Edit tour

Windows Analysis Report
ReaderPDFadobe.exe

Overview

General Information

Sample name:	ReaderPDFadobe.exe
Analysis ID:	1587448
MD5:	5b3f4288f2239f1805e7d5c935fec648
SHA1:	3e7d6b9b8e8549bd5e359c79e64829da329c0f92
SHA256:	c761b3063a4cdad0061c015cda2d006077b52d833952ca912157bfa31d8a975d
Tags:	exeuser-zhuzhu0009
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

IP address seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

ReaderPDFadobe.exe (PID: 2488 cmdline: "C:\Users\user\Desktop\ReaderPDFadobe.exe" MD5: 5B3F4288F2239F1805E7D5C935FEC648)

csc.exe (PID: 5576 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.4043696145.0000000007F91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000005.00000002.4044173599.0000000009600000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000005.00000002.4043308059.0000000006DF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: csc.exe PID: 5576	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.csc.exe.80169a8.1.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
5.2.csc.exe.9600000.4.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: ReaderPDFadobe.exe	Virustotal: Detection: 54%			Perma Link
Source: ReaderPDFadobe.exe	ReversingLabs: Detection: 47%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: ReaderPDFadobe.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: ReaderPDFadobe.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: Sotffzqoj.pdb source: csc.exe, 00000005.00000002.4043973497.0000000009430000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000005.00000003.2609454965.000000000826E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2609454965.000000000808C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Sources\foobar2000-2.24\foobar2000\Release\foobar2000.pdb source: ReaderPDFadobe.exe
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: csc.exe, 00000005.00000002.4044112109.0000000009530000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000005.00000003.2609454965.00000000083A5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2609454965.000000000826E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: csc.exe, 00000005.00000002.4044112109.0000000009530000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000005.00000003.2609454965.00000000083A5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2609454965.000000000826E000.00000004.00000800.00020000.00000000.sdmp

Source: global traffic

TCP traffic: 192.168.2.6:49820 -> 181.71.216.203:30203

Source: Joe Sandbox View

IP Address: 181.71.216.203 181.71.216.203

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: newstaticfreepoint24.ddns-ip.net

Source: ReaderPDFadobe.exe	String found in binary or memory: http://forums.foobar2000.org/
Source: csc.exe, 00000005.00000002.4043308059.0000000006E9B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000002.4043308059.0000000006E86000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000002.4043308059.0000000006DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ReaderPDFadobe.exe	String found in binary or memory: http://wiki.hydrogenaudio.org/index.php?title=Replaygain
Source: ReaderPDFadobe.exe	String found in binary or memory: http://wiki.hydrogenaudio.org/index.php?title=ReplaygainSet
Source: ReaderPDFadobe.exe	String found in binary or memory: https://fastcopy.jp/pro/
Source: csc.exe, 00000005.00000002.4044112109.0000000009530000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000005.00000003.2609454965.00000000083A5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2609454965.000000000826E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: csc.exe, 00000005.00000002.4044112109.0000000009530000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000005.00000003.2609454965.00000000083A5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2609454965.000000000826E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: csc.exe, 00000005.00000002.4044112109.0000000009530000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000005.00000003.2609454965.00000000083A5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2609454965.000000000826E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: ReaderPDFadobe.exe	String found in binary or memory: https://help.foobar2000.org/
Source: ReaderPDFadobe.exe	String found in binary or memory: https://help.foobar2000.org/~rbvrb
Source: csc.exe, 00000005.00000002.4044112109.0000000009530000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000005.00000003.2609454965.00000000083A5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2609454965.000000000826E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: csc.exe, 00000005.00000002.4044112109.0000000009530000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000005.00000003.2609454965.00000000083A5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2609454965.000000000826E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000002.4043308059.0000000006DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: csc.exe, 00000005.00000002.4044112109.0000000009530000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000005.00000003.2609454965.00000000083A5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2609454965.000000000826E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: ReaderPDFadobe.exe	String found in binary or memory: https://www.foobar2000.org/
Source: ReaderPDFadobe.exe	String found in binary or memory: https://www.foobar2000.org/download
Source: ReaderPDFadobe.exe	String found in binary or memory: https://www.foobar2000.org/downloadcomponent_manager::on_app_initPre
Source: ReaderPDFadobe.exe	String found in binary or memory: https://www.foobar2000.org/http://forums.foobar2000.org/AboutOpens
Source: ReaderPDFadobe.exe	String found in binary or memory: https://www.foobar2000.org/license
Source: ReaderPDFadobe.exe	String found in binary or memory: https://www.radio-browser.info/
Source: ReaderPDFadobe.exe	String found in binary or memory: https://www.radio-browser.info/CountryLanguageTagNameLoading...No
Source: ReaderPDFadobe.exe	String found in binary or memory: https://www.radio-browser.info/history/

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05093C58	5_2_05093C58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05093C4A	5_2_05093C4A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0952D320	5_2_0952D320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0952112B	5_2_0952112B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_095211D0	5_2_095211D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_095210F0	5_2_095210F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0952E350	5_2_0952E350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_09521305	5_2_09521305
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_095213D3	5_2_095213D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_09521254	5_2_09521254
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0952155F	5_2_0952155F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_09521464	5_2_09521464
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_095214F1	5_2_095214F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0952A71F	5_2_0952A71F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0952D647	5_2_0952D647
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_095216BA	5_2_095216BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_09673D38	5_2_09673D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_09671870	5_2_09671870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_09676C8E	5_2_09676C8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_09672488	5_2_09672488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_09673D2C	5_2_09673D2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_09674100	5_2_09674100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_09671BB8	5_2_09671BB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_096A07C8	5_2_096A07C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_096AEEB8	5_2_096AEEB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_096AD8F0	5_2_096AD8F0

Source: ReaderPDFadobe.exe, 00000000.00000002.2367986617.00000000008F0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamefoobar2000.exeN vs ReaderPDFadobe.exe
Source: ReaderPDFadobe.exe, 00000000.00000002.2369477635.000000000276C000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFfjhitsk.exe" vs ReaderPDFadobe.exe
Source: ReaderPDFadobe.exe, 00000000.00000000.2180194122.00000000008D5000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamefoobar2000.exeN vs ReaderPDFadobe.exe
Source: ReaderPDFadobe.exe	Binary or memory string: OriginalFilenamefoobar2000.exeN vs ReaderPDFadobe.exe

Source: ReaderPDFadobe.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.evad.winEXE@3/0@1/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Mutant created: \Sessions\1\BaseNamedObjects\mono1234

Source: ReaderPDFadobe.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\ReaderPDFadobe.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ReaderPDFadobe.exe, 00000000.00000002.2359657380.0000000000675000.00000002.00000001.01000000.00000003.sdmp, ReaderPDFadobe.exe, 00000000.00000000.2180118175.0000000000675000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name=?;
Source: ReaderPDFadobe.exe, 00000000.00000002.2359657380.0000000000675000.00000002.00000001.01000000.00000003.sdmp, ReaderPDFadobe.exe, 00000000.00000000.2180118175.0000000000675000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE metadb SET lastseen = ? WHERE rowid IN (SELECT rowid FROM temp.gc_present_items);

Source: ReaderPDFadobe.exe	Virustotal: Detection: 54%
Source: ReaderPDFadobe.exe	ReversingLabs: Detection: 47%

Source: ReaderPDFadobe.exe	String found in binary or memory: /add <list-of-files> - appends the specified files to the current playlist instead of replacing the playlist content and playing them immediately
Source: ReaderPDFadobe.exe	String found in binary or memory: /play, /pause, /playpause, /prev, /next, /rand, /stop - playback controls
Source: ReaderPDFadobe.exe	String found in binary or memory: /play, /pause, /playpause, /prev, /next, /rand, /stop - playback controls
Source: ReaderPDFadobe.exe	String found in binary or memory: " /add "%1"
Source: ReaderPDFadobe.exe	String found in binary or memory: @" "addplaynow.icoicons\generic.icoSoftware\Classesfoobar2000.url.foobar2000.SOFTWARE\Classes\CLSID\{0A35F9F4-F4BE-471A-890D-E09FFA6B38AD}\InprocServer32/CommandDelegateExecute{0A35F9F4-F4BE-471A-890D-E09FFA6B38AD}Directory\shellex\ContextMenuHandlers\Fb2kShellExtPlay in foobar2000PlayerMultiSelectModel" "%1"{0A35F9F4-F4BE-471A-890D-E09FFA6B38AD}Enqueue in foobar2000" /add "%1"AudioCD\shell\play\commandbckupAudioCDAudioCDbckupAudioCD(9D
Source: ReaderPDFadobe.exe	String found in binary or memory: /install
Source: ReaderPDFadobe.exe	String found in binary or memory: /stop
Source: ReaderPDFadobe.exe	String found in binary or memory: /stop
Source: ReaderPDFadobe.exe	String found in binary or memory: BThis playlist is already an autoplaylistThis playlist is not an autoplaylistPlaylist could not be lockedautoplaylist workerAutoplaylist provider missingCould not restore autoplaylist : Multiple wildcard levels not supported./immediate/add/playnow/help/?ErrorUnknown commandline parameter: /nogui/noresume/quiet/safe/install/hardreset/keepcomponents/nocrashinfo/playlist:/config/play/pause/playpause/prev/next/rand/stop/autoquit/exit/quit/show/hideCommand-line Help/command:/playlist_command:/playing_command:/context_command:
Source: ReaderPDFadobe.exe	String found in binary or memory: BThis playlist is already an autoplaylistThis playlist is not an autoplaylistPlaylist could not be lockedautoplaylist workerAutoplaylist provider missingCould not restore autoplaylist : Multiple wildcard levels not supported./immediate/add/playnow/help/?ErrorUnknown commandline parameter: /nogui/noresume/quiet/safe/install/hardreset/keepcomponents/nocrashinfo/playlist:/config/play/pause/playpause/prev/next/rand/stop/autoquit/exit/quit/show/hideCommand-line Help/command:/playlist_command:/playing_command:/context_command:
Source: ReaderPDFadobe.exe	String found in binary or memory: BThis playlist is already an autoplaylistThis playlist is not an autoplaylistPlaylist could not be lockedautoplaylist workerAutoplaylist provider missingCould not restore autoplaylist : Multiple wildcard levels not supported./immediate/add/playnow/help/?ErrorUnknown commandline parameter: /nogui/noresume/quiet/safe/install/hardreset/keepcomponents/nocrashinfo/playlist:/config/play/pause/playpause/prev/next/rand/stop/autoquit/exit/quit/show/hideCommand-line Help/command:/playlist_command:/playing_command:/context_command:
Source: ReaderPDFadobe.exe	String found in binary or memory: BThis playlist is already an autoplaylistThis playlist is not an autoplaylistPlaylist could not be lockedautoplaylist workerAutoplaylist provider missingCould not restore autoplaylist : Multiple wildcard levels not supported./immediate/add/playnow/help/?ErrorUnknown commandline parameter: /nogui/noresume/quiet/safe/install/hardreset/keepcomponents/nocrashinfo/playlist:/config/play/pause/playpause/prev/next/rand/stop/autoquit/exit/quit/show/hideCommand-line Help/command:/playlist_command:/playing_command:/context_command:
Source: ReaderPDFadobe.exe	String found in binary or memory: /addcomponent
Source: ReaderPDFadobe.exe	String found in binary or memory: VersionChecking for Updates UTC)ModuleAbout Install ComponentComponent maintenance failureAnother instance of this component already exists in your foobar2000 application folder; you need to remove it manually before you can update this component automatically.foobar2000 components\|foo_.zip;.fb2k-componentCould not load component "": Component removal failure(unknown - please apply changes to load)/addcomponentComponentsChecks for updated versions of installed components.Check for updated componentswww.foobar2000.orgInvalid responsechallengecomponent-updatesfingerprint5www.foobar2000.org/update-componentsmax_downloadSignature mismatchx-foobar2000-signature suppressed by user settingsComponent update: .zipComponent update of failed: Download corrupted (updated from Released on

Source: unknown	Process created: C:\Users\user\Desktop\ReaderPDFadobe.exe "C:\Users\user\Desktop\ReaderPDFadobe.exe"
Source: C:\Users\user\Desktop\ReaderPDFadobe.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\Desktop\ReaderPDFadobe.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ReaderPDFadobe.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ReaderPDFadobe.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\ReaderPDFadobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ReaderPDFadobe.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ReaderPDFadobe.exe	Section loaded: crowdstrikeceoisextragay.dll	Jump to behavior
Source: C:\Users\user\Desktop\ReaderPDFadobe.exe	Section loaded: sentinelisabadedrtrynexttimemaybe.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: ReaderPDFadobe.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: ReaderPDFadobe.exe

Static file information: File size 5649920 > 1048576

Source: ReaderPDFadobe.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x273200
Source: ReaderPDFadobe.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x241200

Source: ReaderPDFadobe.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ReaderPDFadobe.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ReaderPDFadobe.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ReaderPDFadobe.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ReaderPDFadobe.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ReaderPDFadobe.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: ReaderPDFadobe.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: ReaderPDFadobe.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: Sotffzqoj.pdb source: csc.exe, 00000005.00000002.4043973497.0000000009430000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000005.00000003.2609454965.000000000826E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2609454965.000000000808C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Sources\foobar2000-2.24\foobar2000\Release\foobar2000.pdb source: ReaderPDFadobe.exe
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: csc.exe, 00000005.00000002.4044112109.0000000009530000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000005.00000003.2609454965.00000000083A5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2609454965.000000000826E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: csc.exe, 00000005.00000002.4044112109.0000000009530000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000005.00000003.2609454965.00000000083A5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2609454965.000000000826E000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Yara detected Costura Assembly Loader

Source: Yara match	File source: 5.2.csc.exe.80169a8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.csc.exe.9600000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4043696145.0000000007F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4044173599.0000000009600000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4043308059.0000000006DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: csc.exe PID: 5576, type: MEMORYSTR

Source: C:\Users\user\Desktop\ReaderPDFadobe.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\Desktop\ReaderPDFadobe.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"			Jump to behavior

