7B3EB84320F92C568E4095B394DB349D47CBA0

Function 06C959C8 Relevance: 1.5, Strings: 1, Instructions: 289
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

[wl^, xrefs: 06C95D84

Memory Dump Source

Source File: 00000004.00000002.3150809099.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c90000_csc.jbxd

Similarity

API ID:
String ID: [wl^
API String ID: 0-1344784805
Opcode ID: d1ff3d470d5fcfa06a69c9b8d73a6db9cf74e3ca7b2512236de1c239f3a06cb2
Instruction ID: 81db6b90b8ba2559de3395f911a60d9f8f8480b8c6d05a1e3785cbd01207f513
Opcode Fuzzy Hash: d1ff3d470d5fcfa06a69c9b8d73a6db9cf74e3ca7b2512236de1c239f3a06cb2
Instruction Fuzzy Hash: BDC18070A00204CFFB56DB66D5987A9B7B3EB84320F91C568E40D5B394DB389D46CBA0

Function 06BF1468 Relevance: .6, Instructions: 555
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3150744731.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bf0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d13520aca352554fc00c51ba29d340c5816818d170c955358af1688590340960
Instruction ID: 203294a636bbf04bf2bd3fd131d1ac0552b2fcc90f28a92bb49be45a616f8b18
Opcode Fuzzy Hash: d13520aca352554fc00c51ba29d340c5816818d170c955358af1688590340960
Instruction Fuzzy Hash: 1C225674B10604CFDB58DF69C584A6AB7F6EF88710B1588A9E606CB371DB31EC45CBA0

Function 06C94CC9 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150809099.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0951f791dcdb937d42fbe4f43931bfbdee85e69ddd592b335005b3f4302d278
Instruction ID: be2efcbe027c9cf9d7615b52069bf1499dabcfcd4f3f96cdb0beb482eb5c776e
Opcode Fuzzy Hash: a0951f791dcdb937d42fbe4f43931bfbdee85e69ddd592b335005b3f4302d278
Instruction Fuzzy Hash: E8D17334A00504CFDF89DF65D548BAA73F3EB89314F508469E4159F764DB38AD86CBA0

Function 06C94CD8 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150809099.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d2ea19925351dd80106b445226c5b3c3b284a034cfb8c1b1baa92d4c88387d4
Instruction ID: 0327d07728aaedc102dd01fd8f2181fc46b870ee37d5c50608d187374a848d91
Opcode Fuzzy Hash: 2d2ea19925351dd80106b445226c5b3c3b284a034cfb8c1b1baa92d4c88387d4
Instruction Fuzzy Hash: 0DC16134A00504CFDB89DF65D648BAAB3F3EB89314F508469E4159F764DB38AD86CBA0

Function 06C97BAE Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150809099.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69afc2b0b169fdb333ff14ca0b6e728673a1b25f9b3a5928392e1d86cad5aeeb
Instruction ID: 30b9a794ff44be8744c6e1a9564b67e88b0c009d2350be0ccfb22e782f75139b
Opcode Fuzzy Hash: 69afc2b0b169fdb333ff14ca0b6e728673a1b25f9b3a5928392e1d86cad5aeeb
Instruction Fuzzy Hash: CCD13B30A22104CFDB94CF29D58CBA977F2FF49714F2580A8E4059B7A1D778AD85CB60

Function 06C933E0 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150809099.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90521391979e767c0529cc10d3da5261cfc6ca61840942782a9e1cda0d51f3c2
Instruction ID: dc048ad439fc99734ae1f7f284b8e492c7b8b2fe5d70a7413a0c747c34d30d77
Opcode Fuzzy Hash: 90521391979e767c0529cc10d3da5261cfc6ca61840942782a9e1cda0d51f3c2
Instruction Fuzzy Hash: C6B18A70E002498FDF50CFA9C9897ADBBF2BF88314F148529D819E7294EB749941CFA1

Function 06C927C8 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150809099.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d504890eba7ac1dbfe3ce6ae29e30ec212ff557edf76cbf6c6baca84ed07cea6
Instruction ID: bfbdd23ff470b1ff5659a14d920d272542724f2a13f4e978969bae5c2e6eca76
Opcode Fuzzy Hash: d504890eba7ac1dbfe3ce6ae29e30ec212ff557edf76cbf6c6baca84ed07cea6
Instruction Fuzzy Hash: F591A171E102099FDF64CFA9C9887EDBBF2BF88704F14812DD444A7294DB389A45CB91

Function 06C94490 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150809099.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d1a0f5a56a356ba685df1cc8c58dc8b2c873b4e972fa9148dcf4c922fabb6ac
Instruction ID: 89c6058610a9a59c066b6bc0edb3c027bc0e04bdd05c6c058f0e8b43a0c17eba
Opcode Fuzzy Hash: 6d1a0f5a56a356ba685df1cc8c58dc8b2c873b4e972fa9148dcf4c922fabb6ac
Instruction Fuzzy Hash: 5C91C130A01144CFEF98CB66D648BA973F3EB89315F15C079E0069B7A0DB3C9986CB65

Function 06C944A0 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150809099.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 494f666236186ad9f9b8bfc351bfabb51a50a1dbbe88213468e0e904d5ea43d6
Instruction ID: 8579a267980542fbca00ff8eae0f188c0216ab09941ab6ddd96052bd511ebe12
Opcode Fuzzy Hash: 494f666236186ad9f9b8bfc351bfabb51a50a1dbbe88213468e0e904d5ea43d6
Instruction Fuzzy Hash: 1B91B130A01144CFEF98CB66D649BA973F3EB89314F15C079E1069B7A0DB3C9986CB65

Function 06BD6308 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17cbf34f2e3669dad574f34b3f582b2f61a1a516a8fd3ea47aa2615a773cf4f2
Instruction ID: a5250c8615591ad4d962ac4661d9a11835cab50506f5b14c49c229b8dd1da78e
Opcode Fuzzy Hash: 17cbf34f2e3669dad574f34b3f582b2f61a1a516a8fd3ea47aa2615a773cf4f2
Instruction Fuzzy Hash: BF91C0B0E01548CFEB54CB1AD544BED77F2FB89328F1480A9E105AF295F7389889CB94

Function 06BD6318 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a5d1ebac23b543d64e690526a247606c95cd550afce21d1fbe02ed1c24b67a
Instruction ID: b147b8eb142b75aba57c812c3e9d6212f87b638ade10aacca326b848a1301dce
Opcode Fuzzy Hash: 01a5d1ebac23b543d64e690526a247606c95cd550afce21d1fbe02ed1c24b67a
Instruction Fuzzy Hash: 4E91BFB0E00548CFEB54CB5AD544BAD77F3FB89328F1490A9E105AF295F7389889CB94

Function 06BD65D6 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39cf105618dd419b010ac6d6a7b95b395ae03a154660d6ec5ed8853ee09879bf
Instruction ID: 6f8a3760d2c84da581bb4ebc8003fb3289408d134af068e3dac1f6d1d05c7e1b
Opcode Fuzzy Hash: 39cf105618dd419b010ac6d6a7b95b395ae03a154660d6ec5ed8853ee09879bf
Instruction Fuzzy Hash: 6B81B1B0E00588CFEB54CF5AD544BAD77F2FB89328F1490A5E105AF295F7389889CB54

