Edit tour

Windows Analysis Report
PDFONLINE.exe

Overview

General Information

Sample name:	PDFONLINE.exe
Analysis ID:	1587451
MD5:	8268f8ad872d9ca06152019676fbe0bf
SHA1:	4ad8baab93a10ced110b768a4c4cfa054262293e
SHA256:	423612aa03d476e3a3d7b21d7daf3fae2a9a5d7b6c2097961ca2df5e38958e79
Tags:	exeuser-zhuzhu0009
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Allocates memory in foreign processes

Drops large PE files

Injects a PE file into a foreign processes

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

PDFONLINE.exe (PID: 7824 cmdline: "C:\Users\user\Desktop\PDFONLINE.exe" MD5: 8268F8AD872D9CA06152019676FBE0BF)

csc.exe (PID: 8064 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.3221350130.0000000009880000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000003.00000002.3221125321.0000000008471000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000003.00000002.3220733277.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: csc.exe PID: 8064	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.csc.exe.9880000.3.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
3.2.csc.exe.84f6728.2.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\Favorites\StormyFierce\Bin\Enchanted.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\PDFONLINE.exe, ProcessId: 7824, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StormyFierce

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: PDFONLINE.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: PDFONLINE.exe	Virustotal: Detection: 63%			Perma Link
Source: PDFONLINE.exe	ReversingLabs: Detection: 65%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Source: PDFONLINE.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source:	Binary string: Dsicg.pdb source: csc.exe, 00000003.00000002.3220609295.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1773703595.000000000856C000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1773703595.000000000874E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: csc.exe, 00000003.00000002.3221386994.00000000098E0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1773703595.0000000008885000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1773703595.000000000874E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: csc.exe, 00000003.00000002.3221386994.00000000098E0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1773703595.0000000008885000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1773703595.000000000874E000.00000004.00000800.00020000.00000000.sdmp

Source: global traffic

TCP traffic: 192.168.2.10:49866 -> 181.71.216.203:30203

Source: Joe Sandbox View

IP Address: 181.71.216.203 181.71.216.203

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: newstaticfreepoint24.ddns-ip.net

Source: csc.exe, 00000003.00000002.3220733277.0000000007365000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3220733277.0000000007529000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3220733277.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: csc.exe, 00000003.00000002.3221386994.00000000098E0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1773703595.0000000008885000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1773703595.000000000874E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: csc.exe, 00000003.00000002.3221386994.00000000098E0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1773703595.0000000008885000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1773703595.000000000874E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: csc.exe, 00000003.00000002.3221386994.00000000098E0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1773703595.0000000008885000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1773703595.000000000874E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: csc.exe, 00000003.00000002.3221386994.00000000098E0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1773703595.0000000008885000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1773703595.000000000874E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: csc.exe, 00000003.00000002.3221386994.00000000098E0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000002.3220733277.00000000072D1000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1773703595.0000000008885000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1773703595.000000000874E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: csc.exe, 00000003.00000002.3221386994.00000000098E0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1773703595.0000000008885000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1773703595.000000000874E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: PDFONLINE.exe

Binary or memory string: GetRawInputData

System Summary

Drops large PE files

Source: C:\Users\user\Desktop\PDFONLINE.exe

File dump: Enchanted.exe.0.dr 959567731

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_05083C88	3_2_05083C88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_05083C83	3_2_05083C83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E7F078	3_2_06E7F078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E70990	3_2_06E70990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E7DAB2	3_2_06E7DAB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E7F068	3_2_06E7F068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E80F08	3_2_06E80F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E855E0	3_2_06E855E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E8D28F	3_2_06E8D28F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E80EF7	3_2_06E80EF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E80FB4	3_2_06E80FB4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E80F43	3_2_06E80F43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E8570C	3_2_06E8570C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E81474	3_2_06E81474
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E8D5C7	3_2_06E8D5C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E855D1	3_2_06E855D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E83526	3_2_06E83526
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E812C2	3_2_06E812C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E8123C	3_2_06E8123C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E84BE8	3_2_06E84BE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E813FF	3_2_06E813FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E84BD9	3_2_06E84BD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E8138C	3_2_06E8138C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E8E338	3_2_06E8E338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E810C0	3_2_06E810C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06EB1BE0	3_2_06EB1BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06EB27F8	3_2_06EB27F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06EB6FC0	3_2_06EB6FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06EB38E0	3_2_06EB38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06EB4148	3_2_06EB4148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06EB42E7	3_2_06EB42E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06EB73F2	3_2_06EB73F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06EB1F28	3_2_06EB1F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06EB38D1	3_2_06EB38D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06EB413A	3_2_06EB413A