Source: ReaderPDFadobe.exe

Static PE information: section name: _RDATA

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_09521B80 push E8FBB725h; ret	5_2_09521B99
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_095292EB push esi; iretd	5_2_095292F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_09521671 push ss; retf	5_2_09521683
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_096AC8B0 pushad ; iretd	5_2_096AC8B1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Memory allocated: 5050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Memory allocated: 6DF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Memory allocated: 6B30000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 511000	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1812	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1812	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 4340	Thread sleep count: 196 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1812	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 3064	Thread sleep time: -511000s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 511000	Jump to behavior

Source: csc.exe, 00000005.00000002.4044300954.00000000098C0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\ReaderPDFadobe.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\ReaderPDFadobe.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 4860000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\ReaderPDFadobe.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 4860000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\ReaderPDFadobe.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 4860000			Jump to behavior
Source: C:\Users\user\Desktop\ReaderPDFadobe.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 4B40008			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\ReaderPDFadobe.exe

Code function: 0_2_00644383 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00644383

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: csc.exe, 00000005.00000002.4042932561.00000000050E8000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000005.00000002.4044300954.00000000098C0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	131 Windows Management Instrumentation	1 DLL Side-Loading	31 Process Injection	11 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	141 Virtualization/Sandbox Evasion	LSASS Memory	131 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Process Injection	Security Account Manager	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	124 System Information Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ReaderPDFadobe.exe	54%	Virustotal		Browse
ReaderPDFadobe.exe	47%	ReversingLabs	Win32.Backdoor.Remcos

Source	Detection	Scanner	Label
https://www.foobar2000.org/http://forums.foobar2000.org/AboutOpens	0%	Avira URL Cloud	safe
https://www.radio-browser.info/	0%	Avira URL Cloud	safe
http://wiki.hydrogenaudio.org/index.php?title=Replaygain	0%	Avira URL Cloud	safe
http://forums.foobar2000.org/	0%	Avira URL Cloud	safe
https://help.foobar2000.org/~rbvrb	0%	Avira URL Cloud	safe
https://www.foobar2000.org/license	0%	Avira URL Cloud	safe
https://help.foobar2000.org/	0%	Avira URL Cloud	safe
https://fastcopy.jp/pro/	0%	Avira URL Cloud	safe
https://www.foobar2000.org/downloadcomponent_manager::on_app_initPre	0%	Avira URL Cloud	safe
https://www.foobar2000.org/download	0%	Avira URL Cloud	safe
https://www.radio-browser.info/CountryLanguageTagNameLoading...No	0%	Avira URL Cloud	safe
http://wiki.hydrogenaudio.org/index.php?title=ReplaygainSet	0%	Avira URL Cloud	safe
https://www.radio-browser.info/history/	0%	Avira URL Cloud	safe
https://www.foobar2000.org/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
newstaticfreepoint24.ddns-ip.net	181.71.216.203	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.foobar2000.org/http://forums.foobar2000.org/AboutOpens	ReaderPDFadobe.exe	false	Avira URL Cloud: safe	unknown
http://wiki.hydrogenaudio.org/index.php?title=Replaygain	ReaderPDFadobe.exe	false	Avira URL Cloud: safe	unknown
https://github.com/mgravell/protobuf-neti	csc.exe, 00000005.00000002.4044112109.0000000009530000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000005.00000003.2609454965.00000000083A5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2609454965.000000000826E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/14436606/23354	csc.exe, 00000005.00000002.4044112109.0000000009530000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000005.00000003.2609454965.00000000083A5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2609454965.000000000826E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000002.4043308059.0000000006DF1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-netJ	csc.exe, 00000005.00000002.4044112109.0000000009530000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000005.00000003.2609454965.00000000083A5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2609454965.000000000826E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.radio-browser.info/	ReaderPDFadobe.exe	false	Avira URL Cloud: safe	unknown
https://stackoverflow.com/q/11564914/23354;	csc.exe, 00000005.00000002.4044112109.0000000009530000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000005.00000003.2609454965.00000000083A5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2609454965.000000000826E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	csc.exe, 00000005.00000002.4044112109.0000000009530000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000005.00000003.2609454965.00000000083A5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2609454965.000000000826E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://forums.foobar2000.org/	ReaderPDFadobe.exe	false	Avira URL Cloud: safe	unknown
https://www.foobar2000.org/license	ReaderPDFadobe.exe	false	Avira URL Cloud: safe	unknown
https://fastcopy.jp/pro/	ReaderPDFadobe.exe	false	Avira URL Cloud: safe	unknown
https://github.com/mgravell/protobuf-net	csc.exe, 00000005.00000002.4044112109.0000000009530000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000005.00000003.2609454965.00000000083A5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2609454965.000000000826E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://help.foobar2000.org/~rbvrb	ReaderPDFadobe.exe	false	Avira URL Cloud: safe	unknown
https://help.foobar2000.org/	ReaderPDFadobe.exe	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	csc.exe, 00000005.00000002.4043308059.0000000006E9B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000002.4043308059.0000000006E86000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000002.4043308059.0000000006DF1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.foobar2000.org/download	ReaderPDFadobe.exe	false	Avira URL Cloud: safe	unknown
https://www.foobar2000.org/downloadcomponent_manager::on_app_initPre	ReaderPDFadobe.exe	false	Avira URL Cloud: safe	unknown
https://www.radio-browser.info/CountryLanguageTagNameLoading...No	ReaderPDFadobe.exe	false	Avira URL Cloud: safe	unknown
https://www.foobar2000.org/	ReaderPDFadobe.exe	false	Avira URL Cloud: safe	unknown
http://wiki.hydrogenaudio.org/index.php?title=ReplaygainSet	ReaderPDFadobe.exe	false	Avira URL Cloud: safe	unknown
https://www.radio-browser.info/history/	ReaderPDFadobe.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
181.71.216.203	newstaticfreepoint24.ddns-ip.net	Colombia		27831	ColombiaMovilCO	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587448
Start date and time:	2025-01-10 11:58:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ReaderPDFadobe.exe
Detection:	MAL
Classification:	mal72.evad.winEXE@3/0@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 77% Number of executed functions: 103 Number of non-executed functions: 15
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target ReaderPDFadobe.exe, PID 2488 because there are no executed function
Report size getting too big, too many NtProtectVirtualMemory calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
181.71.216.203	PDFONLINE.exe	Get hash	malicious	Unknown	Browse
	MicrosoftWORD.exe	Get hash	malicious	Unknown	Browse
	MicrosoftOfficeWord.exe	Get hash	malicious	Unknown	Browse
	AdobePDF.exe	Get hash	malicious	Unknown	Browse
	AdobeReaderPDFonline.exe	Get hash	malicious	Unknown	Browse
	MicrosoftWORD.exe	Get hash	malicious	Unknown	Browse
	PDFonlineseguro.exe	Get hash	malicious	Unknown	Browse
	MicrosoftOfficeWord.exe	Get hash	malicious	Unknown	Browse
	AdobePDF.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
newstaticfreepoint24.ddns-ip.net	PDFONLINE.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	MicrosoftWORD.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	MicrosoftOfficeWord.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	AdobePDF.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	AdobeReaderPDFonline.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	MicrosoftWORD.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	PDFonlineseguro.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	MicrosoftOfficeWord.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	AdobePDF.exe	Get hash	malicious	Unknown	Browse	181.71.216.203

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ColombiaMovilCO	PDFONLINE.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	MicrosoftWORD.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	MicrosoftOfficeWord.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	AdobePDF.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	AdobeReaderPDFonline.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	MicrosoftWORD.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	PDFonlineseguro.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	MicrosoftOfficeWord.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	AdobePDF.exe	Get hash	malicious	Unknown	Browse	181.71.216.203

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.871666663925079
TrID:	Win32 Executable (generic) a (10002005/4) 98.19% foobar 2000 generic component (102126/2) 1.00% foobar 2000 Diskwriter output component (78126/2) 0.77% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	ReaderPDFadobe.exe
File size:	5'649'920 bytes
MD5:	5b3f4288f2239f1805e7d5c935fec648
SHA1:	3e7d6b9b8e8549bd5e359c79e64829da329c0f92
SHA256:	c761b3063a4cdad0061c015cda2d006077b52d833952ca912157bfa31d8a975d
SHA512:	ba36f0584d294b1566b77185bf9c3450f13af917b656f0abdc1f35456974a630c9e3d17b94b23b4079a594817a2f2a3d30af673ef4e1f90c527b0911d1457c52
SSDEEP:	49152:/hKqxQ06Ybgpey773zDpgNaPvsGbNhvaE/0+dbMie3c/Hat0f3rNcXeiXzOHQXeb:5nbgpe4xdaEMybVR/XfGBPN74TlwDU
TLSH:	2C46AD32B753CC66C65100BF8979AAFD9128ED78CB7346C35284FE1D20B39E216B6917
File Content Preview:	MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$..........,..............h........~...............~.......~.......~............'..~....d..~.......~.......~.......~.......~.......~...

File Icon


Icon Hash:	334de0b2926d330e

Static PE Info

General

Entrypoint:	0x643e93
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x67600E9F [Mon Dec 16 11:27:27 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	d0efa8288bc8fcf1ae384debe93de6ac