Function 06BD6419 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b654a09291fa1c51230320b6c29c72eb320554ed619cac21e99306252822e2a
Instruction ID: 99c0d5ce4270602d91a9fa71a9e3f75cd41636453f656beccd5cac9ddd490f44
Opcode Fuzzy Hash: 5b654a09291fa1c51230320b6c29c72eb320554ed619cac21e99306252822e2a
Instruction Fuzzy Hash: 1681AFB0E00548CFEB94CF5AD544BAD77F2FB89328F1490A9E105AF295F7389889CB54

Function 06BD1CA8 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d41ec71cd140d887f98fb5c4e452e74ac46b5a66758d2489ee2e1e2759aeeb0
Instruction ID: 89ffb6dc429b16b0c858d9ccaa273dea6c78b074f25ebef38f8d2ad1b3e9cf13
Opcode Fuzzy Hash: 0d41ec71cd140d887f98fb5c4e452e74ac46b5a66758d2489ee2e1e2759aeeb0
Instruction Fuzzy Hash: 49814A74A056488FDB84CFA9D595BAD77F1BB4A304F50806EE42ADF3A1EB389945CF00

Function 06C900F9 Relevance: 1.6, APIs: 1, Instructions: 101
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 06C900C2

Memory Dump Source

Source File: 00000004.00000002.3150809099.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c90000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6ba02221bd7b79af6c36d08021802ac25f32b22ba329f0243e6c5c7b922f9e28
Instruction ID: fec4d8b6490e5a1a5ef6ff506ad1b0f6a8cfcf66b97286c3d47178c47d93bc1a
Opcode Fuzzy Hash: 6ba02221bd7b79af6c36d08021802ac25f32b22ba329f0243e6c5c7b922f9e28
Instruction Fuzzy Hash: 44417E30B00605CFEF94CF26D54DB6973B3FB86319F28946DE1069B6A4DB398985CB60

Function 0522CA18 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0522CA8C

Memory Dump Source

Source File: 00000004.00000002.3150205008.0000000005220000.00000040.00000800.00020000.00000000.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5220000_csc.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 6c5f53fff7e495d2bc3e9c5ad7c1a80d66dd9e534625365ca01c9baf08b07cec
Instruction ID: 9e42a9f459af0a53441af9639d992f3e7fa841467e4002f1dd86ec8c8ff35f5b
Opcode Fuzzy Hash: 6c5f53fff7e495d2bc3e9c5ad7c1a80d66dd9e534625365ca01c9baf08b07cec
Instruction Fuzzy Hash: 79111375D002499FDB24DFAAC444BAEFBF5EF48310F10842ED419A7200C779A904CFA4

Function 0522CBC8 Relevance: 1.3, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE ref: 0522CC2A

Memory Dump Source

Source File: 00000004.00000002.3150205008.0000000005220000.00000040.00000800.00020000.00000000.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5220000_csc.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 61c924b579ccb80788ec29f0273cf42c593405b311b82a230452b854b192f0c3
Instruction ID: 31e511976c69a33025388de9618e0791f57343cfa058a0e4c6eb66f11e992de2
Opcode Fuzzy Hash: 61c924b579ccb80788ec29f0273cf42c593405b311b82a230452b854b192f0c3
Instruction Fuzzy Hash: BE116671D003498FDB24DFAAC4457AEFBF5EF88324F20841ED419A7240CB79A904CBA4

Function 06BE0078 Relevance: .6, Instructions: 597COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150709470.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6be0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 748b0304cf54bbe5b4441a00fc8f77730f381d1db67d36304edb2b9d127bbc3e
Instruction ID: 87b4848ef98965359cf424f58fdb97687ff68d3e89e425809a0335e7acbba8d9
Opcode Fuzzy Hash: 748b0304cf54bbe5b4441a00fc8f77730f381d1db67d36304edb2b9d127bbc3e
Instruction Fuzzy Hash: 3B028EB0F406259FABB43AAD445473A25E6EBC9741B0550A9E607DB384DFF08C6287F3

Function 06BE0810 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150709470.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6be0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25e2e5ca821d8187cff790774366f098e5470e0b26e5bbb76dad3e64a80f3da0
Instruction ID: a3c1b4a7c241998378265f8aa8e944d61f0738cbf9d4666b574613bf8f1415fe
Opcode Fuzzy Hash: 25e2e5ca821d8187cff790774366f098e5470e0b26e5bbb76dad3e64a80f3da0
Instruction Fuzzy Hash: D3C19D78B002019F9B997FAC949813E7AA3FBC62017145469E907C7391EFB49C1787A7

Function 06BD6CD8 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c9f740e788bc2398f896e395431dfd895662038bb14545a0a51be5f03f9c06c
Instruction ID: 41690c820c11941bbf3ec3fe9be943418703cd72735a22a918a119e2bffcbcfe
Opcode Fuzzy Hash: 8c9f740e788bc2398f896e395431dfd895662038bb14545a0a51be5f03f9c06c
Instruction Fuzzy Hash: 09715C71D42369AFD7209A28DC04FEB7B79DB06255F0044E8E94AAF242F7204D49CBF6

Function 06BD22D0 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fba9253383b1bdcab18b12eeb9b668bcaa05a7105f721362ff74d35674227686
Instruction ID: 6eaaf36fae7a0357aff62e0a54f783ed9d239cd33d8b240e24932a3548a5ce3c
Opcode Fuzzy Hash: fba9253383b1bdcab18b12eeb9b668bcaa05a7105f721362ff74d35674227686
Instruction Fuzzy Hash: 6D919A74A006808FCB54DF69D594A59BBF2FF89300F1585A9E605AF3A1DB31ED01CFA4

Function 06BDD108 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34b3c67891e7499df666e7402e945681022cad2a1ad669c837e87df9ccafcb40
Instruction ID: a87ed017444ce64badbc8e15c331360a3656128dd0fe779fcc477bde76ef7353
Opcode Fuzzy Hash: 34b3c67891e7499df666e7402e945681022cad2a1ad669c837e87df9ccafcb40
Instruction Fuzzy Hash: 6681CD71B012189FCB14DFA5E894AADBBF2EF89311F2440A9E512EB390DB35DD42CB51

Function 06BD5D39 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bae939abe216b468abc82919afdf33350be58f13b011d73bd9e665f87d4fc6bb
Instruction ID: ebbe14f54bc6dedf66be7fc0df0ee344b45aaad233221d02d5accddc96d0830a
Opcode Fuzzy Hash: bae939abe216b468abc82919afdf33350be58f13b011d73bd9e665f87d4fc6bb
Instruction Fuzzy Hash: 6471CFB1604201CFE7A49F35D54CB6A7BA2EB46301F1099A8E407CF7B1FB799845CBA1