Source: PDFONLINE.exe, 00000000.00000002.1577914679.0000000000D6C000.00000040.00001000.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameTwseeloebf.exe" vs PDFONLINE.exe

Source: PDFONLINE.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: classification engine

Classification label: mal84.evad.winEXE@3/1@1/1

Source: C:\Users\user\Desktop\PDFONLINE.exe

File created: C:\Users\user\Favorites\StormyFierce

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Mutant created: \Sessions\1\BaseNamedObjects\mono1234

Source: PDFONLINE.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\PDFONLINE.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PDFONLINE.exe	Virustotal: Detection: 63%
Source: PDFONLINE.exe	ReversingLabs: Detection: 65%

Source: PDFONLINE.exe	String found in binary or memory: Transmit Start/Stop
Source: PDFONLINE.exe	String found in binary or memory: Transmit Start/Stop
Source: PDFONLINE.exe	String found in binary or memory: Application Launch Contacts/Addressbook

Source: C:\Users\user\Desktop\PDFONLINE.exe

File read: C:\Users\user\Desktop\PDFONLINE.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PDFONLINE.exe "C:\Users\user\Desktop\PDFONLINE.exe"
Source: C:\Users\user\Desktop\PDFONLINE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\Desktop\PDFONLINE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PDFONLINE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFONLINE.exe	Section loaded: crowdstrikeceoisextragay.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFONLINE.exe	Section loaded: sentinelisabadedrtrynexttimemaybe.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFONLINE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFONLINE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: PDFONLINE.exe

Static file information: File size 4623872 > 1048576

Source: PDFONLINE.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x3c9000

Source:	Binary string: Dsicg.pdb source: csc.exe, 00000003.00000002.3220609295.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1773703595.000000000856C000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1773703595.000000000874E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: csc.exe, 00000003.00000002.3221386994.00000000098E0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1773703595.0000000008885000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1773703595.000000000874E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: csc.exe, 00000003.00000002.3221386994.00000000098E0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1773703595.0000000008885000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1773703595.000000000874E000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Yara detected Costura Assembly Loader

Source: Yara match	File source: 3.2.csc.exe.9880000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.csc.exe.84f6728.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3221350130.0000000009880000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3221125321.0000000008471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3220733277.00000000072D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: csc.exe PID: 8064, type: MEMORYSTR

Source: C:\Users\user\Desktop\PDFONLINE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\Desktop\PDFONLINE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"			Jump to behavior

Source: PDFONLINE.exe

Static PE information: real checksum: 0xe0dfb should be: 0x46b46e

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_05084069 push 0006DD91h; retf	3_2_05084075
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_05086D28 pushfd ; ret	3_2_05086D29
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E356F0 push E806DE26h; iretd	3_2_06E356F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E3742F pushad ; retf	3_2_06E37437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E310B9 push es; iretd	3_2_06E310CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E30890 push es; iretd	3_2_06E310CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E76659 push ebx; retf	3_2_06E7665A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E7CA70 pushad ; iretd	3_2_06E7CA71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E89EC9 push eax; retf	3_2_06E89ECD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E83442 push es; ret	3_2_06E83458
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E89DE9 push 1406E583h; retf	3_2_06E89DF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E89DA2 push es; iretd	3_2_06E89DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E89D79 push es; iretd	3_2_06E89DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E89509 push es; retf	3_2_06E89517
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E84BA0 push 5D6B42D1h; ret	3_2_06E84BB9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E89B05 push es; retf	3_2_06E89B10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E89842 push es; iretd	3_2_06E89848
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06E8C900 push es; ret	3_2_06E8C9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_06EB5957 push es; retf	3_2_06EB5958

Source: C:\Users\user\Desktop\PDFONLINE.exe

File created: C:\Users\user\Favorites\StormyFierce\Bin\Enchanted.exe

Jump to dropped file

Source: C:\Users\user\Desktop\PDFONLINE.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run StormyFierce			Jump to behavior
Source: C:\Users\user\Desktop\PDFONLINE.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run StormyFierce			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Memory allocated: 5080000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Memory allocated: 72D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Memory allocated: 6CD0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 524000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\PDFONLINE.exe

Dropped PE file which has not been started: C:\Users\user\Favorites\StormyFierce\Bin\Enchanted.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 8124	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 8124	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 5872	Thread sleep count: 68 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 5872	Thread sleep count: 130 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 8068	Thread sleep time: -524000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 8124	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 524000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: csc.exe, 00000003.00000002.3221483756.0000000009B68000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Code function: 3_2_06E7F2C0 LdrInitializeThunk,