Entrypoint Preview

Instruction
call 00007F2400E954DDh
jmp 00007F2400E94E1Fh
push 00000010h
push 006E65C0h
call 00007F2400E9542Ch
xor ebx, ebx
mov dword ptr [ebp-20h], ebx
mov byte ptr [ebp-19h], bl
mov dword ptr [ebp-04h], ebx
cmp ebx, dword ptr [ebp+14h]
je 00007F2400E94FC3h
push dword ptr [ebp+0Ch]
mov ecx, dword ptr [ebp+18h]
call dword ptr [00675B18h]
mov ecx, dword ptr [ebp+08h]
call dword ptr [ebp+18h]
mov eax, dword ptr [ebp+10h]
add dword ptr [ebp+08h], eax
add dword ptr [ebp+0Ch], eax
inc ebx
mov dword ptr [ebp-20h], ebx
jmp 00007F2400E94F7Ch
mov al, 01h
mov byte ptr [ebp-19h], al
mov dword ptr [ebp-04h], FFFFFFFEh
call 00007F2400E94FBDh
mov ecx, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop esi
pop ebx
leave
retn 0018h
mov ebx, dword ptr [ebp-20h]
mov al, byte ptr [ebp-19h]
test al, al
jne 00007F2400E94FB1h
push dword ptr [ebp+1Ch]
push ebx
push dword ptr [ebp+10h]
push dword ptr [ebp+08h]
call 00007F2400E94A14h
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F2400C5D760h
push 006E66B4h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F2400E956ABh
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F2400C5CBB3h
push 006E6608h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F2400E9568Eh
int3
push ebp
mov ebp, esp
and dword ptr [00701C04h], 00000000h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2e826c	0x294	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x32e000	0x24102c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x350000	0x2c140	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2a823c	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x2a82c0	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x276d30	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x275000	0xb18	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x2e8128	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x274000	0x273200	696e190c41e929632b849b4372bca92f	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x275000	0x78000	0x77600	2a4704a587240261914c1de80110ddb1	False	0.3565792702879581	data	5.125253402867627	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2ed000	0x1e000	0x14c00	0b15f16cdaeb2ade44ddb62497a9e5fb	False	0.22939806099397592	DOS executable (block device driver @\273\)	5.393205596281875	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA	0x30b000	0x23000	0x22c00	241f50e9d164772437fd3eebd88a3edb	False	0.16984459307553956	data	5.38723924085817	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x32e000	0x24102c	0x241200	f4ab587bb2ddbe9f5f1d926f55817b5d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AFX_DIALOG_LAYOUT	0x32f96c	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x32f970	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x32f974	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x32f978	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x32f97c	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x32f980	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x32f984	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x32f988	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x32f98c	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x32f990	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x32f994	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x32f998	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x32f99c	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x32f9a0	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x32f9a4	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x32f9a8	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x32f9ac	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x32f9b0	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x32f9b4	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x32f9b8	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x32f9bc	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x32f9c0	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x32f9c4	0x2	data	English	United States	5.0
PNG	0x32f9c8	0x5366	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	1.0004215456674472
RT_BITMAP	0x334d30	0x72a24	Device independent bitmap graphic, 500 x 313 x 24, image size 469500, resolution 3780 x 3780 px/m			0.6494377475827405
RT_BITMAP	0x3a7754	0x72a24	Device independent bitmap graphic, 500 x 313 x 24, image size 469500, resolution 3780 x 3780 px/m			0.5587979724837074
RT_BITMAP	0x41a178	0x14be8	Device independent bitmap graphic, 302 x 276 x 8, image size 83904, 256 important colors			0.1667098201675925
RT_BITMAP	0x42ed60	0x46e8c	PC bitmap, Windows 3.x format, 36628 x 2 x 52, image size 290472, cbSize 290444, bits offset 54			0.9879563702469323
RT_BITMAP	0x475bec	0x2e02a	Device independent bitmap graphic, 1472 x 32 x 32, image size 188418, resolution 2834 x 2834 px/m			0.216446104702374
RT_BITMAP	0x4a3c18	0x402a	Device independent bitmap graphic, 64 x 64 x 32, image size 16386, resolution 2834 x 2834 px/m			0.35370753683185197
RT_BITMAP	0x4a7c44	0xcf28	Device independent bitmap graphic, 552 x 24 x 32, image size 52992, resolution 3543 x 3543 px/m			0.23476391612611253
RT_ICON	0x4b4b6c	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.33630393996247654
RT_ICON	0x4b5c14	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 6720	English	United States	0.29319526627218934
RT_ICON	0x4b767c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.258298755186722
RT_ICON	0x4b9c24	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.20896315540859708
RT_ICON	0x4bde4c	0x5cd2	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9988216480094269
RT_ICON	0x4c3b20	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5301418439716312
RT_ICON	0x4c3f88	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 1680	English	United States	0.4511627906976744
RT_ICON	0x4c4640	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.41270491803278686
RT_DIALOG	0x4c4fc8	0x32a	data			0.7555555555555555
RT_DIALOG	0x4c52f4	0x35c	data	English	United States	0.436046511627907
RT_DIALOG	0x4c5650	0x502	data	English	United States	0.3962558502340094
RT_DIALOG	0x4c5b54	0x248	data	English	United States	0.4828767123287671
RT_DIALOG	0x4c5d9c	0x2c2	data	English	United States	0.4730878186968839
RT_DIALOG	0x4c6060	0x630	data	English	United States	0.4116161616161616
RT_DIALOG	0x4c6690	0x1e8	data	English	United States	0.5368852459016393
RT_DIALOG	0x4c6878	0x828	data	English	United States	0.4051724137931034
RT_DIALOG	0x4c70a0	0x36c	data	English	United States	0.45662100456621
RT_DIALOG	0x4c740c	0x188	data	English	United States	0.5586734693877551
RT_DIALOG	0x4c7594	0x1e8	data	English	United States	0.5430327868852459
RT_DIALOG	0x4c777c	0x4a8	data	English	United States	0.42533557046979864
RT_DIALOG	0x4c7c24	0x278	data	English	United States	0.44936708860759494
RT_DIALOG	0x4c7e9c	0xc8	data	English	United States	0.675
RT_DIALOG	0x4c7f64	0x634	data	English	United States	0.4275818639798489
RT_DIALOG	0x4c8598	0x4d2	data	English	United States	0.3987034035656402
RT_DIALOG	0x4c8a6c	0x2b0	data	English	United States	0.4738372093023256
RT_DIALOG	0x4c8d1c	0xd0	data	English	United States	0.6586538461538461
RT_DIALOG	0x4c8dec	0x124	data	English	United States	0.589041095890411
RT_DIALOG	0x4c8f10	0x30e	data	English	United States	0.4322250639386189
RT_DIALOG	0x4c9220	0x174	data	English	United States	0.5698924731182796
RT_DIALOG	0x4c9394	0x220	data	English	United States	0.48713235294117646
RT_DIALOG	0x4c95b4	0x2d2	data	English	United States	0.4695290858725762
RT_DIALOG	0x4c9888	0xec	data	English	United States	0.673728813559322
RT_DIALOG	0x4c9974	0x1e0	data	English	United States	0.5229166666666667
RT_DIALOG	0x4c9b54	0x1b0	data	English	United States	0.5532407407407407
RT_DIALOG	0x4c9d04	0x1a4	data	English	United States	0.5333333333333333
RT_DIALOG	0x4c9ea8	0x100	data	English	United States	0.62890625
RT_DIALOG	0x4c9fa8	0x60	data	English	United States	0.7291666666666666
RT_DIALOG	0x4ca008	0x4ac	data	English	United States	0.3804347826086957
RT_DIALOG	0x4ca4b4	0x326	data	English	United States	0.4640198511166253
RT_DIALOG	0x4ca7dc	0x1f8	data	English	United States	0.5515873015873016
RT_DIALOG	0x4ca9d4	0xe0	data	English	United States	0.6607142857142857
RT_DIALOG	0x4caab4	0xe4	data	English	United States	0.6798245614035088
RT_DIALOG	0x4cab98	0x1c4	data	English	United States	0.5575221238938053
RT_DIALOG	0x4cad5c	0x104	data	English	United States	0.573076923076923
RT_DIALOG	0x4cae60	0xaa	data	English	United States	0.7411764705882353
RT_DIALOG	0x4caf0c	0x1f4	data	English	United States	0.492
RT_DIALOG	0x4cb100	0x12c	data	English	United States	0.5966666666666667
RT_DIALOG	0x4cb22c	0x7c	data	English	United States	0.7903225806451613
RT_DIALOG	0x4cb2a8	0x40	data	English	United States	0.765625
RT_DIALOG	0x4cb2e8	0x228	data	English	United States	0.519927536231884
RT_DIALOG	0x4cb510	0xa4	data	English	United States	0.6829268292682927
RT_DIALOG	0x4cb5b4	0xb8	data	English	United States	0.6739130434782609
RT_DIALOG	0x4cb66c	0x228	data	English	United States	0.5018115942028986
RT_DIALOG	0x4cb894	0xa8	data	English	United States	0.6607142857142857
RT_DIALOG	0x4cb93c	0x11c	data	English	United States	0.5845070422535211
RT_DIALOG	0x4cba58	0x1c8	data	English	United States	0.4868421052631579
RT_DIALOG	0x4cbc20	0x32c	data	English	United States	0.45689655172413796
RT_DIALOG	0x4cbf4c	0x90	data	English	United States	0.6944444444444444
RT_DIALOG	0x4cbfdc	0xc6	data	English	United States	0.6919191919191919
RT_DIALOG	0x4cc0a4	0x224	data	English	United States	0.5547445255474452
RT_DIALOG	0x4cc2c8	0x224	data	English	United States	0.5602189781021898
RT_DIALOG	0x4cc4ec	0x120	data	English	United States	0.5972222222222222
RT_DIALOG	0x4cc60c	0x5d4	data	English	United States	0.4175603217158177
RT_DIALOG	0x4ccbe0	0x17e	data	English	United States	0.5837696335078534
RT_DIALOG	0x4ccd60	0x19e	data	English	United States	0.5217391304347826
RT_DIALOG	0x4ccf00	0x1e0	data	English	United States	0.51875
RT_DIALOG	0x4cd0e0	0x3f8	data	English	United States	0.43799212598425197
RT_DIALOG	0x4cd4d8	0x6e	data	English	United States	0.7181818181818181
RT_DIALOG	0x4cd548	0x7c	data	English	United States	0.7338709677419355
RT_DIALOG	0x4cd5c4	0x3e0	data	English	United States	0.4254032258064516
RT_DIALOG	0x4cd9a4	0x94	data	English	United States	0.7905405405405406
RT_DIALOG	0x4cda38	0x246	data	English	United States	0.49140893470790376
RT_DIALOG	0x4cdc80	0x1e8	data	English	United States	0.4959016393442623
RT_DIALOG	0x4cde68	0xfc	data	English	United States	0.6626984126984127
RT_DIALOG	0x4cdf64	0x160	data	English	United States	0.6051136363636364
RT_DIALOG	0x4ce0c4	0x4ec	data	English	United States	0.44047619047619047
RT_DIALOG	0x4ce5b0	0x2f0	data	English	United States	0.4654255319148936
RT_DIALOG	0x4ce8a0	0x1ac	data	English	United States	0.5677570093457944
RT_DIALOG	0x4cea4c	0x142	data	English	United States	0.5869565217391305
RT_DIALOG	0x4ceb90	0x1ae	data	English	United States	0.5511627906976744
RT_ACCELERATOR	0x4ced40	0x20	data	English	United States	0.96875
RT_ACCELERATOR	0x4ced60	0x28	data	English	United States	0.95
RT_RCDATA	0x4ced88	0x82e8	data			0.24680711386965862
RT_RCDATA	0x4d7070	0x11dab	Delphi compiled form 'TfFolderProperties'			0.31615867416006893
RT_RCDATA	0x4e8e1c	0x11dab	Delphi compiled form 'TfFolderProperties'			0.4024558668690432
RT_RCDATA	0x4fabc8	0x23e27	Delphi compiled form 'TfLogin'			0.28407366838341847
RT_RCDATA	0x51e9f0	0x2092	Delphi compiled form 'TWizardForm'			0.2983928999760134
RT_RCDATA	0x520a84	0xbd22	PNG image data, 118 x 102, 8-bit/color RGBA, non-interlaced			0.24928745507868974
RT_GROUP_ICON	0x52c7a8	0x76	data	English	United States	0.7457627118644068
RT_VERSION	0x52c820	0x30c	data	English	United States	0.44358974358974357
RT_ANIICON	0x52cb2c	0x424fd	PC bitmap, Windows 3.x format, 34094 x 2 x 35, image size 271646, cbSize 271613, bits offset 54			0.9939619974007136

Imports

DLL	Import
COMCTL32.dll	ImageList_Destroy, ImageList_Create, ImageList_Add
WINMM.dll	timeGetTime, timeBeginPeriod, timeEndPeriod
SHLWAPI.dll	SHAutoComplete, StrCmpLogicalW, SHDeleteKeyW
UxTheme.dll	IsThemePartDefined, OpenThemeData, GetThemePartSize, SetWindowTheme, DrawThemeBackground, EnableThemeDialogTexture, CloseThemeData
KERNEL32.dll	GetSystemPowerStatus, VerifyVersionInfoW, VerSetConditionMask, GlobalFree, SystemTimeToFileTime, LocalFileTimeToFileTime, ResumeThread, GetLocaleInfoW, GetNumberFormatW, GlobalSize, DecodePointer, Sleep, SetErrorMode, LoadLibraryW, CreateEventW, FindResourceW, FindResourceExW, LoadResource, LockResource, SizeofResource, SetEndOfFile, GetFileTime, FlushFileBuffers, CreateFileW, GetDiskFreeSpaceExW, FindFirstFileW, DeleteFileW, RemoveDirectoryW, GetFileAttributesW, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, WaitForSingleObjectEx, InitializeCriticalSectionAndSpinCount, LoadLibraryExA, GetCurrentThreadId, VirtualAlloc, IsProcessorFeaturePresent, FlushInstructionCache, InterlockedPushEntrySList, InterlockedPopEntrySList, InitializeSListHead, EncodePointer, InitOnceComplete, InitOnceBeginInitialize, SystemTimeToTzSpecificLocalTime, MoveFileExW, NormalizeString, TryEnterCriticalSection, GetVolumeNameForVolumeMountPointW, GetVolumePathNameW, DeviceIoControl, SetFileTime, SetFilePointer, DosDateTimeToFileTime, GetFileSizeEx, FileTimeToSystemTime, GetSystemTimeAsFileTime, ReadDirectoryChangesW, GetThreadPriority, GetThreadId, GetFileInformationByHandle, TerminateProcess, GetCurrentProcess, DuplicateHandle, WriteFile, CancelIo, GetOverlappedResult, ReadFile, WideCharToMultiByte, MultiByteToWideChar, WaitForMultipleObjects, FormatMessageW, GlobalUnlock, GlobalLock, GlobalAlloc, GetCommandLineW, LoadLibraryExW, lstrlenW, GetNativeSystemInfo, GetVersionExW, PowerCreateRequest, PowerClearRequest, PowerSetRequest, SetLastError, EnterCriticalSection, SetThreadPriority, OutputDebugStringW, LeaveCriticalSection, GetTickCount64, DeleteCriticalSection, GetFileAttributesExW, FindNextFileW, FindClose, GetCurrentThread, SetEvent, ResetEvent, GetExitCodeThread, GetCurrentProcessId, VirtualQuery, VirtualProtect, GetSystemInfo, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, ReleaseSRWLockShared, AcquireSRWLockShared, CopyFileW, IsDebuggerPresent, FreeLibrary, SetDllDirectoryW, CloseHandle, WaitForSingleObject, GetModuleHandleW, GetProcAddress, GetTickCount, GetProcessHeap, HeapAlloc, CreateMutexW, InitializeCriticalSection, QueryPerformanceCounter, QueryPerformanceFrequency, HeapFree, HeapReAlloc, HeapSize, HeapDestroy, MulDiv, InitializeCriticalSectionEx, GetLastError, RaiseException, VirtualFree
USER32.dll	SetDlgItemTextW, MapVirtualKeyW, GetDlgItem, SendMessageW, ShowWindow, EnableWindow, SetWindowTextW, DestroyWindow, UnregisterClassW, CreateDialogParamW, SetWindowLongW, SendDlgItemMessageW, GetActiveWindow, GetWindowLongW, GetClientRect, ClientToScreen, GetWindowRect, SetWindowPos, SetLayeredWindowAttributes, CharUpperW, GetComboBoxInfo, GetSystemMetrics, EnumThreadWindows, GetWindowPlacement, IsIconic, AdjustWindowRect, DrawEdge, SetClipboardData, CloseClipboard, OpenClipboard, FillRect, AdjustWindowRectEx, GetWindowTextLengthW, GetWindowTextW, NotifyWinEvent, RedrawWindow, IsRectEmpty, DrawTextW, TrackMouseEvent, InflateRect, FrameRect, UnhookWindowsHookEx, SetWindowsHookExW, CallNextHookEx, GetNextDlgTabItem, InvalidateRgn, SystemParametersInfoW, ScrollWindowEx, SetScrollPos, UpdateWindow, SetScrollInfo, SetRectEmpty, SetGestureConfig, CloseGestureInfoHandle, GetGestureInfo, GetScrollInfo, MapDialogRect, IsZoomed, SetMenuItemInfoW, GetMenuItemInfoW, GetMenu, GetWindow, GetDC, BeginPaint, EndPaint, InvalidateRect, IsWindowEnabled, PostMessageW, CreateWindowExW, ScreenToClient, IntersectRect, MonitorFromWindow, LoadIconW, RegisterClipboardFormatW, wsprintfW, AllowSetForegroundWindow, EnumWindows, GetClassNameW, GetWindowThreadProcessId, WindowFromPoint, CheckMenuRadioItem, RegisterShellHookWindow, DeregisterShellHookWindow, RegisterWindowMessageW, RegisterClassW, GetClipboardData, IsCharAlphaW, IsClipboardFormatAvailable, DispatchMessageW, TranslateMessage, LoadImageW, GetDesktopWindow, PostQuitMessage, GetMessageW, MsgWaitForMultipleObjects, OffsetRect, CopyRect, MonitorFromRect, CharLowerW, EndDeferWindowPos, BeginDeferWindowPos, DeferWindowPos, EmptyClipboard, IsWindowVisible, MoveWindow, IsChild, PeekMessageW, SetTimer, DrawTextExW, SetForegroundWindow, PtInRect, DefWindowProcW, GetCursorPos, SetFocus, KillTimer, SetCapture, SetCursor, LoadCursorW, IsDialogMessageW, RegisterClassExW, GetClassInfoExW, CallWindowProcW, GetWindowDC, ReleaseDC, DrawFrameControl, GetParent, GetKeyState, GetMessagePos, AppendMenuW, TrackPopupMenu, CreatePopupMenu, MonitorFromPoint, GetMonitorInfoW, DestroyMenu, MessageBoxW, EndDialog, DialogBoxParamW, MessageBeep, SetActiveWindow, EnumChildWindows, MapWindowPoints, SetMenuDefaultItem, TrackPopupMenuEx, GetDlgCtrlID, GetSysColor, GetFocus, TranslateAcceleratorW, LoadAcceleratorsW, DestroyAcceleratorTable, RegisterHotKey, UnregisterHotKey
GDI32.dll	GetStockObject, SelectObject, CreateCompatibleDC, CreateCompatibleBitmap, ExtTextOutW, SetBkColor, SetTextColor, DeleteDC, DeleteObject, GetObjectW, CreateFontIndirectW, SetBkMode, CreateRectRgnIndirect, CreateRectRgn, GetTextExtentPoint32W, GetTextColor, GetBkColor, GetCurrentObject, SetDCBrushColor, CreatePen, GetDeviceCaps, GetTextMetricsW, LPtoDP, SaveDC, RestoreDC, OffsetWindowOrgEx, SetWindowOrgEx, IntersectClipRect, CreatePolygonRgn, FrameRgn, FillRgn, SetViewportOrgEx, BitBlt, CombineRgn, SetDCPenColor, LineTo, MoveToEx, OffsetRgn
ADVAPI32.dll	CryptImportKey, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegOpenKeyW, RegCreateKeyW, RegDeleteValueW, CryptGetHashParam, CryptVerifySignatureW, CryptHashData, CryptCreateHash, RegGetValueW, CryptDestroyKey, CryptDestroyHash, CryptReleaseContext, RegEnumValueW, CryptAcquireContextW, RegOpenKeyExW, RegEnumKeyExW, RegQueryInfoKeyW
SHELL32.dll	SHOpenFolderAndSelectItems, SHGetFolderPathW, SHCreateItemFromIDList, DragAcceptFiles, ShellExecuteExW, SHGetDesktopFolder, DragFinish
ole32.dll	CoCreateInstance, OleSetClipboard, OleGetClipboard, CoTaskMemFree, PropVariantClear, CLSIDFromString, CoTaskMemAlloc, ReleaseStgMedium, CoCreateGuid, DoDragDrop, CoUninitialize, RegisterDragDrop, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, RevokeDragDrop
OLEAUT32.dll	VariantClear, VariantInit, SysAllocString
OLEACC.dll	AccessibleObjectFromWindow, LresultFromObject
CRYPT32.dll	CertVerifyRevocation, CertVerifyCertificateChainPolicy, CertGetCertificateChain, CertVerifyTimeValidity, CertCloseStore, CertFreeCertificateChain, CertFreeCertificateContext