Function 06BD5D48 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eae7bdf4da5a9f3ed55486727be93440ae42fde2a6d2ff64a584fa96a10a8b6e
Instruction ID: b34b46c4bf70b0bc88955055627a17f9bb280ab2d9712c372b91b6010089cd80
Opcode Fuzzy Hash: eae7bdf4da5a9f3ed55486727be93440ae42fde2a6d2ff64a584fa96a10a8b6e
Instruction Fuzzy Hash: 9A71B0B5604201CFD7A49F35D54CB6A7BA2EB42301F1095A8E407CF7A1FB799845CBA0

Function 06BE0CC8 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150709470.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6be0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d6db422262389a4351b22568ee1e8861a1473a6fcce621c91351f02b7782d34
Instruction ID: 327ad3b241ed5af17255b9d200296dd5c737dcb0aa611dfa7454003144c4fa04
Opcode Fuzzy Hash: 3d6db422262389a4351b22568ee1e8861a1473a6fcce621c91351f02b7782d34
Instruction Fuzzy Hash: 21517FB07006024BE7082A9984A872AF2EBDFD8610F50447DB306CB355DFF98E1587A6

Function 06B8FAE0 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150493051.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd86241dfee7d9a233d7904ef66c8bf785098a2b52b1494dba17d19d81075d29
Instruction ID: 1fe4fab7f325818229a086bf03a6336e8c7d5a637ef5da5b3e48888dbfacb008
Opcode Fuzzy Hash: cd86241dfee7d9a233d7904ef66c8bf785098a2b52b1494dba17d19d81075d29
Instruction Fuzzy Hash: A6518C707006018FD7A9BFB8D85466E77A7EFC5240B2048ADE6068F391DE35EC42CBA5

Function 06BDB9D0 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db2291e16045ee648bfec620b0e6fce273dede749eb65efd21772e08dbd7e36
Instruction ID: 2bad72ad4bb48d163492c847e8bc6a70f803506aa752b5f1c2d1cd70e47af4ae
Opcode Fuzzy Hash: 0db2291e16045ee648bfec620b0e6fce273dede749eb65efd21772e08dbd7e36
Instruction Fuzzy Hash: 21514D76600100AFDB459FA9C845E597BB7FF8C314B168498F2099F372DA36DC21EBA1

Function 06BD6A39 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6714af7b75f32409f8d4c2ed39b400cd26b5f8b53bbcf20560f05d7d7090378
Instruction ID: c55a713786d12386c6ced783b71a2f4806bddd1656a70cbebf69a702014fa2c0
Opcode Fuzzy Hash: a6714af7b75f32409f8d4c2ed39b400cd26b5f8b53bbcf20560f05d7d7090378
Instruction Fuzzy Hash: 9151F270B00504CFEB94CF5AD545BA977F3EB89310F1490A9E1099F2A4FB789C89CB84

Function 06BDC3E8 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f4f4d6b82daaac8a9b02dcef5acc04c4821ae8843a1860c527c1ecfa746f80b
Instruction ID: ef9a2aa820428b96ef1528c521b1352c52bc014b8f58688c52693ecdadbd178a
Opcode Fuzzy Hash: 4f4f4d6b82daaac8a9b02dcef5acc04c4821ae8843a1860c527c1ecfa746f80b
Instruction Fuzzy Hash: 2D514670200B418FD3A59F29D44035A7BE2EF81310F248A6EE1568F3E1EB38E845CBA1

Function 06BD60D1 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5506e97b5180a3016ef0481e027e14577486ece385595ebc71eedf09e4b598f1
Instruction ID: d0c4ed6f19a66369ce44c1da2cc56b669ded8aa033e79db7af308e27ad9b4222
Opcode Fuzzy Hash: 5506e97b5180a3016ef0481e027e14577486ece385595ebc71eedf09e4b598f1
Instruction Fuzzy Hash: 95415E787456108FC7496F78E95C22D37E2EB8A302F104468E40BCB3A5EF788D45CBA6

Function 06BDD428 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0ac9de2b4acbe26d070e823ff0a284e175ab808f721ae87ee9b2794a307056c
Instruction ID: 9b8f008298926914cb834e1a8cbdc2ff10b94b911ca2ce4d3fe71d28b30d067a
Opcode Fuzzy Hash: b0ac9de2b4acbe26d070e823ff0a284e175ab808f721ae87ee9b2794a307056c
Instruction Fuzzy Hash: CD4140B5B00205DFDB54DF69D894B6AB7B2EF88214F1484ADE5469F350EB31E801CF90

Function 06BDC273 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c0ccd4e12ac884b98bc8352c7b93ae204655e6962071157b3d9566e1ef10e1f
Instruction ID: 90a497018abaa068d2e5dabdc473641a20d061c32171ba35939e23662b49438a
Opcode Fuzzy Hash: 4c0ccd4e12ac884b98bc8352c7b93ae204655e6962071157b3d9566e1ef10e1f
Instruction Fuzzy Hash: 543104357053516FD7196BA9E844A9FBFABEBCA220B14407AF609CB361DF318C01C3A1

Function 06BDD5B8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b1413e2e67265e6bb62b25d7e2e39af5eaeb43fcbbfc502e0f4df0248013ea4
Instruction ID: 43c41ab87b88f0d4ae6d642cde52aa82c3505ad6a7e1253c653a7f62e62230ea
Opcode Fuzzy Hash: 4b1413e2e67265e6bb62b25d7e2e39af5eaeb43fcbbfc502e0f4df0248013ea4
Instruction Fuzzy Hash: 7141BFB0E006198FDB54DFA9C8406BFBBB5FF88304F008469E589EB261E734D945CB91

Function 06BDC3D9 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3813b46b8e0b3116ad9a3bae79ba38f00d69277054662e0dc20c9b8748bf8c26
Instruction ID: ff40a92e45ccaed3232f917670813b0771555da2d04398c58c13a51006246328
Opcode Fuzzy Hash: 3813b46b8e0b3116ad9a3bae79ba38f00d69277054662e0dc20c9b8748bf8c26
Instruction Fuzzy Hash: 4931B4B1500B018FD374CF26D484357BBF6EF84310F208A6DE5968B6A1EB75E945CB91

Function 06BDAF80 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc062c12669dd0374fa556084236c775d6743b248f0ab4cba62e56289d6523f
Instruction ID: 53eae6e56dc60853d9562be939250bd08fc4624baa6b0ab16752992bb866f254
Opcode Fuzzy Hash: 1dc062c12669dd0374fa556084236c775d6743b248f0ab4cba62e56289d6523f
Instruction Fuzzy Hash: 1031D3B0A00104CFEB54CF56DA48BEA73F3EB88311F2580E9E205AF6A4EB785C45CB55

Function 06BDAF90 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b95e7269e787184af2d4d5299095b81c5815aacfa9a9d199b1b435076d486ab1
Instruction ID: dd0390b3c4ce5446b87aaca7fc9efa57d3c3a98a53591cd3c2a2cc5129360d5b
Opcode Fuzzy Hash: b95e7269e787184af2d4d5299095b81c5815aacfa9a9d199b1b435076d486ab1
Instruction Fuzzy Hash: 3131C3B0A00108CFEB54CF56D648BAD73F3EB88311F1580E9E1059F6A4EB789D45CB55