3_2_06E7F2C0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\PDFONLINE.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\PDFONLINE.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 4A60000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\PDFONLINE.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 4A60000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\PDFONLINE.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 4A60000			Jump to behavior
Source: C:\Users\user\Desktop\PDFONLINE.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 4C0D008			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe VolumeInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: csc.exe, 00000003.00000002.3221483756.0000000009B68000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3219832613.000000000517A000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3219832613.00000000050C6000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1557602545.0000000009B31000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	131 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	31 Process Injection	1 Masquerading	11 Input Capture	131 Security Software Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	11 Disable or Modify Tools	LSASS Memory	141 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	141 Virtualization/Sandbox Evasion	Security Account Manager	123 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	31 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PDFONLINE.exe	64%	Virustotal		Browse
PDFONLINE.exe	66%	ReversingLabs	Win32.Trojan.Leonem
PDFONLINE.exe	100%	Avira	HEUR/AGEN.1356008

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		high
newstaticfreepoint24.ddns-ip.net	181.71.216.203	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://github.com/mgravell/protobuf-net	csc.exe, 00000003.00000002.3221386994.00000000098E0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1773703595.0000000008885000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1773703595.000000000874E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-neti	csc.exe, 00000003.00000002.3221386994.00000000098E0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1773703595.0000000008885000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1773703595.000000000874E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/14436606/23354	csc.exe, 00000003.00000002.3221386994.00000000098E0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000002.3220733277.00000000072D1000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1773703595.0000000008885000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1773703595.000000000874E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-netJ	csc.exe, 00000003.00000002.3221386994.00000000098E0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1773703595.0000000008885000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1773703595.000000000874E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	csc.exe, 00000003.00000002.3220733277.0000000007365000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3220733277.0000000007529000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3220733277.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	csc.exe, 00000003.00000002.3221386994.00000000098E0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1773703595.0000000008885000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1773703595.000000000874E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/2152978/23354	csc.exe, 00000003.00000002.3221386994.00000000098E0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1773703595.0000000008885000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1773703595.000000000874E000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
181.71.216.203	newstaticfreepoint24.ddns-ip.net	Colombia		27831	ColombiaMovilCO	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587451
Start date and time:	2025-01-10 12:01:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PDFONLINE.exe
Detection:	MAL
Classification:	mal84.evad.winEXE@3/1@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 81% Number of executed functions: 155 Number of non-executed functions: 7
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.109.210.53, 4.245.163.56
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target PDFONLINE.exe, PID 7824 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:02:27	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run StormyFierce C:\Users\user\Favorites\StormyFierce\Bin\Enchanted.exe
12:02:35	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run StormyFierce C:\Users\user\Favorites\StormyFierce\Bin\Enchanted.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