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 11:59:32.653295994 CET	49820	30203	192.168.2.6	181.71.216.203
Jan 10, 2025 11:59:32.658135891 CET	30203	49820	181.71.216.203	192.168.2.6
Jan 10, 2025 11:59:32.658216000 CET	49820	30203	192.168.2.6	181.71.216.203
Jan 10, 2025 11:59:32.693619013 CET	49820	30203	192.168.2.6	181.71.216.203
Jan 10, 2025 11:59:32.703099012 CET	30203	49820	181.71.216.203	192.168.2.6
Jan 10, 2025 11:59:32.703185081 CET	49820	30203	192.168.2.6	181.71.216.203
Jan 10, 2025 11:59:32.707946062 CET	30203	49820	181.71.216.203	192.168.2.6
Jan 10, 2025 11:59:54.029483080 CET	30203	49820	181.71.216.203	192.168.2.6
Jan 10, 2025 11:59:54.029691935 CET	49820	30203	192.168.2.6	181.71.216.203
Jan 10, 2025 11:59:54.035111904 CET	49820	30203	192.168.2.6	181.71.216.203
Jan 10, 2025 11:59:54.041973114 CET	30203	49820	181.71.216.203	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 11:59:32.623963118 CET	60736	53	192.168.2.6	1.1.1.1
Jan 10, 2025 11:59:32.650717020 CET	53	60736	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 11:59:32.623963118 CET	192.168.2.6	1.1.1.1	0x54b9	Standard query (0)	newstaticfreepoint24.ddns-ip.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 11:59:32.650717020 CET	1.1.1.1	192.168.2.6	0x54b9	No error (0)	newstaticfreepoint24.ddns-ip.net		181.71.216.203	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	05:59:10
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\ReaderPDFadobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ReaderPDFadobe.exe"
Imagebase:	0x400000
File size:	5'649'920 bytes
MD5 hash:	5B3F4288F2239F1805E7D5C935FEC648
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:59:27
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Imagebase:	0x650000
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000005.00000002.4043696145.0000000007F91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000005.00000002.4044173599.0000000009600000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000005.00000002.4043308059.0000000006DF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	12.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	22.2%
Total number of Nodes:	18
Total number of Limit Nodes:	1

Executed Functions

Function 0952D320 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

4, xrefs: 0952DCF5

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: f95443c6305d6888204cf16064fb80c6894863bff975b6fb1c50674e31b56881
Instruction ID: 418369eece45c35de4369d2259ef9201b8af2d2b029e2b61f4685d8aa05a184e
Opcode Fuzzy Hash: f95443c6305d6888204cf16064fb80c6894863bff975b6fb1c50674e31b56881
Instruction Fuzzy Hash: 35B2F734A00228CFDB14CFA9C995BADB7B6BF89300F158199E505EB3A5DB74AC85CF50

Function 0952D647 Relevance: 1.7, Strings: 1, Instructions: 495COMMON

Download Yara Rule

Strings

4, xrefs: 0952DCF5

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: f1aa7cd2892a73c4a730e64d0db5d4420c0e0156922548b94be40f505691b819
Instruction ID: 5a69a1c6005cb1e6684779ea5ad91704ab257ccb9b952a324794dca1e07a40e1
Opcode Fuzzy Hash: f1aa7cd2892a73c4a730e64d0db5d4420c0e0156922548b94be40f505691b819
Instruction Fuzzy Hash: AA22F934A00228CFDB14CF55C995BADB7B6BF89300F1581A9E509EB3A5DB74AD81CF50

Function 096AEEB8 Relevance: 1.6, APIs: 1, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 096AEF74

Memory Dump Source

Source File: 00000005.00000002.4044235664.00000000096A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 096A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_96a0000_csc.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3e5353e7125e7e9890eeb10daa9ffbdada002762063e810254af8aaab0e84be8
Instruction ID: f8f26ac3feb353b5afaf414b9413746261905866cd9440501ee7099baa5e3edc
Opcode Fuzzy Hash: 3e5353e7125e7e9890eeb10daa9ffbdada002762063e810254af8aaab0e84be8
Instruction Fuzzy Hash: F9516D347110428FC744EB69D295B7B33EBBBCD368B4954A8D01BCB391DE389C498B91

Function 096A07C8 Relevance: .6, Instructions: 553
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.4044235664.00000000096A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 096A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_96a0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6953c1f05053f2862e1d6fa66858b43a96fbbb5eaabbc61b3e5ab9a33eab1794
Instruction ID: 8d09c007ab570a5b57265c3ceb0ce520d10bafeeaf3d8d04ce20290c55b84a52
Opcode Fuzzy Hash: 6953c1f05053f2862e1d6fa66858b43a96fbbb5eaabbc61b3e5ab9a33eab1794
Instruction Fuzzy Hash: 63221234B002058FDB14DF29C994A6ABBF6BF8A310F1584A9E506DB3A1DB75EC42CF51

Function 09673D2C Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5c6deeb5cba1b11addff9db3434375c6d2fda428fa69583b7813803f96f9c1f
Instruction ID: c97cc5b5e7f618036e0c5debdb9a5cbf352d27adac4e61ff76a373fa4b4b2601
Opcode Fuzzy Hash: d5c6deeb5cba1b11addff9db3434375c6d2fda428fa69583b7813803f96f9c1f
Instruction Fuzzy Hash: 3FD15A30B01245CFDB08DF65E645BAEB3F3BB88314F649469D4069B7A4DB389C86DB81

Function 09673D38 Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4e833456023bd82d94c4ab8834d31beac3e1484e69fe7f79dc7f420cb4130cc
Instruction ID: 32844737f86c87371149ffa634a5ae6c3dfa78889bb3a3994aa42d147b291776
Opcode Fuzzy Hash: b4e833456023bd82d94c4ab8834d31beac3e1484e69fe7f79dc7f420cb4130cc
Instruction Fuzzy Hash: D2C15B30B01245CFDB08DF65E645BAEB3F3BB88314F649069D4069B7A4DB389C86DB41

Function 09676C8E Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b04ebd1e8f2e2f895cddae359163592bf4b4a66aa67d2cc0aa1e69df855d23e
Instruction ID: 4093808e74900d63bb865f8004a23a19166d34382c6bc14f8bb0aa3428c0a92d
Opcode Fuzzy Hash: 7b04ebd1e8f2e2f895cddae359163592bf4b4a66aa67d2cc0aa1e69df855d23e
Instruction Fuzzy Hash: A8C12B34601604CFDB44CF64D699BAAB7F3FF88314F6580A4E4059B7A5CB79AC86CB41

Function 09672488 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9700cbe4da4f10b5025a2b17dbef17118217868a79306c957b88b3b4405a294a
Instruction ID: 097fbee8dc50b4bcd2cbdff2ef35d5cb25f98b5a9da8f80cd85503eb16a94384
Opcode Fuzzy Hash: 9700cbe4da4f10b5025a2b17dbef17118217868a79306c957b88b3b4405a294a
Instruction Fuzzy Hash: 83B14E71E003099FDB14CFA9C9A57ADFBF2AF88714F148129E825E7394EB749845CB81

Function 09671870 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8796edc4cf74bdaeccf514b4f5a5936633d20a677cffbee5b13db3050b0d533
Instruction ID: 79657763d4849130778f2e9c1617746d4c6758f7460cbf574d05b1062ac52031
Opcode Fuzzy Hash: d8796edc4cf74bdaeccf514b4f5a5936633d20a677cffbee5b13db3050b0d533
Instruction Fuzzy Hash: C1916A71E043098FDF14CFA9C9957AEFBF2AF89704F15812AE405A7394EB749846CB81

Function 09674100 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83a7db6502e25efbf63145f537bdd3e1305c365dacf58e75c425aec9e774cb8f
Instruction ID: 7f6d10346147b1af250ef34f4d34468fe411bdba2ac38f193b70a16d11bad1ad
Opcode Fuzzy Hash: 83a7db6502e25efbf63145f537bdd3e1305c365dacf58e75c425aec9e774cb8f
Instruction Fuzzy Hash: DD914930A05204CFDB14DF64E548BAEB7B3FF88314F64956AE4159B3A4DB389C86DB41

Function 05093C4A Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4042893867.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5090000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9e32a4c12f17520d033a246d1652ac47913990d2d9c49d7db2289bb1137b350
Instruction ID: 9268258c14054ecb246e33a426eb28239d033e076fd0f4a36e3296b0a2b7ce83
Opcode Fuzzy Hash: f9e32a4c12f17520d033a246d1652ac47913990d2d9c49d7db2289bb1137b350
Instruction Fuzzy Hash: 43510AB1E006898BE708EF7AF841A9A7BF3FBC8314F15C139C504AB364EB7858158B50

Function 05093C58 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4042893867.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5090000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0a40ccda151a9e4a453cb3b028f8119d9cb4dabe2386e1f69a56ac81bca04f1
Instruction ID: c105e368459f71f35bae510ccc69034517d7610d9751f75c3f30595254b56b0a
Opcode Fuzzy Hash: b0a40ccda151a9e4a453cb3b028f8119d9cb4dabe2386e1f69a56ac81bca04f1
Instruction Fuzzy Hash: 8251E8B1E006898BE748EF7AF841A9A7BF3FBC8314F15C139C504AB364DB7958158B50

Function 0509C1D8 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0509C24C

Memory Dump Source

Source File: 00000005.00000002.4042893867.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5090000_csc.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 45912a2b9748159b584459c37cdf8c0f19cd3a378f1524c96cb1c73967f5f807
Instruction ID: 7fc86e2ec8114497aa4ced34cab8319558e361b2927b892100662931f62aaf56
Opcode Fuzzy Hash: 45912a2b9748159b584459c37cdf8c0f19cd3a378f1524c96cb1c73967f5f807
Instruction Fuzzy Hash: 3B112771D003099FDB10DFAAC844B9EFBF5BF48320F10841AD519A7204C775A904CFA1

Function 0509C388 Relevance: 1.3, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE ref: 0509C3EA

Memory Dump Source

Source File: 00000005.00000002.4042893867.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5090000_csc.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 7c6a1807e41a3931982366df2bc6cdba2d6373f7b909398a35e97a523cc05ee2
Instruction ID: 4b4e4ea924a71c0d242b2c07ee2229df5acaf9b3080d5ccae22ddb31bd6c371c
Opcode Fuzzy Hash: 7c6a1807e41a3931982366df2bc6cdba2d6373f7b909398a35e97a523cc05ee2
Instruction Fuzzy Hash: 23116AB1D003498FEB20DFAAC4457AFFBF5AF88324F208419D519A7240CB79A904CB95

Function 09660078 Relevance: .6, Instructions: 597COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044204004.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9660000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e6d9fd9c2e1b14089a97c5a11e619fee983297d65e7561133964314d9d81173
Instruction ID: b63ad747af66cced3135e7cd6e5ad2645430463876483341a6eb2e08a7272693
Opcode Fuzzy Hash: 5e6d9fd9c2e1b14089a97c5a11e619fee983297d65e7561133964314d9d81173
Instruction Fuzzy Hash: 9D02C270F441158BAB361EBB891523F7ADA9BC8795F144039E903EB3A4DE60DC1BC792

Function 0952F7E0 Relevance: .5, Instructions: 516COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e2d585b3b2dad453a762945d130ea17e29a19fb0281c4b1e7b969e46ea8482
Instruction ID: a65206ae0c56be7979cd189e3c3141c0b13d98df14788133c603f352c7efbc1a
Opcode Fuzzy Hash: c3e2d585b3b2dad453a762945d130ea17e29a19fb0281c4b1e7b969e46ea8482
Instruction Fuzzy Hash: B7228E30E00229CFCB15DFA6E855AADBBB1FF89310F148115E851EB395DB78A942CF90

Function 09675E48 Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b515d58ff0e21d733d54c6bee1bb1dadb27031837b210c996c53086bd40fcce2
Instruction ID: 755f87aa63c508915b1afaea2f95c48c1141e64bb443aff12705749343037202
Opcode Fuzzy Hash: b515d58ff0e21d733d54c6bee1bb1dadb27031837b210c996c53086bd40fcce2
Instruction Fuzzy Hash: 72027934B00B059FDB58DF69C884A6EBBF2FF88710B508629D44AD7790DB34AD02CB95