Function 06BDB0D4 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34d322c53a7ed0df1ccc1b33f01ef9f720c31338ac07a09d164f3e15c97494e8
Instruction ID: 824a852866ad8e9c0d2ddabbbd632037c343e85372641886879011b026c9b33b
Opcode Fuzzy Hash: 34d322c53a7ed0df1ccc1b33f01ef9f720c31338ac07a09d164f3e15c97494e8
Instruction Fuzzy Hash: D531FFF0A00104CFEB94CF96DA88BA973F3EB88351F1580E9E1059F2A4E7788C45CB15

Function 06BD6848 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb844724b96ded8b753b3b4ff058a7d2a12faf7b59723b3689da491ce8b4a677
Instruction ID: b20f887bdea56f562bb20a5b8b877a61f78bb9a68d6407073c801cc78a4f43a0
Opcode Fuzzy Hash: eb844724b96ded8b753b3b4ff058a7d2a12faf7b59723b3689da491ce8b4a677
Instruction Fuzzy Hash: ED316BB0E002059FDB54DF69C558BAEBBF1BF4C310F1040A9E406AB3A1EB759D45CBA0

Function 06BDF8F0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02885be4aaa2ace8da85e8deffceed5625021fe53efb5b3ffd53e72a610cac8c
Instruction ID: 1e68f5f58c8ea77a990de5ecee40145b3b1adb566c9f67d855c0b6d2b35a30df
Opcode Fuzzy Hash: 02885be4aaa2ace8da85e8deffceed5625021fe53efb5b3ffd53e72a610cac8c
Instruction Fuzzy Hash: E0213DB1E04209AFDB50DFB8D5047BE7BF9EB44350F1480A6D516DB251E638CA41CB91

Function 06BDC180 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2cd2ba44fef77643b028ccb1f0cda58841c4459dd4e92ddc2584ec1b0bb45a3
Instruction ID: 58f70fb3d96bdde622bf4ad8cd2e52eef47c052591a13fdad422666bbba8fd7f
Opcode Fuzzy Hash: e2cd2ba44fef77643b028ccb1f0cda58841c4459dd4e92ddc2584ec1b0bb45a3
Instruction Fuzzy Hash: F5215C31A04219AFDB159FA8C454ADEBFB7AB8D320F145129E911A7390DB319C42CB91

Function 06BDB700 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85d6a2b9d819f70db89babaf92a28992db0159cfc14ebf6f0a09432ec90fba5c
Instruction ID: 8acb89d3c39ff81448055ca0fe292424b3ace2e67c3ad943e9a4e5b6cf6e4e5a
Opcode Fuzzy Hash: 85d6a2b9d819f70db89babaf92a28992db0159cfc14ebf6f0a09432ec90fba5c
Instruction Fuzzy Hash: 9421B0707103099FD754ABAAD84979F7BA6EB88310F108528F10BDB681DFB55D0287A6

Function 06BDC190 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39e0ae4d9543c4b121192cbab843ae61023c3ee5ccfdb8f526e8232f8fa0afce
Instruction ID: 2d9d0cb0497d9bbeb07589b905a508ebae33402b37c721ceb661dea1d2d4fbae
Opcode Fuzzy Hash: 39e0ae4d9543c4b121192cbab843ae61023c3ee5ccfdb8f526e8232f8fa0afce
Instruction Fuzzy Hash: 8F213D31A00219EFDB159FA8C4449DEBFB7FB8C320F149129E915A73A0DB719C42CBA1

Function 06BDAD20 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4178d63fc5b81ed36e5d371ea1ec88b07739b581d44e39a792e6f6e66f3349e6
Instruction ID: 4e3d3dcec261a0dd317fc3be9cd11e31231d6fad10f4caafc78b1e6a84394b73
Opcode Fuzzy Hash: 4178d63fc5b81ed36e5d371ea1ec88b07739b581d44e39a792e6f6e66f3349e6
Instruction Fuzzy Hash: B911CB307046186FE358EABA8C51BAB6ADAABC9350F11447CB50ADB3D1DEA59C0543E8

Function 06BDCB31 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecaa1656c4ed89b2dbdb36078e71e647a7fcc5c822e7b306603c04c385de1be3
Instruction ID: 6305a4c1454a0f7da8f8b303183b5a900b8c1ee25bb7f1bdfdd9c7078733677f
Opcode Fuzzy Hash: ecaa1656c4ed89b2dbdb36078e71e647a7fcc5c822e7b306603c04c385de1be3
Instruction Fuzzy Hash: 7611A375B002099FDB54AFB99845BAE7FF6EB88610F144069E646DB3C0EB71C901CBA1

Function 06BDC77A Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04c4e66e209bf0e1388d8e7cb377723f9bea5a38ae13e0c5dd330b006199caab
Instruction ID: 0a48cc96cb934e27bb73f805ac51656a6d52f9f299b4d249ada3b5919b84eb3f
Opcode Fuzzy Hash: 04c4e66e209bf0e1388d8e7cb377723f9bea5a38ae13e0c5dd330b006199caab
Instruction Fuzzy Hash: 9811D63A300345AFD7018F59EC80FDA7BA9EB89B20F0040AAFA04CB291C6B1D810C760

Function 06BDCB40 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59765795b4d5424877dcff54edd346f0cc5031945e5b3957154b1c3b108b3b08
Instruction ID: 6b39caf5c068f37969437b25922d2ae869c9d1c0c9124a4624c1495c30f7a18c
Opcode Fuzzy Hash: 59765795b4d5424877dcff54edd346f0cc5031945e5b3957154b1c3b108b3b08
Instruction Fuzzy Hash: FF11CA75B002199FDB54AFB988447AE7FF6EB88610F104069E606DB3C0EB71C901CB91

Function 06BDC8A9 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69d92ddaa2e79ba983b2b8cc91406c8e4484587529620e9af9941165f9fe154b
Instruction ID: 8e9f14cbde8cf43152a53edc749c6ff8d1a6832cdb2d0705c5567f49758b0a57
Opcode Fuzzy Hash: 69d92ddaa2e79ba983b2b8cc91406c8e4484587529620e9af9941165f9fe154b
Instruction Fuzzy Hash: 95216279B022199FDB44DFA8D594EADBBF2BF49300F104098E402AB361DB34AD41CF54

Function 06BE005C Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150709470.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6be0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de6080379b4257b2516a0d6b01095c1217ba5d492459b022750e5b32f2799155
Instruction ID: 095278a4c26189c870861d5b8ad5b8cb282ecf2c87910242437769b982d659a5
Opcode Fuzzy Hash: de6080379b4257b2516a0d6b01095c1217ba5d492459b022750e5b32f2799155
Instruction Fuzzy Hash: 0501F275B093508FD7662B2958240AA3B62EBC3222B1800EBE846DB651C7654C96C7B3