181.71.216.203	ReaderPDFadobe.exe	Get hash	malicious	Unknown	Browse
	ReaderPDFadobe.exe	Get hash	malicious	Unknown	Browse
	MicrosoftWORD.exe	Get hash	malicious	Unknown	Browse
	MicrosoftOfficeWord.exe	Get hash	malicious	Unknown	Browse
	AdobePDF.exe	Get hash	malicious	Unknown	Browse
	AdobeReaderPDFonline.exe	Get hash	malicious	Unknown	Browse
	MicrosoftWORD.exe	Get hash	malicious	Unknown	Browse
	PDFonlineseguro.exe	Get hash	malicious	Unknown	Browse
	MicrosoftOfficeWord.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	OTTIMAX RFQ BID1122263.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.45
	Quarantined Messages(3).zip	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	PortugalForum_nopump.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	filename.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
	https://form.fillout.com/t/emEtLm993dus	Get hash	malicious	Unknown	Browse	13.107.246.45
	Invoice_R6GPN23V_TransactionSuccess.html.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://email.analystratings.net/ls/click?upn=u001.WeKo-2BCuHku2kJmVIsYmGxteRO-2BqdkFdZns7E8OZ0trgZRhaAY0f4dRd5bGXo8w1-2B5SPZj6mt6bkINmYNA1f4blf-2F2qp6pSrdQgqdtKPVZlFfsGiBd9L9S-2BVNmfUTaZ-2Bp0zWbjdQ23pm6OHkVsvPYDi1myQ0pU4BHbfSebmhjQAIDDVMgAvG7Znw7Pr8RLFA8HEKUDF6j4JiiZ3slfATgGRu3-2BdlWbffHNdZW8UBc7QW6Nxd08b90zhz6-2FhInZrSp1J-2Fh9yU6gsolKI10c6pp1uA-2FrYRI2h9aMn65O5NvFrP-2Fc-2BjlCyvznYBIXNfkBGEguSmRbREbgogGbx0CjJc9kfZpcF-2F4T3W7floa7RxJ5-2BKjbFDYD7FnGxTCmOAt-2BDLn5J0y5KvJMT3qFWKyQo5DJ5ru0B7ksJyMiI6L18xz5XP2GRtxbC7dwfszL4xopys7uMk6wzOFXTrTU9jYi2ZvQxqCtOzUddy1WGVe8msfQF8x3k3Ejw4p6mGzrKR8wOZXnO3uVw5n8j0tNkc31-2F1y7FsWAGygTmAHNV4DJiUXG3-2Foq61jCXRLG1PMMCZ97ToDeMjE9XjfX-2Bb4NXrzqR3tgw-3D-3DwyWG_tUVFAbhJxF44ufbifaYzyYApcQooCC4WsuZoiwe419Oh5WFVYobMs1ROnIPWGGcLQ6-2Bsxhj60Ehn0XDEyVD6MCEZ1gioYU2lwgwkCuP2dHRX-2FYdZnQ31dEdwKW37GtXYj9HmZ1F0YrZWwSELmaO5K7noqwYAhu2QGcGqOtQYdjShoJMVTWOe6BTzZXQxib8Y6rd4SX-2BUwZMt-2BbgPIpal6PcS8i4PCSiFy8RF-2Ftt22Wpj713n23BIU6an4375YDP3	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://email.analystratings.net/ls/click?upn=u001.WeKo-2BCuHku2kJmVIsYmGxteRO-2BqdkFdZns7E8OZ0trgZRhaAY0f4dRd5bGXo8w1-2B5SPZj6mt6bkINmYNA1f4blf-2F2qp6pSrdQgqdtKPVZlFfsGiBd9L9S-2BVNmfUTaZ-2BpuOeo6wXhYyQnN5Dmhl9EwD4jJy2QucAxD5PJ8TFaAtq5-2Fa2JLywFyD22uAsFmhYjQLp65IuicFXReMolU22hvgQ-2B1S2bacC3gnzhuRxI8SAkOsPFFxOcYEiSSZTqVyp3m1OxPmLRrTi1o5-2FZom3YCyV1EUto77Rrvablg0dLCkGGW0ncnt-2B7IgK6LBBZRD7ITvGmpDjZtTYsz0I1qKiLzZdNfmubxarfJC5-2BcEqOw-2Ft-2FbdrugnVMUWHAHioUxjwvqr4QWKZSVt-2BeoNRvP2Adsk-2FRWXyTy-2FNsOG5tm8W5iiSHTNAe6b2ve-2F-2FMif4OPRLC2jk2zIHDBodMQqimJe7S-2B0c0a6VcurrTf-2BSSIJw1siTQylKaBjy96o6v7aWNACMPOJmDH5ybp8Hfg60OUEGx1ZLebRMpxX9k9AP7u40PlQ7YN0etELZUsiTbXY4PcX2P96RfnnTH8k4gdprbyM68BwIDNXqkSpWupXgXawXvLifC6eFYgMzHs5EFbgb5u6HEHo2__tUVFAbhJxF44ufbifaYzyYApcQooCC4WsuZoiwe419Oh5WFVYobMs1ROnIPWGGcL7zwYzcSR3guHWoKhXDu5EQ7SXJZpci4hCmpp1REa7W1YXEAS6JqnE9LrlFK998LZ271LMIRubQetxBOsHxh3FfsHQej0U45DqU0JnGYKUA9waD6Ny-2BL9vchurlVMDvBupSQHaqHAKs87lmzkMbvNLGI-2BMPx7o1UJrTBuhk-2BVx-2FdFVsZL4Uf2HUcBJTS73hyi	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://email.analystratings.net/ls/click?upn=u001.WeKo-2BCuHku2kJmVIsYmGxteRO-2BqdkFdZns7E8OZ0trgZRhaAY0f4dRd5bGXo8w1-2B5SPZj6mt6bkINmYNA1f4blf-2F2qp6pSrdQgqdtKPVZlFfsGiBd9L9S-2BVNmfUTaZ-2Bp0zWbjdQ23pm6OHkVsvPYDi1myQ0pU4BHbfSebmhjQAIDDVMgAvG7Znw7Pr8RLFA8HEKUDF6j4JiiZ3slfATgGRu3-2BdlWbffHNdZW8UBc7QW6Nxd08b90zhz6-2FhInZrSp1J-2Fh9yU6gsolKI10c6pp1uA-2FrYRI2h9aMn65O5NvFrP-2Fc-2BjlCyvznYBIXNfkBGEguSmRbREbgogGbx0CjJc9kfZpcF-2F4T3W7floa7RxJ5-2BKjbFDYD7FnGxTCmOAt-2BDLn5J0y5KvJMT3qFWKyQo5DJ5ru0B7ksJyMiI6L18xz5XP2GRtxbC7dwfszL4xopys7uMk6wzOFXTrTU9jYi2ZvQxqCtOzUddy1WGVe8msfQF8x3k3Ejw4p6mGzrKR8wOZXnO3uVw5n8j0tNkc31-2F1y7FsWAGygTmAHNV4DJiUXG3-2Foq61jCXRLG1PMMCZ97ToDeMjE9XjfX-2Bb4NXrzqR3tgw-3D-3DrgFz_tUVFAbhJxF44ufbifaYzyYApcQooCC4WsuZoiwe419Oh5WFVYobMs1ROnIPWGGcLui8UPBZcrEcBQ64UpH2s9-2FDpSu9qfcgYFRQKTYsD5OOP7p7kgdevUOf60UO0BtzRorOOVdIMlEbf0g38VGeCmtkP8At2J-2BxKEtoZ2O48KqLdUMGUmxH4Esb-2BPRc25uZJoq4Qo0YWw9j31285luIdhLwnz-2B9RfofSABy36tB5aPmDcVeLn5C5N5AJkqjfepa6	Get hash	malicious	Unknown	Browse	13.107.246.45
newstaticfreepoint24.ddns-ip.net	ReaderPDFadobe.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	ReaderPDFadobe.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	MicrosoftWORD.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	MicrosoftOfficeWord.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	AdobePDF.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	AdobeReaderPDFonline.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	MicrosoftWORD.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	PDFonlineseguro.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	MicrosoftOfficeWord.exe	Get hash	malicious	Unknown	Browse	181.71.216.203