Function 0952C398 Relevance: .4, Instructions: 374COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7610d101b6e09fc92a03700be4da28c689a22bb3a623e68e77f19e9206103afc
Instruction ID: a0482d76e898357e10fe855854613dcfe9ef01f037fba7a0dcfa3964624a69dc
Opcode Fuzzy Hash: 7610d101b6e09fc92a03700be4da28c689a22bb3a623e68e77f19e9206103afc
Instruction Fuzzy Hash: 88E19B35B002159FCB14CFA9D855AAEBBB6FF89310F1580A9E845EB391DB75DC01CB90

Function 09660810 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044204004.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9660000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e958952850e2b41de85238de78e846f88b3e550f9056ecb17a698484e4ba9dac
Instruction ID: c33c8d9c4f7bc1d8755938b865a462fde1c4130e971a6346759a97c031bb68e1
Opcode Fuzzy Hash: e958952850e2b41de85238de78e846f88b3e550f9056ecb17a698484e4ba9dac
Instruction Fuzzy Hash: DEC17E38B041058B9F5AAF76A06917D7BEBEFC9344B14402DE807D73A0DF399C2A8B41

Function 09675AA0 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f2d68db25a9d3a3786e0544f37705dca2dc10e0e3dc50f2613a98bd849521ad
Instruction ID: e521ae46204c6675be13c763508093bb13ca51e521576fe9587ddfaaaf30b7ac
Opcode Fuzzy Hash: 4f2d68db25a9d3a3786e0544f37705dca2dc10e0e3dc50f2613a98bd849521ad
Instruction Fuzzy Hash: 139103317043504FE716AF78986172EBBA2EFC6610B5484AEE50ACF3A1DE359C06C7A5

Function 09521741 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 915fe4459da12d3f43a4b814c7f1645bd1d38ccdbddf33da8b54600585a46360
Instruction ID: 9d9ef37bec89154901a2b4f4f93c7983b0760367469f27a4e96bf4dd6076dcce
Opcode Fuzzy Hash: 915fe4459da12d3f43a4b814c7f1645bd1d38ccdbddf33da8b54600585a46360
Instruction Fuzzy Hash: C8B1BD34A046909FDB08DF69D895A5EBBF2FF89310F1581A9E506DB3A1DB70EC41CB90

Function 0967247C Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a77b1ca1e8112efd273dbd6594124acfdabdef687bfd731cc383c56c58d79cd9
Instruction ID: 7efed7d54ae61ed95c951d1b02054bfea7f6c5558497939e4d65bd0de03d121a
Opcode Fuzzy Hash: a77b1ca1e8112efd273dbd6594124acfdabdef687bfd731cc383c56c58d79cd9
Instruction Fuzzy Hash: 3BB14B70E003099FEB14CFA8D9A579DFBF1AF48714F248129E825E7394EB749845CB91

Function 09671864 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d33508c529c93f6a03d9f776aceb9e5f6d61dae2fafd44091120be5436c2a99b
Instruction ID: cd2370797ec367033c10288ee11725403507dafc550b8017788f287c9065baec
Opcode Fuzzy Hash: d33508c529c93f6a03d9f776aceb9e5f6d61dae2fafd44091120be5436c2a99b
Instruction Fuzzy Hash: 8CA15870E043099FDB14CFA8C9857AEFBF2AF89704F15812AE405A7394EB749846CB91

Function 09660CC8 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044204004.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9660000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8db971ad35be19e487e5ef8b8340ccb9213d860c74f22ee5d30a5b26f76a6df4
Instruction ID: 0934a29ad03b49e40459424c4298e548068120c1dda257b42a7df6203acf47ec
Opcode Fuzzy Hash: 8db971ad35be19e487e5ef8b8340ccb9213d860c74f22ee5d30a5b26f76a6df4
Instruction Fuzzy Hash: 04515F7070018297EB085E9F849872BFAAE9BD4704F54443DB706C7368DFB59C4A8792

Function 0952F0A0 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4db5fde93be31dde4e0dcef12f509f6b0c474c57f88bf33684f16de10a9c4840
Instruction ID: 68e35064e3dece0b39927cca01a153c9d2d7e7123f27785b1a62fc84cf5bc90c
Opcode Fuzzy Hash: 4db5fde93be31dde4e0dcef12f509f6b0c474c57f88bf33684f16de10a9c4840
Instruction Fuzzy Hash: 4A516734B002119FEB19AF75D85562E77B2BFCA744BA0446DD906DB3A0CF35AC06CB91

Function 09525240 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02f589faf0de57222f00f384446b9427223fcc1ef83bed755430b6be23f3b053
Instruction ID: bac55753363cc84505c647eead0c7a384f9e97c989c1d43a42cb5f1bba9142e3
Opcode Fuzzy Hash: 02f589faf0de57222f00f384446b9427223fcc1ef83bed755430b6be23f3b053
Instruction Fuzzy Hash: CB618C70B04214CFDB28AB65E508B6A77A6FB86385F058879E406CB7C0EB7CDC46CB51

Function 09521790 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24f850292aeb3416c656babda8aae76c02d3587fe2c8ce96f7ae7e530d564753
Instruction ID: c8acc1b711c0a664569e0a26f50e5f4c5375e70697101a43da8a73815ff88dfc
Opcode Fuzzy Hash: 24f850292aeb3416c656babda8aae76c02d3587fe2c8ce96f7ae7e530d564753
Instruction Fuzzy Hash: 4B616D74A00A50CFCB14DF69D58495ABBF2FF89320B558269E406EB3A1DB30EC41CF90

Function 0952AC68 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaab68b8412f38ae3325592b402b7d5df0a1eb9709222c0c0b554268b1006659
Instruction ID: 9a5b570aac7d2ca25e07a2caa86db61a5347360995d6a060dfb1fcc790a28681
Opcode Fuzzy Hash: eaab68b8412f38ae3325592b402b7d5df0a1eb9709222c0c0b554268b1006659
Instruction Fuzzy Hash: 54515A76600104AFDB459FA8C805D2A7BF6FF8D3147168099E209DB372DA32DC22DB51

Function 0952B680 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4da79d60bada10ef159a56261ab099eb858035668e04a404bdf49b878731faf4
Instruction ID: 1dbedf7030febbbd5eae54dc5a6a7ad5b361e627cd46ed387b474301ec4df8b9
Opcode Fuzzy Hash: 4da79d60bada10ef159a56261ab099eb858035668e04a404bdf49b878731faf4
Instruction Fuzzy Hash: 7551CF346047518FE3259F3AD48035B7BE2EFC6310F148A2DE49ACB6A1DB74E845CB61

Function 09677130 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2962c26656dcf0ea1fc203951111a4a7b10ce1e32cd9ba921abac0ea9b1d917
Instruction ID: efaeab76a83957f43de6f1a451db11ee21d72720f49a3d4b03de2d1ff9c9e5dd
Opcode Fuzzy Hash: d2962c26656dcf0ea1fc203951111a4a7b10ce1e32cd9ba921abac0ea9b1d917
Instruction Fuzzy Hash: 3E515D30A05241CFDB18CF18D689BAAF3B2EB84354F18C079E4298B795D7799987CF45

Function 096756B1 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4ede41ca6ff111c52925e66c69150c1af505b3a1b252c8690537e572ec6794e
Instruction ID: c0246505704379ece6ebf9c25731d88e23afe17872f46ef61e0b1c7183266fea
Opcode Fuzzy Hash: b4ede41ca6ff111c52925e66c69150c1af505b3a1b252c8690537e572ec6794e
Instruction Fuzzy Hash: 3D419D35A01300DFEB15CF64D995B5ABBB2FB89314F2481B9E11A8B7A1C779AC42CB41

Function 0952BC88 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 611e6a913930d67c81ea2dbf013ad9126c25fdef46d4de275bc9d9865a768110
Instruction ID: ced1b047903831bda5555e3257a48e0faa26f6f9627a8a7d32dfd300555ec09b
Opcode Fuzzy Hash: 611e6a913930d67c81ea2dbf013ad9126c25fdef46d4de275bc9d9865a768110
Instruction Fuzzy Hash: 6641AC30A00616CFDB00DF69C494AAAFBB5FF8A320F15829AD555EB291C730EC42CBD1

Function 096756E0 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5089c0ed2dd7214eb6fce3dc240812c41c77ea5cc77334775123dc4be22a8ed8
Instruction ID: f6a1e2b721a0d4893301edd018d74cb642c531ce61584bde1c1d0c6c961d15d1
Opcode Fuzzy Hash: 5089c0ed2dd7214eb6fce3dc240812c41c77ea5cc77334775123dc4be22a8ed8
Instruction Fuzzy Hash: DC419A35A00304DFEB14CF65DA94B5AB7F2FB88311F5481B9E11A9B790C779AC82CB51

Function 0952B510 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6789934093a991fefe542339cccbec91a5017c53ab63e75574e5a77e170daedd
Instruction ID: a1f265a503b0f5f238707282ed88484ab5e11c5200dbbbbe168bad4f7293c113
Opcode Fuzzy Hash: 6789934093a991fefe542339cccbec91a5017c53ab63e75574e5a77e170daedd
Instruction Fuzzy Hash: 4F31E4367002559FEB055FA9D8946AE7BA6EFCA320F54413AF905CB361DA31CC068760

Function 0952C848 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82b2536f016a60b1e7550ff716e0586c6bba91af1efed06a3f62dea86015ebea
Instruction ID: 5bce469608867c5125745d17a4895654366869dfd73354a599815192c75f8520
Opcode Fuzzy Hash: 82b2536f016a60b1e7550ff716e0586c6bba91af1efed06a3f62dea86015ebea
Instruction Fuzzy Hash: 8641D271A042268FCB14CFA6C8417BEBBF1FF8A710F0084A9E495E7291D734E945CB90

Function 06BDEDE0 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4043254937.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d146d5780d31bf96741ef9de6f2e13e43e9c754b0bc86a2e4e3a29b9b377b33
Instruction ID: cbdad189fd0c9f64c51b88d4aa207c220f3b22ea6f6e9490e1f035b5744aad01
Opcode Fuzzy Hash: 6d146d5780d31bf96741ef9de6f2e13e43e9c754b0bc86a2e4e3a29b9b377b33
Instruction Fuzzy Hash: 2231C1B5F412618FDB94EBB9985426EB6A6EBC4210F0544B9DA1AEF240FE34CD0387D1

Function 0952B3B5 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6a70d282af6448d5cb9e225ee58514d35ccf3f29774d8a426a0c4014e882d5a
Instruction ID: 7ffea0c6110c6b8b75c48542c0f61fe4cce518a0de8d231a14a3f6ff4434b79b
Opcode Fuzzy Hash: b6a70d282af6448d5cb9e225ee58514d35ccf3f29774d8a426a0c4014e882d5a
Instruction Fuzzy Hash: D0417A35A24214DFCB04DFA8C8949DA7BF6FB8E320F05451AE815EB3A0CB359845CB90

Function 0952D30F Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e53604808986a984fc913df22c43dd143b1d13dc1385ac7f7e5486c72d3e2c84
Instruction ID: 8358e4aebbf687fc5b805f040eea825997d454b7285fb6d853f15044fac10fdf
Opcode Fuzzy Hash: e53604808986a984fc913df22c43dd143b1d13dc1385ac7f7e5486c72d3e2c84
Instruction Fuzzy Hash: 8841D174A012248FEB64DF25C991F99B7B1BF59310F1041E5EA09AB3D1D671ED81CF90

Function 0952B671 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ae2a232723a3266d7cfea4c6dfa66228428c2a4c3fe6572e537375f9a966eae
Instruction ID: 0ca6d2c2f7b1cb34c2e62ebf90baecf47a96a8d88d28b217c5ac92533ddd57b8
Opcode Fuzzy Hash: 4ae2a232723a3266d7cfea4c6dfa66228428c2a4c3fe6572e537375f9a966eae
Instruction Fuzzy Hash: 1F318D75100B118FE724CF2BD580356BBE1BF86350F148A2DE59ACB6E1EBB4E8458B50

Function 0952A97E Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b748765062bffead34920037df47d0a1e895f75632939f03098dc83850d03170
Instruction ID: 1381669d0eea6f7ac6699ea688bdf8a9ae72ba945937e1b09ef8a978dea5a17d
Opcode Fuzzy Hash: b748765062bffead34920037df47d0a1e895f75632939f03098dc83850d03170
Instruction Fuzzy Hash: 3321E5316142059FEB14EBA8D89679EBFF9EF85304F00452DE109EB281DFB49D068BE0

Function 09525D41 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91270e8ab085343142b3ec222fe8c61f89c84ec15be00bced407fc48ee157030
Instruction ID: 1f98cc9d40d9cb24c196a52b46994cb0c4559bd9bb4cd35f4753c14f991b8871
Opcode Fuzzy Hash: 91270e8ab085343142b3ec222fe8c61f89c84ec15be00bced407fc48ee157030
Instruction Fuzzy Hash: 05317C75A002159FD704DF65D559BAEBBF1FF89310F104469E402EB3A0EB349D41CBA0

Function 0967723A Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27a50b7c503aa228ae4908786359dd2d07d6820aa1b6787594b5e96c77a96e06
Instruction ID: b0d7f726e3cbfc13192fb786c6b7142112bcf4b2f43245966f3b87f6e76db4ac
Opcode Fuzzy Hash: 27a50b7c503aa228ae4908786359dd2d07d6820aa1b6787594b5e96c77a96e06
Instruction Fuzzy Hash: C3315A30A02341CFDB18CF14E689BA6F3A2EB81354F18D1B5E4398B795D778A896CF05

Function 09677299 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c1936389fbab13dae9332750a8484d3b17afaf100de0b36ab3e3007602bc0c8
Instruction ID: 481f8f010ce1259f4d26a3083b787793c4f10c172571823df302e4078cd264d1
Opcode Fuzzy Hash: 3c1936389fbab13dae9332750a8484d3b17afaf100de0b36ab3e3007602bc0c8
Instruction Fuzzy Hash: 2B314B30602281CFDB18CF14E689BA6F3A2EB80354F18D1A5E4398B795D3789896CF05