Function 06B86D3C Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150493051.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa1fa54f7bf3ca9f7c869ed2eb4e50b50a91a02bff6cb655eaa2089cf088f8ba
Instruction ID: 74f54d74d51b203994a351a158d7f527db6da7dd7ce701a0fa10883f96d985c8
Opcode Fuzzy Hash: fa1fa54f7bf3ca9f7c869ed2eb4e50b50a91a02bff6cb655eaa2089cf088f8ba
Instruction Fuzzy Hash: 4A11D6B8A01214CFCB54DF68C48499DBBF5BF48221F1591E9E909A7351C734ED85CF90

Function 06B81071 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150493051.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2a34fbc77f01df8baa96e1e6ae837b10e526931008502e7292ebd38644064c2
Instruction ID: 5c65b9c885e511b8305cbfcfb58da829a6e8ec7b4236c77df619d5d513ad8df3
Opcode Fuzzy Hash: c2a34fbc77f01df8baa96e1e6ae837b10e526931008502e7292ebd38644064c2
Instruction Fuzzy Hash: 09F0F6B3E05155AFDB50AFBA9C056AEFB66DB84611F09C0BAD509D3100E6388C13CAD2

Function 06BDBC18 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3f973f5e996e82883e93a8863fb04d61218dcec065a632af7363cd94c8bf251
Instruction ID: acb3bf9e52ce2285cedd7c52a8165ce4b6d7274fab5d28d04c75142ec067c25d
Opcode Fuzzy Hash: a3f973f5e996e82883e93a8863fb04d61218dcec065a632af7363cd94c8bf251
Instruction Fuzzy Hash: 56F059F2F0D2514FF75613645CA43296BA0EBC4300F0944EAC0428F2E5E946DC02C381

Function 06BDBBBA Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d7c2cac8337cd6305a1a6c5ec09acf6db7459f900b942e80349cc388537eb99
Instruction ID: f25a240075d8013f3aefcbdee9dc4879106276680329feecc7b1715a29fe78f9
Opcode Fuzzy Hash: 8d7c2cac8337cd6305a1a6c5ec09acf6db7459f900b942e80349cc388537eb99
Instruction Fuzzy Hash: 2EF02B72F096525FE3588614984471EF7A5EBC9320F0944ADE5069F3D0D761AC41C380

Function 06BD6CC9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e192f39e1fbb1e6437fd3be303e03f8ef95539632a675e42cf1cf84df5898ee
Instruction ID: 6e8983cbe042406e378170fca23778d3485ed6525fd814bf1ffb98663681ca3d
Opcode Fuzzy Hash: 3e192f39e1fbb1e6437fd3be303e03f8ef95539632a675e42cf1cf84df5898ee
Instruction Fuzzy Hash: 6AF046B1E412025FD7608F2AE944F217BD8DB8A310F1644D5E8048F2A1F720EC41C2A1

Function 06BD2610 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59c28a08831057953390435804bcf85d4c99b7ae8c0a0bdb312b81d95aa7ea28
Instruction ID: 68a5e8239dc9eb856610c2cb82b7f01fa4ddd28587bd944edf4cbe003f727c28
Opcode Fuzzy Hash: 59c28a08831057953390435804bcf85d4c99b7ae8c0a0bdb312b81d95aa7ea28
Instruction Fuzzy Hash: 3CF0A7363042241FE31866791C55B7B5A5ADFC9650F16817EE40E9B296CCA18C0543B5

Function 06BDDF80 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe4c9322f462e91b31303439cd0a7779489a878adc052f04ce22d8925032f8c2
Instruction ID: b07349aa9f52e173ab5c90b19159dd939ea9599a616644b21aaeb6be477d508d
Opcode Fuzzy Hash: fe4c9322f462e91b31303439cd0a7779489a878adc052f04ce22d8925032f8c2
Instruction Fuzzy Hash: EEF0E971E04318AFC709DFA8D8487DDBFB6EF41211F0580D6E046D7281DB300A81C795

Function 06BD2F51 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfdc81524102b7322a30277de0cae2aad79547ebc2835d7ede5703352910a3ce
Instruction ID: d31797baadad64b033a97a9475b8a9ccd5dbd9db3978438a57a68ec3770ffd0f
Opcode Fuzzy Hash: dfdc81524102b7322a30277de0cae2aad79547ebc2835d7ede5703352910a3ce
Instruction Fuzzy Hash: BD01FBB1D01276CEEBF4AB64C944795B3A5EF05340F0650E4CA1A6B250E734AE85CB92

Function 06B81080 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150493051.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c7471b44bc1ee3ba47a0b30f817cac48ed3b960a200e42f19bfea3ae8106f74
Instruction ID: 52bed25e23347c7487a5f8cba845472d8a35fc068db6c35734f6805920e178e3
Opcode Fuzzy Hash: 0c7471b44bc1ee3ba47a0b30f817cac48ed3b960a200e42f19bfea3ae8106f74
Instruction Fuzzy Hash: A7F08972E051659FDB50EFBF981466EF7A6DB84611F05C0BAD90DD3100E6758C13CAC1

Function 06BDB68F Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4bd14d7facf6d1a94c388f49e2edeff4d9e6c079a4200ab3dd25ffc50d32a61
Instruction ID: ef192e3b086f112e46d3d74b0685f7958b00cc40a627c2929eca45c6659cc9a3
Opcode Fuzzy Hash: c4bd14d7facf6d1a94c388f49e2edeff4d9e6c079a4200ab3dd25ffc50d32a61
Instruction Fuzzy Hash: 0FF05C70A1638CAFCB45DFB2AC426EE77A5CB45204F2041D5F809CF282E9350E1043E3

Function 06BD96DF Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62489d962fbc8688eb5e86a58bc84f3a3d57372bc1351d1b9a6e732f1e3d0cbd
Instruction ID: 4cb055bedb01d89a0aff1e2bded70c0d642208fe91d3eb32bfb4e50f864eecf2
Opcode Fuzzy Hash: 62489d962fbc8688eb5e86a58bc84f3a3d57372bc1351d1b9a6e732f1e3d0cbd
Instruction Fuzzy Hash: 95F04974B115108FC788EB38D85976D77E6EF8A311B0114A8E90BEB3A0EE349D45CBA5

Function 06B81332 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150493051.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af32ba75a7f67c5778fe33f8db24ce2a3c15b5353ca97f4319bb0b3840d729f3
Instruction ID: dabaaa67be9cb696ebbe4a361dd46615e9fdef43863be81deed26c13d9a3e97b
Opcode Fuzzy Hash: af32ba75a7f67c5778fe33f8db24ce2a3c15b5353ca97f4319bb0b3840d729f3
Instruction Fuzzy Hash: 01F0F9B1D062738FEB90BB9CC9406ADB7B6AB14751F4604E4C91577201DB60ED07CB81