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ColombiaMovilCO	ReaderPDFadobe.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	ReaderPDFadobe.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	MicrosoftWORD.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	MicrosoftOfficeWord.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	AdobePDF.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	AdobeReaderPDFonline.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	MicrosoftWORD.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	PDFonlineseguro.exe	Get hash	malicious	Unknown	Browse	181.71.216.203
	MicrosoftOfficeWord.exe	Get hash	malicious	Unknown	Browse	181.71.216.203

Process:	C:\Users\user\Desktop\PDFONLINE.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	959567731
Entropy (8bit):	0.0652813896429866
Encrypted:	false
SSDEEP:
MD5:	F56CC7221C1047EE75D1F3B5564C2532
SHA1:	1DF2E795FEA113FAA56489893F1F0759E3C60282
SHA-256:	597AC5A2438E6E81D6605055FC4264689BFBFABC684322571C3B8980C26F4410
SHA-512:	F3A197684EA2E7FD74BDAE825A0F6EDAE3D23E893BA066FBDEEB8B44CE7C833A1F9FB9221C08EAB2A89A85E58EB6C02CA2C7FE2800CA538D4776EB904C326044
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...9Y J...............8......F..v................@..........................0Q............... ..............................p...".......<.............@............................................................................................text...............................`.P`.data...l...........................@.`..rdata..@...........................@.`@.bss.....t............................@..idata..."...p...$..................@.0..rsrc....<.......<.................@.0.................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.298308694296775
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00%
File name:	PDFONLINE.exe
File size:	4'623'872 bytes
MD5:	8268f8ad872d9ca06152019676fbe0bf
SHA1:	4ad8baab93a10ced110b768a4c4cfa054262293e
SHA256:	423612aa03d476e3a3d7b21d7daf3fae2a9a5d7b6c2097961ca2df5e38958e79
SHA512:	6f61224c28cd91735dafd8e24a65497c3cfef2c42742318defc5f1cf1f596128c43dc903741b0aa595fd660c06bb8f899afdc67c56b1cfc88a97b615e9b3a546
SSDEEP:	49152:B02lJK8pPNTM7Pn8keVBA8gDzh1WCrkpVgrZk1eDPPzxRjRz:/tRM7cBezWskp2rO1eD9RjRz
TLSH:	552639B5D443CC06D86B09BFE02AE8FC51163EB5E01BA53B6689FE1F727329110D8997
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...9Y J...............8......F..v................@..........................0Q............... ............................