Function 0952F707 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 340d46fb72c05eaae6f7a5f4bd31d2b4e8b6568c8fafb8c790fc8670c1963f52
Instruction ID: 3306e9d9d14e914d7d561ffbcd1dc6a9903e2a5f09596c0f8e25b3372c3d483c
Opcode Fuzzy Hash: 340d46fb72c05eaae6f7a5f4bd31d2b4e8b6568c8fafb8c790fc8670c1963f52
Instruction Fuzzy Hash: 132169743001549FDB05CF2AD840AAA3BFAFF8A340B0940A6FC55CB2B1DA75DC51CB20

Function 0952EB70 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb14ba50c4bc45bf2787a0f83516cbafff7dd13f035597fbb7ff11bd4770b3a3
Instruction ID: ca4e5b64868e742fefc8793cf4f92eb0489e4f68218fba8e10b8f87e00d4fa83
Opcode Fuzzy Hash: cb14ba50c4bc45bf2787a0f83516cbafff7dd13f035597fbb7ff11bd4770b3a3
Instruction Fuzzy Hash: 4C214C31E00229DFDB10DEBAC805BAEBBF5BB06340F508466E915D7290E634DA44CB91

Function 095261A0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb0ec41f6117f109f87f09d47b30594567bf5d9286e359cd86e0e72f70af3afb
Instruction ID: 9c3dea23c78bc5cf5b3b3bace6ba5fddc5051164d78bcdfff9fea4151c598bcf
Opcode Fuzzy Hash: cb0ec41f6117f109f87f09d47b30594567bf5d9286e359cd86e0e72f70af3afb
Instruction Fuzzy Hash: BC113631B022B49FD7209A6AE414B6B7BA4FBC6320F06447BE405C72D2C734DC8587A2

Function 0952B428 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df708502f95ae5059e2fe153180336702ed7d8cbf111a228c36944d021511bcd
Instruction ID: 43c618f5db0b8c3ffcf1d794af31490b5c3c33270333ff59d01addfa8b9d64cc
Opcode Fuzzy Hash: df708502f95ae5059e2fe153180336702ed7d8cbf111a228c36944d021511bcd
Instruction Fuzzy Hash: E6216A35A00118DFCB148FA9C8549DEBFBAFF8D320F148129E815AB390CE759845CBA0

Function 0952A0C0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caabde804a1f4a6a7eb4c6aa30130768e12cf667c59bbf3037cd85625e3186b2
Instruction ID: ebea7fd7ec4f6b2ca245901274744bda2443f7c7743c80a363622460217a920e
Opcode Fuzzy Hash: caabde804a1f4a6a7eb4c6aa30130768e12cf667c59bbf3037cd85625e3186b2
Instruction Fuzzy Hash: 7711A0313081108FE3548E6AD958B97B7E6FBC6720F268476E50DCB7E6DA74AC42CB50

Function 0952BDC1 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 347037e96b26433236c3ec1ca160ed8304077bc9df5f352df32a7b602d213393
Instruction ID: 508bb7e2c4d150c77a5cf885f47186656ebde798f0a8786e8cdb4da47c497f02
Opcode Fuzzy Hash: 347037e96b26433236c3ec1ca160ed8304077bc9df5f352df32a7b602d213393
Instruction Fuzzy Hash: AD118675B501159FCF549F799855BBA7BF5BF89700F14412AF505EB280DB31C901CBA0

Function 09674D8F Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23c34953ded5d9dc70d1b7f05b908001ee6e142939a5c07017100e7ebc63ff19
Instruction ID: b444544b6f3351a256ff6daa863432b0daa28241548fa14e74ff09fc01a42819
Opcode Fuzzy Hash: 23c34953ded5d9dc70d1b7f05b908001ee6e142939a5c07017100e7ebc63ff19
Instruction Fuzzy Hash: 6A213930D1124DDBCB04EFA8E59469DFB72FF85300F508669E842673A8DF346946CB41

Function 09673243 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c2888ff6645d78457e3991afe2836adcd9df1ac374c5669e61a6e793e7a3e1
Instruction ID: 2abd72f5fa8cbf0a21cf5aae2171f537d488f64d8f7504249dd6420cee05b50f
Opcode Fuzzy Hash: 93c2888ff6645d78457e3991afe2836adcd9df1ac374c5669e61a6e793e7a3e1
Instruction Fuzzy Hash: A0216A30701281DFE704DB64E695FAA73E2AB89350F4550B5E6168F391EB389C89CB16

Function 0952A0D0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97f8aee223cb91d7a97b351096a223b04d949c312ca5d3f117ba1a174fa9a850
Instruction ID: a4ba718cc159d55e2fe83290056636fdf55e95c36d4236b2ae281801ee67c32c
Opcode Fuzzy Hash: 97f8aee223cb91d7a97b351096a223b04d949c312ca5d3f117ba1a174fa9a850
Instruction Fuzzy Hash: A9116D313041108FE3548E5AD948B6BB3E6FBC9724F258479E509C77E6DB75AC41CA40

Function 0952BB41 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef9a891b094ce8e8024fd7cade36884c402126875649a61ec6238c4ef840bed9
Instruction ID: d684e23f6a07284545e5e8597de8314e082cf02b6515b94f50d5eb2acb0b9304
Opcode Fuzzy Hash: ef9a891b094ce8e8024fd7cade36884c402126875649a61ec6238c4ef840bed9
Instruction Fuzzy Hash: 02215F79A02619DFCB04CF69D594AADBBB2BF4A300F144154F901EB365DB34AD41CB50

Function 0952BA12 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 999ec762cd079b4b18cf023b1af37e7c651c6a9f24789bf6feede98420253969
Instruction ID: f60d2f17b25c991163782fdb6ff21bd99629b1cc4b8547cca0accb2f04483e1e
Opcode Fuzzy Hash: 999ec762cd079b4b18cf023b1af37e7c651c6a9f24789bf6feede98420253969
Instruction Fuzzy Hash: 7B11A535340259AFDB158F59EC95FAA7BA9FB89710F004067F905CB2A1C771D9008760

Function 096748B0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90673ad9d8a538b18192e5da6aaceaa8d918d2f93b11815c1443af06aae5ac39
Instruction ID: 20f54807b21beb7ff7c27265d8422429b736553e6e6589b4b080bb3edb0cc87d
Opcode Fuzzy Hash: 90673ad9d8a538b18192e5da6aaceaa8d918d2f93b11815c1443af06aae5ac39
Instruction Fuzzy Hash: E401D8317073E19FD7167F34441426D7BE29FC6610B1804BED1828F382ED29C842C784

Function 096759F7 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5168853b7a6077165dce2abc82e95be793ca0d7f4a233164fd01f4511eeb80b
Instruction ID: d530c5286dd7634816c33c3253f0ffdb2f39ea281f1fd144e212b949715d9484
Opcode Fuzzy Hash: e5168853b7a6077165dce2abc82e95be793ca0d7f4a233164fd01f4511eeb80b
Instruction Fuzzy Hash: FB018B30A00204ABDB159F65D4596AEBFF6EF8C311F10406EF802A7360CF754D05DB91

Function 096748C0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 266da2d98a64f610020e752ae782dc5054d00ade2bfe416a67c7b738a374f15c
Instruction ID: dcf8d191560368f112d3f9100611e14b3321b4aac4fe6ce249b1923e2509d948
Opcode Fuzzy Hash: 266da2d98a64f610020e752ae782dc5054d00ade2bfe416a67c7b738a374f15c
Instruction Fuzzy Hash: ABF06231B063A29FDB193B74581462E7AD65FCAA11B15087ED5468F381EE3AC88683C5

Function 0952A897 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28b04c226c969c8720efe67189d34925e1e3b883bc32d8837e63e88b8ca0c58d
Instruction ID: 78ec31c7c483284fcf500c6595820193fff4026b6a8d02bae0c1816058afda29
Opcode Fuzzy Hash: 28b04c226c969c8720efe67189d34925e1e3b883bc32d8837e63e88b8ca0c58d
Instruction Fuzzy Hash: 9E01DE32619298CFD742EBBCE9A12987FB0EF47314B14189BD404CB252DA71AD09CB95

Function 09675A08 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31ad557a19e45a6e0675f09b92e8348ba0ea31e950d494c1a0441a6eaa1afd5d
Instruction ID: 0446a9bc32811f76e0811376991f3c803a338bb06d73ecc66a7eb2e0296dfa50
Opcode Fuzzy Hash: 31ad557a19e45a6e0675f09b92e8348ba0ea31e950d494c1a0441a6eaa1afd5d
Instruction Fuzzy Hash: 6B01B130600218EBDB149F65D8195AEBFFAEF8C310F10446AF802A7350CF765D05CB91

Function 0952AE4A Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ca1ef23c947496b86a18cfa1e12ad896eeb38a24244d85f6196eed1fd93aeb8
Instruction ID: f8d14c44b345a55ead8b1503bf2eec1d8ecc70fdf7557ec6968f25fe1778e61e
Opcode Fuzzy Hash: 3ca1ef23c947496b86a18cfa1e12ad896eeb38a24244d85f6196eed1fd93aeb8
Instruction Fuzzy Hash: 7EF02831B082115FE7164A696C10B6BFBA9BFC9320F19446AE105DF3E1CA759C4283A0

Function 09673A28 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94bc4f33558895fb524dde5ce214ee5c0840aaddb3ec8d8dafe513bd6f79c154
Instruction ID: deac9281a49b6f6d7ef9892bfc9246c82f11296bfb7a3dd7df96e338ca0d4cc7
Opcode Fuzzy Hash: 94bc4f33558895fb524dde5ce214ee5c0840aaddb3ec8d8dafe513bd6f79c154
Instruction Fuzzy Hash: F0F06231601219AFDB40AEB8D846AEE77A6EF89314F4000BAE105EB361DB359C158FE1

Function 096749E0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73ceaa9b4ad3179da04d09ffb890212b6477e6b732ad4545d9a6b5f5e0c7f996
Instruction ID: 3e33011936c87b043c5dbb352f16ab23c75fae09568b73303cb77125ba58566e
Opcode Fuzzy Hash: 73ceaa9b4ad3179da04d09ffb890212b6477e6b732ad4545d9a6b5f5e0c7f996
Instruction Fuzzy Hash: 64F0F632A15208DBCB24CEA5E58879AF77BE7C0350F018136E50193368EF756844C785

Function 096749D5 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3de0ac05e19b55bafb02abb98d8886c724abaac98e0596f058802c3b7f522cf8
Instruction ID: b2a9372674130bf6d8cf28d13e2d862e07b2c24338ba6c683767b6ee013ece0e
Opcode Fuzzy Hash: 3de0ac05e19b55bafb02abb98d8886c724abaac98e0596f058802c3b7f522cf8
Instruction Fuzzy Hash: 47F0F031616354CFCB1A8F20E588A5AF777EB80340F11843DE4028B378EF755846C785

Function 0952AEB0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de1ffe313d08b5e9efe5bd420f26aba7d6d57d7a296bc7afaa2d97b7f425a719
Instruction ID: 452270e000e28dedf1abc942249b0cf001123638f79a580504bc8748d1151767
Opcode Fuzzy Hash: de1ffe313d08b5e9efe5bd420f26aba7d6d57d7a296bc7afaa2d97b7f425a719
Instruction Fuzzy Hash: 99F02E62F4D2619FE7161BA95C61379BF61EBC6340F0444AAD145CF3D1DE9ADC438350

Function 09674C89 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b1478cab98248bca247c7002ec82ea8740e9319dc5c43e2d76f997822e7ed35
Instruction ID: 4dd4cb192e83f4824d520e3cdef933e22b6d6645c86f2cef843d6db840b03d80
Opcode Fuzzy Hash: 6b1478cab98248bca247c7002ec82ea8740e9319dc5c43e2d76f997822e7ed35
Instruction Fuzzy Hash: 3FF06D30316245DFEB1C9B24A29837EB2A3ABC4314F554579C5075F3ACEF782C86878A

Function 06BD0769 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4043254937.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab027bfa91c06983d69bd28ff01ea4f29cb03b857542b3d877f12679a6444b69
Instruction ID: 868d33afb4e238757295422c2e5461455dc3a08822b7cf1bc81853d6b0751833
Opcode Fuzzy Hash: ab027bfa91c06983d69bd28ff01ea4f29cb03b857542b3d877f12679a6444b69
Instruction Fuzzy Hash: BFF096B7D08120FBF7569FB6941569DFB95DB45312F0980BAD409EF101FA3449018F91

Function 06BD0778 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4043254937.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f8f2d73f5575c21933e28313caf18b9e7033de0ad41ca906627cffa55d87689
Instruction ID: 15c75a151f3775a13972929bbe1a5431f5288e9722f9ac967da4db7493c78632
Opcode Fuzzy Hash: 4f8f2d73f5575c21933e28313caf18b9e7033de0ad41ca906627cffa55d87689
Instruction Fuzzy Hash: E8F08972D18124BBA755AF7794045DEFBA9EB88712F05C1B9D409DF100FA3058018FD1

Function 09674C62 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0341e7ba9524faeadaea7fabd667f512c2c9027c2323fd2e5ec99f144cc97ee1
Instruction ID: 0ba2852fb92d3f89b47a66050350b0cb79a412aac1965d61414773f1135af0f4
Opcode Fuzzy Hash: 0341e7ba9524faeadaea7fabd667f512c2c9027c2323fd2e5ec99f144cc97ee1
Instruction Fuzzy Hash: 65011931116240CFD318CF24E28CB65F3A3AB40321F5692A5E4120B7B9EB78A986CB48

Function 09673A38 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ae7bd86ac335ebda9993cdf8ba46e188e61e361f7e5bd81da9338f4d38e8cf
Instruction ID: bb4666bd06227faa2624c371f65a1572bb8d52ae2787c341badc46e8425ef55c
Opcode Fuzzy Hash: e0ae7bd86ac335ebda9993cdf8ba46e188e61e361f7e5bd81da9338f4d38e8cf
Instruction Fuzzy Hash: 37F08C31B012199FDF00EAA9E809ADE77E6EF89315F4000B5E105AB361DB39AC098BD1

Function 09673C20 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dfe4eeca82b26d56b13b3546e5cf50bd669e8db85e84457a14041fb1bcf8474
Instruction ID: fb6a03aea3049feac7dbb6dcdf9a5bc48d866409bb08a1968b539098ee12b2a8
Opcode Fuzzy Hash: 0dfe4eeca82b26d56b13b3546e5cf50bd669e8db85e84457a14041fb1bcf8474
Instruction Fuzzy Hash: 74F05E31A04349EFDF08AFB4D5056AF73B5AB85314F01487AD5029F351DB39884ACB91