Function 06BD2620 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30243103deede54b6a93de80e3317c5dc88f66906a35e123103138cc196339dc
Instruction ID: a2e08702e3dd37289a7689a44904f6029a42fb269a3df85ddeab2a169d921716
Opcode Fuzzy Hash: 30243103deede54b6a93de80e3317c5dc88f66906a35e123103138cc196339dc
Instruction Fuzzy Hash: EAE012253042182BE31C266A5855B3B958EDBC9690F55802EB50ACB395CDA58C0102F5

Function 06BDACE0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce18316b6345b529f207c1ac91d31f09db8a08595d49febe5582c395e53a6209
Instruction ID: bba8d1681ec847483813682c1b8e0cffecd1c3c748a1d21a603d6ecfae081f75
Opcode Fuzzy Hash: ce18316b6345b529f207c1ac91d31f09db8a08595d49febe5582c395e53a6209
Instruction Fuzzy Hash: 2AE04F7254F7D86FC75317706C618AB3F78080326531E01DBE488EA5A3D01A4A16C377

Function 06BDDF90 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e85266be134dda401bf223c66c167604f0563e1d99017595e477066bee477d6
Instruction ID: b9a9bb99ed966bec855f9a3f6f043843b3111b93166dc2b0e1074aba45aba444
Opcode Fuzzy Hash: 0e85266be134dda401bf223c66c167604f0563e1d99017595e477066bee477d6
Instruction Fuzzy Hash: 5AF06571E04218AFCB09DF99D48C6DDFFF7EF84621F048095E00697240DB701A81CB85

Function 06BDF8A0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 927c8beb8b1758dfc0e66481f0130618755b53ffb338fa0983a5d84591319b1e
Instruction ID: 84bbc2ce0f3a8b2ad22941454731eb2faa0e8fd709590612e2368c39e73465d2
Opcode Fuzzy Hash: 927c8beb8b1758dfc0e66481f0130618755b53ffb338fa0983a5d84591319b1e
Instruction Fuzzy Hash: 4EE0E2A260E3D29FC307572088219CA7F316A6329030B40C3E5C4DF263E1288E2AE727

Function 06BD69F8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd6d4a32b0c21060e84e1e8c73d9194b2afead7bbd5ff20dc505f6b74e31f417
Instruction ID: d7b3eb31c2e19d50ffffc3b27fa329d5c578862777ae36f577b4a7b4be887945
Opcode Fuzzy Hash: fd6d4a32b0c21060e84e1e8c73d9194b2afead7bbd5ff20dc505f6b74e31f417
Instruction Fuzzy Hash: F0E08676D05308AFC710DE749C41ADA7BACDB49311F1005F9D905D3261E9319A158791

Function 06BDB648 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bad44ba1ba10c93df8b4e5f2d68e2dbf99c4994061ee2ec424a9f0861a14d4b0
Instruction ID: 0c874584a25358152e5d62712a1f2f92fea159d5acfc0b6e793d0c0cf6f5fcd0
Opcode Fuzzy Hash: bad44ba1ba10c93df8b4e5f2d68e2dbf99c4994061ee2ec424a9f0861a14d4b0
Instruction Fuzzy Hash: 76E0DF31A05208AFC700DFB9E94469E77A6DB48201F204098B90A97381DA721E1087B3

Function 06BD6A08 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a303a4f5523be986b8b468fa5127952018fc6310960d0137e1128097e035032
Instruction ID: 81bf7177b801248cca75d053541818dae365c7c37b0fbaca1993f02516f1e1d6
Opcode Fuzzy Hash: 8a303a4f5523be986b8b468fa5127952018fc6310960d0137e1128097e035032
Instruction Fuzzy Hash: 74D01772A0520CABCB10DEB5AD015AAB7ACDB09221B1009F99D0DC3200FA329A15D791

Function 06B88D0A Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150493051.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38350bf9f7600a7ab3fb76d4445759d9526a3a89a26b901049ae66a58ad3ff56
Instruction ID: 715bf46abca35310cefbdcf3aa1af7fb8290e44a6497ba8ce59ea582b32ea3d0
Opcode Fuzzy Hash: 38350bf9f7600a7ab3fb76d4445759d9526a3a89a26b901049ae66a58ad3ff56
Instruction Fuzzy Hash: 8FF09278A01218CFD754DF28C584A88BBB1BF4D314F1141E9E90AA7361C730AE81CF40

Function 06BDB6A0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50c27e067ae6a40d46be77757a4e5ab8e3ef52c625431bae8d0f7553a7c91928
Instruction ID: 727712a338d32d6137f2fcd516f7138786d99607349e0e18c98ed7ba05596bef
Opcode Fuzzy Hash: 50c27e067ae6a40d46be77757a4e5ab8e3ef52c625431bae8d0f7553a7c91928
Instruction Fuzzy Hash: 56E0C230A0120CEFCB04EFF5E98176E73BAEB44204F208498F506DB280DE312F009792

Function 06BDB658 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f72b2d8939ba79e198c24a981dfdab70dca7be4a590d4d5debfcfc0cb8fc82a
Instruction ID: d876a77e1bc983577d477ca7e333300809778c83e1ef1106ff512e6c57c6c239
Opcode Fuzzy Hash: 5f72b2d8939ba79e198c24a981dfdab70dca7be4a590d4d5debfcfc0cb8fc82a
Instruction Fuzzy Hash: BBE0C230A0010CEFCB40EFE9E50469E73F6EB44210F204098B40AD7380DA321F1087A2

Function 06BD2D08 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1ddf783a994ce644aa5788845060f1038947da62cfec7aa50965a9e80802b3f
Instruction ID: 776c201bafac83f31fd054472a1f970dfc9077d4ffcc443544f91b822798c9ba
Opcode Fuzzy Hash: a1ddf783a994ce644aa5788845060f1038947da62cfec7aa50965a9e80802b3f
Instruction Fuzzy Hash: 6CE0B6B5D01635CFEBA4DB24C880B99B7B5FF09351F0141E4CA4AAB221E730AD45CB41

Function 06BD78CC Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97b717e270a8d393b3ffde7867507027ab904765b9d50ae3a1659e0697581b05
Instruction ID: 856baa656263de67ae9352b89ac3e3f7b98e91ca1ec64993675efd130e4778d3
Opcode Fuzzy Hash: 97b717e270a8d393b3ffde7867507027ab904765b9d50ae3a1659e0697581b05
Instruction Fuzzy Hash: 1ED017B4F012568FFBD89A2A98456652317ABC5200B2595BAA0025E294EF3B4900EA96

Function 06BD3C5C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b311cfe134be0ee8f90e4136c2738b05b2bf6c0bee93f6f1e2dc2ac2104bf665
Instruction ID: cad58a4b58e6cb737daf1708b0be3d0e8d29973ee03f4b8e14fba172426048e6
Opcode Fuzzy Hash: b311cfe134be0ee8f90e4136c2738b05b2bf6c0bee93f6f1e2dc2ac2104bf665
Instruction Fuzzy Hash: 12D0CA34800628CBDB668B20C800B9AB672AF04302F1080E9890967340DA365E868F91