File Icon


Icon Hash:	0316165c38300009

Static PE Info

General

Entrypoint:	0x4012a0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:
Time Stamp:	0x4A205939 [Fri May 29 21:52:57 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f539b8cfd7163416a01a457780573bcc

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 08h
mov dword ptr [esp], 00000002h
inc eax
inc ebx
call 00007FF640506481h
cwde

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x147000	0x22a8	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14a000	0x3c8ed8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xd9c00	0xd40	.bss
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2fba4	0x2fc00	f3a19dd5351a46ffd4a68fd24142272c	False	0.5039164757853403	data	6.419425852354698	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x31000	0x1be6c	0x1c000	2573c1642aa463c4bc52f58b5f546e74	False	0.23196847098214285	data	3.5614541661296633	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x4d000	0x51840	0x51a00	88526616148575c822f3e50ea377b0a0	False	0.35188253732771824	data	5.692765508385372	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0x9f000	0xa7498	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x147000	0x22a8	0x2400	4fade12cc973756fc00928df13bc15b5	False	0.3541666666666667	data	5.3115523582028406	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x14a000	0x3c8ed8	0x3c9000	d0a75d3fa91d5dc4368cb201edca1889	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x14a900	0x25ac	data			0.24865201161343842
RT_CURSOR	0x14ceac	0x2ec	data			0.5133689839572193
RT_BITMAP	0x14d198	0x4a6c	PC bitmap, Windows 3.x format, 3157 x 2 x 39, image size 19635, cbSize 19052, bits offset 54			0.9246798236405627
RT_BITMAP	0x151c04	0x23f28	Device independent bitmap graphic, 920 x 40 x 32, image size 147200, resolution 3503 x 3503 px/m			0.22595082857919044
RT_BITMAP	0x175b2c	0x19f98	Device independent bitmap graphic, 782 x 34 x 32, image size 106352, resolution 3543 x 3543 px/m			0.17136626814046169
RT_BITMAP	0x18fac4	0x84800	PC bitmap, Windows 3.x format, 67983 x 2 x 38, image size 542879, cbSize 542720, bits offset 54			0.9938955630896227
RT_BITMAP	0x2142c4	0x3106e	Device independent bitmap graphic, 571 x 117 x 24, image size 200774, resolution 2834 x 2834 px/m	English	United States	0.10916569561883135
RT_ICON	0x245334	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584			0.10497752277298
RT_ICON	0x255b5c	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 0			0.33982306121845135
RT_ICON	0x297b84	0x1ae8	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9520905923344948
RT_ICON	0x29966c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.16130705394190872
RT_ICON	0x29bc14	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.21177298311444653
RT_ICON	0x29ccbc	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	English	United States	0.3168032786885246
RT_ICON	0x29d644	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.4175531914893617
RT_ICON	0x29daac	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.21083489681050657
RT_ICON	0x29eb54	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	English	United States	0.34672131147540985
RT_ICON	0x29f4dc	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.38652482269503546
RT_MENU	0x29f944	0xd62	data			0.4349095154699358
RT_MENU	0x2a06a8	0x7e	data	English	United States	0.6746031746031746
RT_DIALOG	0x2a0728	0x3e8	data			0.714
RT_DIALOG	0x2a0b10	0x336	data			0.6545012165450121
RT_DIALOG	0x2a0e48	0x118	data	English	United States	0.6392857142857142
RT_DIALOG	0x2a0f60	0x2f0	data	English	United States	0.4747340425531915
RT_DIALOG	0x2a1250	0x146	data	English	United States	0.6533742331288344
RT_RCDATA	0x2a1398	0x9c27a	Delphi compiled form 'TdmMain'			0.24911274057628868
RT_RCDATA	0x33d614	0x46d3b	Delphi compiled form 'TfHint'			0.2587700400197169
RT_RCDATA	0x384350	0xf7ece	Delphi compiled form 'TfPNGMessage'			0.11165807649812605
RT_RCDATA	0x47c220	0x136fe	Delphi compiled form '\016TfrmAutoTuning'			0.6008490968925063
RT_RCDATA	0x48f920	0x20b55	Delphi compiled form 'TMainForm'			0.4496726952445642
RT_RCDATA	0x4b0478	0x5fd99	Delphi compiled form '\023TOperationModeFrame\022OperationModeFrame'			0.5496929452548516
RT_MESSAGETABLE	0x510214	0x2840	data			0.31570263975155277
RT_GROUP_ICON	0x512a54	0x4c	data	English	United States	0.7894736842105263
RT_GROUP_ICON	0x512aa0	0x30	data	English	United States	0.9583333333333334
RT_VERSION	0x512ad0	0x284	data	English	United States	0.4549689440993789
RT_MANIFEST	0x512d54	0x181	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.6623376623376623