Function 09521AE0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48fbf7ec3408c395ed44ed914d3dcbb83e905ed674512fa93d4ff404a2a42986
Instruction ID: 6c83166d8bab4c26b6beb1f22e7e8171d43f818b11336d4aba4bc4583affeb72
Opcode Fuzzy Hash: 48fbf7ec3408c395ed44ed914d3dcbb83e905ed674512fa93d4ff404a2a42986
Instruction Fuzzy Hash: 34E0122170021867F70825BE5C55B6BB99EEBC5654F24803EA509C739ACCA19C4203E5

Function 0952D210 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fb7449dabf56eca4707fc57ca84b5e0aab92e44d3e272720cd9fe62581942c7
Instruction ID: 378511b5848be4178afea210f9e41c4815466d7367828d21cf14fe04a6347c88
Opcode Fuzzy Hash: 6fb7449dabf56eca4707fc57ca84b5e0aab92e44d3e272720cd9fe62581942c7
Instruction Fuzzy Hash: 81F0BE71908218AFCB0ACFB4D048ADDBFFABF85300F05809AE005EB1A1DB380A81CB50

Function 095222D9 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24558fec76f981524b5684db53dfb1305d9aadbf641a4ce66980e6f2d2f40462
Instruction ID: 37e02355577c5135940b1ca9e7def349bc406462aed395529e92a9f71f3ecc83
Opcode Fuzzy Hash: 24558fec76f981524b5684db53dfb1305d9aadbf641a4ce66980e6f2d2f40462
Instruction Fuzzy Hash: 63F09031A19270DBEB38AE52C851B6A76707F06300F4600F4EA29EB2C0D330AD418FA2

Function 09674A40 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d50f7bd7e56cff10f0c949b8ad44f8183a51f6d42f7729597cfa9935c7243293
Instruction ID: 1edff62c32cecc92481481e7b4920c9848fc01c6665160e12ea1504f730d9ce6
Opcode Fuzzy Hash: d50f7bd7e56cff10f0c949b8ad44f8183a51f6d42f7729597cfa9935c7243293
Instruction Fuzzy Hash: 50F06530715255DBFA5C6B34915437DB2D3ABC4704F504878C5075F398EF382D46838A

Function 09673C30 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a8410e54ba6a1a6bef7c89b42b92dd56d23821ea4b787238beafb91378b3cce
Instruction ID: 51428b5ef632df7f012323cb00b9cf6384366c53190bdf3c1f85fc624e0ea7c7
Opcode Fuzzy Hash: 1a8410e54ba6a1a6bef7c89b42b92dd56d23821ea4b787238beafb91378b3cce
Instruction Fuzzy Hash: 66F06D30A01349CBCF04EF78D5146AEB3B69B85315F018879D5029F341EB39984ACB81

Function 09672978 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 095a688e9302eb0fd69517984b428349530974dfc399ce499b4dfb278dedd9c0
Instruction ID: 2159bd5def1e3aac5ce8c13f0c5cb22900d2ea8f775e2fdb57e773af57fb9468
Opcode Fuzzy Hash: 095a688e9302eb0fd69517984b428349530974dfc399ce499b4dfb278dedd9c0
Instruction Fuzzy Hash: 88F0393590420AEFCB44AFA9C51ABBBB7B9EB84310F41807AE156D6220D7385916CFB1

Function 09674988 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e42114fb9460ad6870036f3fc638e9aac139d4d47011e9d7a32044eaecc59496
Instruction ID: 2e20746f08d564209e19cb69edd9d2453863725ce220744b3cc7f35f9d439b8e
Opcode Fuzzy Hash: e42114fb9460ad6870036f3fc638e9aac139d4d47011e9d7a32044eaecc59496
Instruction Fuzzy Hash: E0E0E5302043449FC707AB3D95056553F72AF82614B0000BAD1048B222CF7A9C95C3D0

Function 06BD2430 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4043254937.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecca6e790c28e3208a728768cb1a703c268066b2f5aa74b7a86a8c39b907f9db
Instruction ID: 75cba36bf52c56190bd7d11c499eab0a423423191c05cb19cc23ef8cb963a086
Opcode Fuzzy Hash: ecca6e790c28e3208a728768cb1a703c268066b2f5aa74b7a86a8c39b907f9db
Instruction Fuzzy Hash: D4F0AF75D15625CFD790DF24C884A58B7B1FF09321F1510E9D959AB360DB349D80CF41

Function 06BD45CA Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4043254937.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9494522d41f07facb2171eb150179a59b23de69b4f6e976170c9a72d6568122
Instruction ID: 0cffcb259309abd81228454828acda6fe00fc1ce7c694712af75e8da7701d095
Opcode Fuzzy Hash: b9494522d41f07facb2171eb150179a59b23de69b4f6e976170c9a72d6568122
Instruction Fuzzy Hash: 04F0E7B8E04624CFCB64DF24C988A98B7B5FF48311F4100E9D909AB750E734AE85CF41

Function 09529252 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 330436a6d767b7401014c9c0206647d7905b6180e0d6014b4277a573ba33314d
Instruction ID: 0359174a9c9fef7cd2445cd4c13b1e44f9c660c36ed4ca4f2863c623b5b87bf1
Opcode Fuzzy Hash: 330436a6d767b7401014c9c0206647d7905b6180e0d6014b4277a573ba33314d
Instruction Fuzzy Hash: CEF0E574B000108FD744EB79D56873E37E6EFCD258B1594A9D51BE7390DE34AC028B95

Function 09674C50 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 601f93b791d5963cedaef84f6a908654f7bdcdf0bf0947cb6d60ed64d0bef1d3
Instruction ID: 48b9c9acc5d3be55a12b4e4ec96c5010dbbf4d197ac672b676d82e8155ea1663
Opcode Fuzzy Hash: 601f93b791d5963cedaef84f6a908654f7bdcdf0bf0947cb6d60ed64d0bef1d3
Instruction Fuzzy Hash: 1DE01230315245CBEB1C9B20929837EB2E3A7C4314F558479C6174B7ACEF786C87874A

Function 09674B8B Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abc1f3f351ad6b2d25a9e02a7d45b6727f68814a47a0a28f056520bcf83eeb33
Instruction ID: 91c376564c4f2fe07ab7699c7cff6534a1fddb23423bfc400332e4303478780b
Opcode Fuzzy Hash: abc1f3f351ad6b2d25a9e02a7d45b6727f68814a47a0a28f056520bcf83eeb33
Instruction Fuzzy Hash: 6EE09235606210CFC3148F24D188B96F3A3EB86354F2585B5D1064B36CEBB5DC85CB85

Function 0952F2A8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d2d249a274b7a4da2544c64bb66ee168d996a4a481b7c9dc7dd6a4644d6be72
Instruction ID: 09da584ebb0cbe648827927e53dc530369a40cc5c428170be8ead2ffa6302181
Opcode Fuzzy Hash: 2d2d249a274b7a4da2544c64bb66ee168d996a4a481b7c9dc7dd6a4644d6be72
Instruction Fuzzy Hash: 6AE026397803248BC710A6B29C0271632A46B87741FB04865EE08DF2D0C862EC028355

Function 095215F5 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6272ba09579d63d3b55c40d1642d064a5830a0e90c002648e4587748c96e8ff6
Instruction ID: aec06fc61d5e68de00b343992e322e857c6b23214b62a00bf531ed5278ed321d
Opcode Fuzzy Hash: 6272ba09579d63d3b55c40d1642d064a5830a0e90c002648e4587748c96e8ff6
Instruction Fuzzy Hash: 3DF0F874A09548CFC748CF68E5A5BAA77F1AB4C314F504069D51BE73A0DB396C44CF14

Function 09526EDB Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e567e5c7fda6e847af0e61a3540d603023a7b7f2662d77083fff2bb26f5d140
Instruction ID: 3c872ba46d30c86cfd51482079a55c1eb46f9923fdf0faad021c2902eacc08d6
Opcode Fuzzy Hash: 2e567e5c7fda6e847af0e61a3540d603023a7b7f2662d77083fff2bb26f5d140
Instruction Fuzzy Hash: A0E09234B061A9CBDB248F26E4446673766BBCA355F05843EC44AD62C8CF349C019B82

Function 09672988 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc4ab09e2c14ae8c6b1c0d05baf2769c57b503e36b7aeac705b3325cd4d6fad4
Instruction ID: 19125332cd2d8d494e3c5416d8f5944eee78f59cad786a0339fe749bccbcceaa
Opcode Fuzzy Hash: fc4ab09e2c14ae8c6b1c0d05baf2769c57b503e36b7aeac705b3325cd4d6fad4
Instruction Fuzzy Hash: 07E04635E0420ADFCB00EE6AC6197BAB3B4EB84321F004475E629A7200E7382526CB92

Function 09674998 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69d06f7f887b622f5eadd17fde5bfd20a7bd6ddf5fb789cbf11653bd467f5671
Instruction ID: 8c0911f4e6de77bd1170f9dae3ec88e80253708928f5acac0feeff0dc9849d36
Opcode Fuzzy Hash: 69d06f7f887b622f5eadd17fde5bfd20a7bd6ddf5fb789cbf11653bd467f5671
Instruction Fuzzy Hash: FCD0C2313002189BCA14A67EE508B5A7B9AABC1A25F001125E20487201DFBA9C81C3D0

Function 06BD1450 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4043254937.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76487efcd24752f1a4c9b3f335d1300cc70c0fb1b79e1bf37f7d59fc72448037
Instruction ID: 82577977336d4f2bd889ced26344cafe0ab9a3f42aa244e3d213006d2836f954
Opcode Fuzzy Hash: 76487efcd24752f1a4c9b3f335d1300cc70c0fb1b79e1bf37f7d59fc72448037
Instruction Fuzzy Hash: DDF0F838A406258FC750CF28C899A94BBB1FF4D310F1141E5E50A9B761DB345D81DF00

Function 09525F00 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d921d92a971ac287790b28aa7ae1c346b581b899fa95081d56d65ce81913023b
Instruction ID: cdda7d4a1a72158140b938e337a6e6fa98281ef624ec44cba98901f5ce6674d9
Opcode Fuzzy Hash: d921d92a971ac287790b28aa7ae1c346b581b899fa95081d56d65ce81913023b
Instruction Fuzzy Hash: 1ED017B2A0120DABCB10DEB1A9418AAB3ACEB05111B1005FAAC09C7200FA369E50D6A0

Function 09674BF3 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7affe5a42e2daa1f2786cd37f9ad10522790e54e032cad5b03c312097265dcca
Instruction ID: 2508dc43107cd1b4e698b39bb9243ecc54f295deab1a27ec981dc734bcc3fd3a
Opcode Fuzzy Hash: 7affe5a42e2daa1f2786cd37f9ad10522790e54e032cad5b03c312097265dcca
Instruction Fuzzy Hash: C6E01A35606200CFC704CF10D299B9AB7B3EB89314F6584A4E1054B368DB75ED85CB40

Function 0952A8F0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb2b04ff30e2262ef339063893c385910f8f2665530b07a68ff224b37ed3296b
Instruction ID: eeb9f3eb0edcd0c0e4b8b5450f5674a7f21c3fe6aae90d5fcfc47ac9514105bd
Opcode Fuzzy Hash: cb2b04ff30e2262ef339063893c385910f8f2665530b07a68ff224b37ed3296b
Instruction Fuzzy Hash: C9E01270A0414CEFDB00DFA4E95165DBBF9EF45314F109599D808E7300DE756E019791

Function 09674F3C Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f581b06e7a2ec4afbb842e3396a929896bd7a84043c0da9e77c22badc8b6e3f
Instruction ID: e51ebee33844a1862f126ce334cb1a23c3c846a242fd3e4f5885cf3f17cce43f
Opcode Fuzzy Hash: 0f581b06e7a2ec4afbb842e3396a929896bd7a84043c0da9e77c22badc8b6e3f
Instruction Fuzzy Hash: 41E0C230608204CFD308CF64E64C71AF7A3BBC4300F04C465E00781138CF780806CD22

Function 09674D5F Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42313f120c0e513b2bd1f89a3cdbcbe80c6eea8afcfa7b9cab19b4f9d7183a61
Instruction ID: e0b1faf134bf2787e1cb4fd290b3965ee9c9907b7475fb376a4555cdf9834406
Opcode Fuzzy Hash: 42313f120c0e513b2bd1f89a3cdbcbe80c6eea8afcfa7b9cab19b4f9d7183a61
Instruction Fuzzy Hash: B5D0E234619200CFC3088F14E28CBA9B7B7EB84301F15C576E402862A8DBB8AC84CE44

Function 096759D6 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2eabc7894e07fe24ff8201e6725697b371b275924c0beede323960938aacad4
Instruction ID: b9752d2d5d161528d2e9802a92f9952634f93f3f7cbf83251f87b1197ff05602
Opcode Fuzzy Hash: f2eabc7894e07fe24ff8201e6725697b371b275924c0beede323960938aacad4
Instruction Fuzzy Hash: 2EC012716552906AF7194A346412B77BB6ABBD1720F18C05EF08249658CF2109518B50

Function 0952849B Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1baa10bebe75b85a9c12364378350b70f2556dad0ee8a6ef98a2cbd4ec211be2
Instruction ID: 6fd74f3867e8cc7391615a00ca318a4e98dcb1ad37d2e60e01ce248f50456333
Opcode Fuzzy Hash: 1baa10bebe75b85a9c12364378350b70f2556dad0ee8a6ef98a2cbd4ec211be2
Instruction Fuzzy Hash: BED05E71E021A5CBEB009B22E9547983B20FB46354F064075C446A6284CE380C469B82

Function 0952206D Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8db3ddb4c100bf16d8078ab7053e326a1879b50874fda67defc4cf06ba08f06
Instruction ID: 6cb78fcc29eab153b1379cab113c3f9c4d6591e2bb04b36d33b2aafae2d8ccff
Opcode Fuzzy Hash: b8db3ddb4c100bf16d8078ab7053e326a1879b50874fda67defc4cf06ba08f06
Instruction Fuzzy Hash: A4D0E239914624CFD7A4CB10C884B5573B1BB09360F1181E5E80AA73A0C7306D85CF11