Function 06BD69AF Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76b778587a2be7add9f4485379a5ed2acc7ea27731e818371d2b3a1d72850873
Instruction ID: ae23f420ef46ab5fb53a12284333c6a52c1ff2ab81e4d2735d0360b1e0fb0f1e
Opcode Fuzzy Hash: 76b778587a2be7add9f4485379a5ed2acc7ea27731e818371d2b3a1d72850873
Instruction Fuzzy Hash: A5B01277B0001986CB00D6C8F4C04DCFB30DBD4332F004033C324620008730157AC7A0

Function 06BD8FCE Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10ce1e86b3c5ca348c1496f46a12b672b430c5204718dec6403bc1e973a6e660
Instruction ID: 5ba1691037766c2b17e9c141901a0679730646fbe07093444b92700234c9b5fb
Opcode Fuzzy Hash: 10ce1e86b3c5ca348c1496f46a12b672b430c5204718dec6403bc1e973a6e660
Instruction Fuzzy Hash: 74C09B709021568FE784DB14EC497543322A741300F1195E4640D6A2A49D391F45CFC1

Function 06BDCB1E Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4877bf1a401686477d32cd513661760759064a3487441e32f821e9dedad4ab58
Instruction ID: 179c77a54af812d73f998989a676ac6043929da4181dbceebf0d5976cbc87214
Opcode Fuzzy Hash: 4877bf1a401686477d32cd513661760759064a3487441e32f821e9dedad4ab58
Instruction Fuzzy Hash: 15A002747826057EEF2077E66E0BFCA7A1AAB40F11F102080B30A5C0C24AE2548189B7

Function 06B81C48 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150493051.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f725f804abf44d1cbcf84273ee09974fdb1ccba9c197a3c344760bf18a8ae25
Instruction ID: 6ee85b4155d051ab7ab1ad3f1b4a772bf4c18acbccbc14ae59e72226a72b0b5d
Opcode Fuzzy Hash: 2f725f804abf44d1cbcf84273ee09974fdb1ccba9c197a3c344760bf18a8ae25
Instruction Fuzzy Hash: EAB012389050018FE700A790D00839C76229B48322F0880618C0633784857D8C86CAD2

Function 06BDACF0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b98f38ca89d776274bf3ef54d8f895f84ccb1e92ba24232317d860732b4e72a8
Instruction ID: 7308059fdb63845f292333ba6868f628586d62cb967f5e76061d76a9621f69cd
Opcode Fuzzy Hash: b98f38ca89d776274bf3ef54d8f895f84ccb1e92ba24232317d860732b4e72a8
Instruction Fuzzy Hash: EC902230002F0C8B0A802BE03C080003B0CB0020003800020A00C802000B22300200A0

Non-executed Functions

Function 06BFE3F8 Relevance: .6, Instructions: 555COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150744731.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bf0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48de5c6cba0ab38f8f2674ffc819e852b2a2c0023491c118013b846596983001
Instruction ID: 4373ef75d19cd055e2664bd19aa1294cfeb3652f90ebef4426c6060fc03e06fd
Opcode Fuzzy Hash: 48de5c6cba0ab38f8f2674ffc819e852b2a2c0023491c118013b846596983001
Instruction Fuzzy Hash: 9A226AB4B002159FCB98DF69D49467EFBF2FB88300F248929D65697361CB34E906CB91

Function 06BDF128 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddabb1b656a3459e8dd9f4c9b328f11fcf297ed15a3dcbf119aec402c2e40628
Instruction ID: 94203e1f9edc6ffdc45f74a349b3d4d17aef0f1ec01773ef509e645dc02b2eea
Opcode Fuzzy Hash: ddabb1b656a3459e8dd9f4c9b328f11fcf297ed15a3dcbf119aec402c2e40628
Instruction Fuzzy Hash: FAD11874A046058FDB94DF69C684AA9B7F6FF88314F25C4A9E5069F361DB30EC41CB60

Function 06BD5948 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58173f05cd84ca3d746411ff3c2738bd6d78d20518137ae649c19433847ea9ad
Instruction ID: c912a03285c8ec98705beee76d2e632d9458a315ae5a7b684f636c65b7d21d05
Opcode Fuzzy Hash: 58173f05cd84ca3d746411ff3c2738bd6d78d20518137ae649c19433847ea9ad
Instruction Fuzzy Hash: D2C191B2E005298FDB64CBA9C9806AEFBF1FF44301F5885A9D455EB242E734ED41CB94

Function 06C92B10 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150809099.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 444e2c0774de8fed759f1d60e87916105080cbcb7c31e8508302cd557e2a326d
Instruction ID: dd4d55c06938f51efd3644bec0c6e839592326b8bd6cf96688ca5c325982c0c9
Opcode Fuzzy Hash: 444e2c0774de8fed759f1d60e87916105080cbcb7c31e8508302cd557e2a326d
Instruction Fuzzy Hash: C0B18F70E102099FEF54CFA9C88979DBBF2BF88304F14852DD445A7294EB78DA41CBA1

Function 06C97BF6 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150809099.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 182eb967c05c7695f98ebff8ceae1196b756fd2761b797cdef45f31136406435
Instruction ID: 2027f6eed9814b97910429a5dea63cb61d50498b9e0c292266350cf61438bd2d
Opcode Fuzzy Hash: 182eb967c05c7695f98ebff8ceae1196b756fd2761b797cdef45f31136406435
Instruction Fuzzy Hash: 86B15C30A22100CFDB94CF29D58CBA977F3FB89315F2584A8E4059B7A5D778AD85CB60

Function 06BD5937 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 122a3be2ac6c7560c3ef8b25f9f0c4714dfe43151d108ca132600b819f90a9b0
Instruction ID: 0c3250ae5da783fbbd9a75fc34251f1bcbf2fccf1d4ed817adc24ce6eb1094f4
Opcode Fuzzy Hash: 122a3be2ac6c7560c3ef8b25f9f0c4714dfe43151d108ca132600b819f90a9b0
Instruction Fuzzy Hash: A27161B2E005298FDB54CFA9C8806AEFBF1FB48311F188569D415EB245E734D946CF90

Function 06C939A1 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150809099.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8f9db3a074b03dc3d442351519d9114e1cf6ce9491db58999dbc0688952145a
Instruction ID: 542ac08bcb656b12d103d7ed1f5071e82db99ec70deb36d3e567a18f16ab9fc0
Opcode Fuzzy Hash: f8f9db3a074b03dc3d442351519d9114e1cf6ce9491db58999dbc0688952145a
Instruction Fuzzy Hash: C161B430B01180CFDF94CF6AC588B6A77F3FB85311F248069E0099B6A4DB789D45CBA4

Function 06BD20C3 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a3276dddb18dc9703b9434e07392f864728b66a7a2d09f9bde8e3f606b0b3c4
Instruction ID: 773aef9462a5a04d9fd1ae2faa83a9541813480448ce9e59777421b5d6cd86ca
Opcode Fuzzy Hash: 3a3276dddb18dc9703b9434e07392f864728b66a7a2d09f9bde8e3f606b0b3c4
Instruction Fuzzy Hash: 53812A74A006488FDB84CFA9D595BAD77F2BB49304F50846EE42ADF3A1EB389945CF00