Imports

DLL	Import
ADVAPI32.DLL	CloseServiceHandle, ControlService, CreateServiceA, DeleteService, InitializeSecurityDescriptor, OpenSCManagerA, OpenServiceA, QueryServiceStatus, RegCloseKey, RegCreateKeyA, RegDeleteKeyA, RegOpenKeyA, RegQueryValueExA, RegSetValueExA, SetSecurityDescriptorDacl, StartServiceA
COMCTL32.DLL	InitCommonControlsEx
GDI32.dll	BitBlt, CombineRgn, CreateCompatibleDC, CreateDCA, CreateDIBSection, CreateFontA, CreateRectRgn, CreateSolidBrush, DeleteDC, DeleteObject, ExtCreateRegion, GdiFlush, GetDIBits, GetObjectA, GetRegionData, SelectObject, SetBkColor, SetBkMode, SetDIBits, SetTextColor
IMAGEHLP.DLL	ImageLoad, ImageUnload, ReBaseImage
KERNEL32.dll	AddAtomA, AddVectoredExceptionHandler, CloseHandle, CreateFileA, CreateFileMappingA, CreateMutexA, CreateProcessA, CreateThread, CreateToolhelp32Snapshot, DeviceIoControl, ExitProcess, FindAtomA, FindClose, FindFirstFileA, FindNextFileA, FormatMessageA, FreeLibrary, GetAtomNameA, GetComputerNameA, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetDllDirectoryA, GetFileSize, GetLastError, GetModuleFileNameA, GetModuleHandleA, GetProcAddress, GetSystemTime, GetSystemTimes, GetVersionExA, GlobalAlloc, GlobalLock, GlobalMemoryStatus, GlobalUnlock, LoadLibraryA, LoadLibraryExA, MapViewOfFile, Module32First, Module32Next, MultiByteToWideChar, OpenFileMappingA, OpenMutexA, OpenProcess, Process32First, Process32Next, ReadFile, ReadProcessMemory, RemoveVectoredExceptionHandler, ResumeThread, SetDllDirectoryA, SetEnvironmentVariableA, SetLastError, SetUnhandledExceptionFilter, Sleep, SuspendThread, TerminateThread, Thread32First, Thread32Next, UnmapViewOfFile, VirtualQuery, WaitForSingleObject, WideCharToMultiByte
OLE32.dll	CoCreateInstance, CoInitialize, CoUninitialize, CreateStreamOnHGlobal, OleInitialize, OleUninitialize
OLEAUT32.DLL	SysAllocString, SysFreeString
SHELL32.DLL	SHGetFolderPathA, Shell_NotifyIconA
SHLWAPI.DLL	UrlUnescapeA
USER32.dll	BeginDeferWindowPos, BeginPaint, CallNextHookEx, ClientToScreen, CopyIcon, CreateDialogParamA, CreateWindowExA, DefWindowProcA, DeferWindowPos, DestroyMenu, DestroyWindow, DispatchMessageA, DrawTextExA, EnableWindow, EndDeferWindowPos, EndDialog, EndPaint, EnumChildWindows, EnumDisplayDevicesA, EnumDisplayMonitors, FindWindowA, GetAsyncKeyState, GetClassNameA, GetClientRect, GetCursorPos, GetDC, GetDlgItem, GetIconInfo, GetMessageA, GetMonitorInfoA, GetRawInputData, GetRawInputDeviceInfoA, GetRawInputDeviceList, GetRegisteredRawInputDevices, GetSubMenu, GetSystemMetrics, GetWindow, GetWindowLongA, GetWindowRect, GetWindowTextA, IntersectRect, IsDialogMessageA, IsWindow, IsWindowUnicode, LoadCursorFromFileA, LoadIconA, LoadImageA, LoadMenuA, MessageBoxA, MonitorFromRect, PeekMessageA, PostMessageA, PostMessageW, RegisterClassA, RegisterClassExA, RegisterHotKey, RegisterRawInputDevices, RegisterWindowMessageA, ReleaseDC, ScreenToClient, SendInput, SendMessageA, SendMessageW, SetCursorPos, SetForegroundWindow, SetLayeredWindowAttributes, SetSystemCursor, SetWindowLongA, SetWindowPos, SetWindowRgn, SetWindowTextA, SetWindowsHookExA, ShowWindow, SystemParametersInfoA, TrackPopupMenu, TranslateMessage, UnhookWindowsHookEx, UnregisterClassA, UpdateLayeredWindow
WS2_32.DLL	WSAAsyncSelect, WSACleanup, WSAGetLastError, WSAStartup, accept, bind, closesocket, connect, gethostbyname, getsockname, htons, inet_ntoa, listen, ntohs, recv, send, setsockopt, socket