Function 09522B68 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bb20b963c18e7ceea489770fde14181244a98db55312f03804884c201a3f7c9
Instruction ID: 38e4cf67e22f82b317529836353895cf55788e3711bff06c1044018c2990a137
Opcode Fuzzy Hash: 7bb20b963c18e7ceea489770fde14181244a98db55312f03804884c201a3f7c9
Instruction Fuzzy Hash: 5ED09238A04664CFD751DB28C864B897BB2BF4A214F1281D6D9899B371C7306D85CF51

Function 06BD0974 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4043254937.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6bd0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3954a178d30d18167e8b7de8e9285d0b2fa4311bd3975858c3e4321dd6e2a9c
Instruction ID: d570de64fcf0e25e9800aee7fd005a78a120a81acba07e8092fe2ea7fc5fa242
Opcode Fuzzy Hash: a3954a178d30d18167e8b7de8e9285d0b2fa4311bd3975858c3e4321dd6e2a9c
Instruction Fuzzy Hash: 10D0C9B08190159FE7943F60CE55268BAB0EB04311F0410B1E8068E216EA61C8019AC1

Function 09675E0F Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b6ccf39f0791006c74e5844495837ca0ba9cd98e1e5439b670910e94ef55a1d
Instruction ID: 76be0b2590f66fea0dc9729da8defe09c6011f02f8f8db0d5d6749be775b63c8
Opcode Fuzzy Hash: 5b6ccf39f0791006c74e5844495837ca0ba9cd98e1e5439b670910e94ef55a1d
Instruction Fuzzy Hash: 4DD012746004815FD744DB24C0D26D0FF61EF4220CB14C9DDC4D586207DB22A427C784

Function 0952EB40 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d44cb58a219dafb8a9162afda4e8fe4b34de31df62880868f19fc98a7a87e12e
Instruction ID: 93e8decc49ba4b15cae4f9a317842707418ef4520d09330e8698e6cfbd365607
Opcode Fuzzy Hash: d44cb58a219dafb8a9162afda4e8fe4b34de31df62880868f19fc98a7a87e12e
Instruction Fuzzy Hash: F9C0123141C2D58FD306CB349426044BFB0FA4130071508A2D041CA462D7245455C726

Function 0952BDA0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fef028dda2771817862c8685296b072a372cb47e6a2d99b5ece87e19c24c867a
Instruction ID: 9decd314f2518c1ddfce78c3c551b1984cfc1ca6d9d56dba8810e22587ef1bda
Opcode Fuzzy Hash: fef028dda2771817862c8685296b072a372cb47e6a2d99b5ece87e19c24c867a
Instruction Fuzzy Hash: 9EC08C3086D3805FCF43AAA19E2A9003F24AB03300F0500CBA040DD09380A14000EFA2

Function 09525EA7 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 720ddb97337a162dda699960ef07f4423d5f531543b1a7f5e68a42f42431a93e
Instruction ID: aee00cfab6fcbcc01b7c20a96a47cb3473b67e8b1c503b2e767a63ec6c7e4c1e
Opcode Fuzzy Hash: 720ddb97337a162dda699960ef07f4423d5f531543b1a7f5e68a42f42431a93e
Instruction Fuzzy Hash: F3B09237A00019868A00DA88F4404DCBB30DAD4332F004033C201620008620156A8660

Function 09529FB0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53592fbddaae8533e787d1146d96b47ebeba5dd5c566366dc91e9ef3af66a852
Instruction ID: 1e73bf359af67e3f4040fbb50e588011dd4fcc7bf7bd00161430ec9d83ad5f71
Opcode Fuzzy Hash: 53592fbddaae8533e787d1146d96b47ebeba5dd5c566366dc91e9ef3af66a852
Instruction Fuzzy Hash: 3E90223008020C8B8200338038080003B0CE8008003800000A02C000000A0838200080

Non-executed Functions

Function 0952155F Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

v2*, xrefs: 095212B4

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID: v2*
API String ID: 0-216269080
Opcode ID: 15bbafe0e12852838c67899645dcc433308ee09da5152d0d7a5c953f44aac78c
Instruction ID: f7225d6912470671684d349b55393a7b9560d4a10c8e56221d6f29bb1e8409fc
Opcode Fuzzy Hash: 15bbafe0e12852838c67899645dcc433308ee09da5152d0d7a5c953f44aac78c
Instruction Fuzzy Hash: F7510574A05248CFC748CFA9D656BAAB7F1BF49314F50816AE51ACB391DB38AD49CF00

Function 095213D3 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

v2*, xrefs: 095212B4

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID: v2*
API String ID: 0-216269080
Opcode ID: 3d3933ff751c5626f0cfb6a0699631fae6000934bef261672aaf2803bfe3f118
Instruction ID: f18ac864b095e62c4130939948e691029c129c456d104627c642df65c879f41b
Opcode Fuzzy Hash: 3d3933ff751c5626f0cfb6a0699631fae6000934bef261672aaf2803bfe3f118
Instruction Fuzzy Hash: 55510574A05248CFC748CF69E656BAAB7F1FB49314F50816AE51ACB791DB38AD48CF00

Function 09521305 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

v2*, xrefs: 095212B4

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID: v2*
API String ID: 0-216269080
Opcode ID: bdfc3ce965cd4b980f21abb39900462f9eee118c78e9d0fb68e7f8cc4ee1fa9e
Instruction ID: f22057ca9fa16395757189ba299c52111e9c24a066327fd8fda0dc8caba8c1fc
Opcode Fuzzy Hash: bdfc3ce965cd4b980f21abb39900462f9eee118c78e9d0fb68e7f8cc4ee1fa9e
Instruction Fuzzy Hash: 61512974A05248CFC748CF69D656BAAB7F2FB49314F508169E81ADB791DB38AD48CF00

Function 09521464 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

v2*, xrefs: 095212B4

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID: v2*
API String ID: 0-216269080
Opcode ID: 06a19c18a03ae79706347888b95c34048fac63851c9f91a837094f617d994aee
Instruction ID: 59265510cd2a4f33569737e79b5d28720acee34ef56560c1022efa70735fdf31
Opcode Fuzzy Hash: 06a19c18a03ae79706347888b95c34048fac63851c9f91a837094f617d994aee
Instruction Fuzzy Hash: 38511974A05648CFC748CF69E656BAAB7F1FB49304F50816AE91ACB791DB38AD44CF00

Function 095216BA Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

v2*, xrefs: 095212B4

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID: v2*
API String ID: 0-216269080
Opcode ID: 8f7ddb4a1443194ab9d7dc7a90f2834ca9b2106e6ff1deaa0d8811eb421a0901
Instruction ID: 0a18eb56ff570d48d22c16b4042e6ab45a597316c997a5bea42cb96399af25cf
Opcode Fuzzy Hash: 8f7ddb4a1443194ab9d7dc7a90f2834ca9b2106e6ff1deaa0d8811eb421a0901
Instruction Fuzzy Hash: 42512774A05248CFDB48CF69D656BAEB7F2BB49314F508069E41ADB391DB38AD48CF00

Function 095210F0 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

v2*, xrefs: 095212B4

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID: v2*
API String ID: 0-216269080
Opcode ID: 9d409ee9f791b57453becf8a71d1f4a0c34e14ccdc2e56763e454f8c5d31949c
Instruction ID: 40507fa92a63e70bc2da23fe05a3371db6b0a58a27b7abdf02862278179b07c8
Opcode Fuzzy Hash: 9d409ee9f791b57453becf8a71d1f4a0c34e14ccdc2e56763e454f8c5d31949c
Instruction Fuzzy Hash: 37414874A04248CFDB48CF69D656BAEB7F2BB49314F508069E91ADB391DB38AD44CF00

Function 0952112B Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

v2*, xrefs: 095212B4

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID: v2*
API String ID: 0-216269080
Opcode ID: 2e2a43a0209cdaf41864fde8b015febeb60daddc1a815d88df6f73ee014d968f
Instruction ID: 49535a050b167d985e7384ad51d1782405ffd5da0e4221a6c417a8d76bd29333
Opcode Fuzzy Hash: 2e2a43a0209cdaf41864fde8b015febeb60daddc1a815d88df6f73ee014d968f
Instruction Fuzzy Hash: 2E413774A04248CFDB48CF69E556AAEB7F1FB49314F508069E41ADB390DB38AD45CF00

Function 095214F1 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

v2*, xrefs: 095212B4

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID: v2*
API String ID: 0-216269080
Opcode ID: a3d3acc01fcd46225ac67a35d5ce995fb3f4d1132bc278474eb40d01c72f7661
Instruction ID: fe6ebb575cee462e697d2542112680431e6830cc6330fd3043e8f79f25572049
Opcode Fuzzy Hash: a3d3acc01fcd46225ac67a35d5ce995fb3f4d1132bc278474eb40d01c72f7661
Instruction Fuzzy Hash: 55415A74A05648CFC748CF69D656BAAB7F1BF49314F5080AAE41ACB791DB38AD48CF00

Function 09521254 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

v2*, xrefs: 095212B4

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID: v2*
API String ID: 0-216269080
Opcode ID: 0b4943795b36d34d5be4281189e898f6c63304e418ff6446399a4d2b53fc9c44
Instruction ID: d51222c5fc24b23914fb3c1ef7cd8f11bd2223ce4e14dc4ed9912b02ff7d96f6
Opcode Fuzzy Hash: 0b4943795b36d34d5be4281189e898f6c63304e418ff6446399a4d2b53fc9c44
Instruction Fuzzy Hash: F5413A74A05648CFDB48CF69D656BAAB7F1BF49314F508069E41ACB791DB38AD48CF00

Function 095211D0 Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

v2*, xrefs: 095212B4

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID: v2*
API String ID: 0-216269080
Opcode ID: 45f4c1d87fc4298e83cb03f6ff7af40b4162cc25419fd3880526f322b7bfa903
Instruction ID: 5567f543f11010bd200b832da4b601d9a90f576fda98cbd03e6e84ce7b297b38
Opcode Fuzzy Hash: 45f4c1d87fc4298e83cb03f6ff7af40b4162cc25419fd3880526f322b7bfa903
Instruction Fuzzy Hash: B3411974A05648CFCB48CF69D656BAEB7F1BB49314F50806AE51ACB791DB38AD48CF00

Function 096AD8F0 Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044235664.00000000096A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 096A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_96a0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd5dab30baffdda68b312699017ac206506aa0a733ac65627a44febb4fc8a2ea
Instruction ID: 8de3c7ac3aa2f575cce41006a9efda5fc1f61926ffaccab419ff198853d59b07
Opcode Fuzzy Hash: bd5dab30baffdda68b312699017ac206506aa0a733ac65627a44febb4fc8a2ea
Instruction Fuzzy Hash: 6BF15674B006168FDB09DF69C4A467EFBF2BF88304F648529E55697790CB34AD42CB90

Function 0952E350 Relevance: .4, Instructions: 372COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c6ee60901a0eeb5b7810655a90d1e28932128abaca353a80b8b5c1df571f524
Instruction ID: 2b939df9320b1dc07859ec65971ee224719610596355cda0cacf4f0d9072d465
Opcode Fuzzy Hash: 2c6ee60901a0eeb5b7810655a90d1e28932128abaca353a80b8b5c1df571f524
Instruction Fuzzy Hash: 40E15D34A00255CFDB15CF69C585A6DBBF2BF89310F6984A9E805EB3A1DB34EC46CB50

Function 09671BB8 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044219749.0000000009670000.00000040.00000800.00020000.00000000.sdmp, Offset: 09670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9670000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30675fde10e024cf117d7ed0f012d2ae13b6da5aba2a45207b351a294926351a
Instruction ID: 0842054e316bd39a347898c6af00c19702492da5cab42b698e0902ccfc37e4c6
Opcode Fuzzy Hash: 30675fde10e024cf117d7ed0f012d2ae13b6da5aba2a45207b351a294926351a
Instruction Fuzzy Hash: CFB12770E043098FDB14CFA9C8857AEFBF2AF89714F15812AE815A7394EB749845CF81

Function 0952A71F Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5f91c84a57f0deb421bd482b3669c60429ca0ff9963d1f6336fd4d3e43ef90f
Instruction ID: 992c105e4ba640b279be78f90c4bb5621ffecf8c27a2a34be0c7a793b6a9e339
Opcode Fuzzy Hash: d5f91c84a57f0deb421bd482b3669c60429ca0ff9963d1f6336fd4d3e43ef90f
Instruction Fuzzy Hash: A44169366142A0CFC619EF78E8D55C5BFA0FFAA310B49245AC2998F112DB71A425CFC9

Function 09523D08 Relevance: 7.7, Strings: 6, Instructions: 151COMMON

Download Yara Rule

Strings

Rq=, xrefs: 09523E21
RN=, xrefs: 09523E31
R)=, xrefs: 09523E4D
R)=, xrefs: 09523E39
R)=, xrefs: 09523E41
R)=, xrefs: 09523E15

Memory Dump Source

Source File: 00000005.00000002.4044093454.0000000009520000.00000040.00000800.00020000.00000000.sdmp, Offset: 09520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9520000_csc.jbxd

Similarity

API ID:
String ID: R)=$R)=$R)=$R)=$RN=$Rq=
API String ID: 0-401994086
Opcode ID: ef2874eb5c452b790d90fe50865c57af9e5cc65443982009befd9195e92f6f2c
Instruction ID: 0e66eab823c936a6aa7f5075f15f256c057fbc786b69cc1d604ba101269e315f
Opcode Fuzzy Hash: ef2874eb5c452b790d90fe50865c57af9e5cc65443982009befd9195e92f6f2c
Instruction Fuzzy Hash: 945172353152109FD748AF3BC49496ABBB6FF86B5475648AEE206CB2B1CB34DC018B51

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ReaderPDFadobe.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
ReaderPDFadobe.exe

Function 096AEEB8 Relevance: 1.6, APIs: 1, Instructions: 144
COMMON

Function 096A07C8 Relevance: .6, Instructions: 553
COMMON

Function 0509C1D8 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Function 0509C388 Relevance: 1.3, APIs: 1, Instructions: 49
COMMON