Function 06C939B0 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150809099.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e78b0b0853d13a0b868c0fac6c9f10d9d8bb00f8a05e946887770cc37026d61
Instruction ID: 9eb0b1e78e19421af3fcf41c23607fb26acdbce9721ca8d2a48278ac3994571c
Opcode Fuzzy Hash: 5e78b0b0853d13a0b868c0fac6c9f10d9d8bb00f8a05e946887770cc37026d61
Instruction Fuzzy Hash: CA619330A01184CFEF94CF6AD588B6A77F3FB84311F148469E0099B6A4DB789D85CBA4

Function 06BD2024 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d416000fe016028a7d103a67a2ba5bf7cdabc1a7735f55cb537dbb8e2dce15ff
Instruction ID: e7e89d522a7d1f69e8bf02439dadbb6dfc9d30b5a89120d8e929222f0967f7f3
Opcode Fuzzy Hash: d416000fe016028a7d103a67a2ba5bf7cdabc1a7735f55cb537dbb8e2dce15ff
Instruction Fuzzy Hash: 79811874A016488FDB84CFA9D595B9D77F1BB4A304F5084AEE42ADF3A1EB389945CF00

Function 06BD1C00 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60533016970455bace3383fef3b347c9ef7d74bb6ecc3a5ab90fac975b351752
Instruction ID: c3f12e94e8efa4a0051cbab5814f8bfa0fd9d56b2b014531f79b71b66f13037a
Opcode Fuzzy Hash: 60533016970455bace3383fef3b347c9ef7d74bb6ecc3a5ab90fac975b351752
Instruction Fuzzy Hash: E1615C74A04648CFDB44CFA9D595B9D7BF1BB4A304F50806DE41A9F3A1EB389945CF00

Function 052244A6 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150205008.0000000005220000.00000040.00000800.00020000.00000000.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5220000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75e1cb6f9e095ed886770ed8ae6c05bc035ba6f0cdc0935be987ef02e6e65284
Instruction ID: a6aae3014cdd3b8d4f1074964a5ed1b2442826090aeb9e6bfa5cc68c70f9c3dc
Opcode Fuzzy Hash: 75e1cb6f9e095ed886770ed8ae6c05bc035ba6f0cdc0935be987ef02e6e65284
Instruction Fuzzy Hash: BC51AC34A057848FE708DF6BE84568ABBE3BBCA300F14C529F4149F3B4EB7919059B64

Function 06BD1FDF Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf364da0e719b861a3103b653d5cb2424bbbe6ef3f9bebfeb63ca2ddc658a703
Instruction ID: 2cfd89a4f672776b0e4a5ff3214447ebe51d7044ce06176ea1f13e676530bbf6
Opcode Fuzzy Hash: cf364da0e719b861a3103b653d5cb2424bbbe6ef3f9bebfeb63ca2ddc658a703
Instruction Fuzzy Hash: 62713974A00648CFDB84CFAAD595B9D7BF2BB46304F54846DE02A9F3A1EB389945CF00

Function 06BD2141 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00383f41a1c064a3c80cdbd70d132850c71bef1962eef502712af58828aa0efa
Instruction ID: c61943bee3a586b157239c1a1cf15e69b85cb615dcece5ad202e492b50c5ac5a
Opcode Fuzzy Hash: 00383f41a1c064a3c80cdbd70d132850c71bef1962eef502712af58828aa0efa
Instruction Fuzzy Hash: 1E712974A00648CFDB84CFA9D595B9D77F2BB46304F5084ADE02A9F3A1EB389945CF00

Function 06BD1C10 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31a1e21fbb347996f338997cce96d6979255a35ee739112402a34ef472aaab43
Instruction ID: 6909609c621746e8d8ae37da3c791f753d7c1c1ae35969348dfe45d12c6bade7
Opcode Fuzzy Hash: 31a1e21fbb347996f338997cce96d6979255a35ee739112402a34ef472aaab43
Instruction Fuzzy Hash: CB615974A00648CFDB84CFA9D595B9D77F2BB4A304F50806DE42A9F3A1EB389945CF40

Function 052244B0 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150205008.0000000005220000.00000040.00000800.00020000.00000000.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5220000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41a81af9e77af1a5beb881c040285500e6e639997a55651e9acb39662d0bf8a2
Instruction ID: 1281ed6059f31715c4bec70c5179dace668a3bc8e3d190c223e9f9d8dff0efac
Opcode Fuzzy Hash: 41a81af9e77af1a5beb881c040285500e6e639997a55651e9acb39662d0bf8a2
Instruction Fuzzy Hash: 6E51B934A057848FE708DF6BE84568ABBE3BBCA300F14C529F4149F3B4EB7919059B64

Function 06BD2099 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1eecc3b37876f337d9138cc8154e54d77e8d5f78a37c59f8e986d5e32015b3f
Instruction ID: 9248b581d547e1bd854c78184eb88ff9cf9c13e01deaa9a366bee0f3e63f9c40
Opcode Fuzzy Hash: c1eecc3b37876f337d9138cc8154e54d77e8d5f78a37c59f8e986d5e32015b3f
Instruction Fuzzy Hash: 20614974A04648CFDB84CFA9D595B9D77F1BB46304F5080ADE02A9F3A1EB389945CF00

Function 06BDA44C Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3150679385.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6adaee35817ba6a5114cbe4ec0a8a7f44ea17b964c82f463571d70b3bfe22565
Instruction ID: f6a074f355870b0fa69d59bd5fa5246ada7943276e903dfedad677102f45233b
Opcode Fuzzy Hash: 6adaee35817ba6a5114cbe4ec0a8a7f44ea17b964c82f463571d70b3bfe22565
Instruction Fuzzy Hash: 4011E332B14624CBEB1CCE3CDC503ADA6E29788310F1546BCD44AE3741E574CD168B85

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MicrosoftWORD.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Favorites\components\assets\Chrominum_A.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
MicrosoftWORD.exe

Function 06C90006 Relevance: 1.7, APIs: 1, Instructions: 184
libraryCOMMON

Function 06C90040 Relevance: 1.7, APIs: 1, Instructions: 159
libraryCOMMON

Function 06BFFB30 Relevance: 1.6, APIs: 1, Instructions: 150
COMMON

Function 06BFFB40 Relevance: 1.6, APIs: 1, Instructions: 143
COMMON

Function 06C95983 Relevance: 1.6, Strings: 1, Instructions: 314
COMMON

Function 06C95988 Relevance: 1.6, Strings: 1, Instructions: 311
COMMON

Function 06C9597F Relevance: 1.6, Strings: 1, Instructions: 309
COMMON

Function 06C959C8 Relevance: 1.5, Strings: 1, Instructions: 289
COMMON

Function 06BF1468 Relevance: .6, Instructions: 555
COMMON

Function 06C900F9 Relevance: 1.6, APIs: 1, Instructions: 101
libraryCOMMON

Function 0522CA18 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Function 0522CBC8 Relevance: 1.3, APIs: 1, Instructions: 49
COMMON