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 12:02:25.309658051 CET	49866	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 12:02:25.314553976 CET	30203	49866	181.71.216.203	192.168.2.10
Jan 10, 2025 12:02:25.314670086 CET	49866	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 12:02:25.363353968 CET	49866	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 12:02:25.368266106 CET	30203	49866	181.71.216.203	192.168.2.10
Jan 10, 2025 12:02:25.368953943 CET	49866	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 12:02:25.373836040 CET	30203	49866	181.71.216.203	192.168.2.10
Jan 10, 2025 12:02:46.687721014 CET	30203	49866	181.71.216.203	192.168.2.10
Jan 10, 2025 12:02:46.687982082 CET	49866	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 12:02:46.699052095 CET	49866	30203	192.168.2.10	181.71.216.203
Jan 10, 2025 12:02:46.703819990 CET	30203	49866	181.71.216.203	192.168.2.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 12:02:25.292830944 CET	50076	53	192.168.2.10	1.1.1.1
Jan 10, 2025 12:02:25.307832003 CET	53	50076	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 12:02:25.292830944 CET	192.168.2.10	1.1.1.1	0x8004	Standard query (0)	newstaticfreepoint24.ddns-ip.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 12:01:58.181866884 CET	1.1.1.1	192.168.2.10	0x3e16	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 12:01:58.181866884 CET	1.1.1.1	192.168.2.10	0x3e16	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:02:25.307832003 CET	1.1.1.1	192.168.2.10	0x8004	No error (0)	newstaticfreepoint24.ddns-ip.net		181.71.216.203	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	06:02:03
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\PDFONLINE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PDFONLINE.exe"
Imagebase:	0x400000
File size:	4'623'872 bytes
MD5 hash:	8268F8AD872D9CA06152019676FBE0BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:02:22
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Imagebase:	0x800000
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.3221350130.0000000009880000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.3221125321.0000000008471000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.3220733277.00000000072D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Function 004012A0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1574927524.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1574912271.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1574954163.0000000000432000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1574954163.0000000000449000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1574989664.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1574989664.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1574989664.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1574989664.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1575066362.0000000000547000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1575096881.000000000054A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1575111312.000000000054B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1575125432.000000000054D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1575140620.0000000000553000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1575155233.000000000055B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1575155233.0000000000577000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1575241630.000000000057B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1575257970.000000000057F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1575257970.0000000000647000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1575491474.000000000064B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1575564093.0000000000652000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1575564093.0000000000656000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1575564093.0000000000695000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1575564093.00000000006AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1575564093.00000000006BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1576503404.00000000006F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1576671080.000000000071A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1576671080.0000000000754000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1576671080.0000000000757000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1577029655.000000000076A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1577067264.0000000000784000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1577067264.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1577067264.000000000081B000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PDFONLINE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b891f53d95835a12b9091d7e9df3d300cb2fae0ce7b337f1cc81d3f3ecba0f64
Instruction ID: a7d070fd37f96f7c44c702c407d5d7541a915b717c9ed70eb8648bb24fb8929d
Opcode Fuzzy Hash: b891f53d95835a12b9091d7e9df3d300cb2fae0ce7b337f1cc81d3f3ecba0f64
Instruction Fuzzy Hash: 4DB0121441430402D1003635480731879DC970134AF40153898D211183D57C50070296

Analysis Process: csc.exePID: 8064, Parent PID: 7824COMMON

Execution Graph

Execution Coverage:	12.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	29.6%
Total number of Nodes:	27
Total number of Limit Nodes:	5

Executed Functions

Function 06E8D28F Relevance: 16.1, Strings: 12, Instructions: 1148COMMON

Download Yara Rule

Strings

$q, xrefs: 06E8D797
$q, xrefs: 06E8D6E7
$q, xrefs: 06E8D533
$q, xrefs: 06E8DB81
,q, xrefs: 06E8DD5A
$q, xrefs: 06E8D523
4, xrefs: 06E8DC75
$q, xrefs: 06E8DBDA
$q, xrefs: 06E8D7A7
$q, xrefs: 06E8D6F7
$q, xrefs: 06E8DBCA
$q, xrefs: 06E8DB71

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID: ,q$4$$q$$q$$q$$q$$q$$q$$q$$q$$q$$q
API String ID: 0-2072453518
Opcode ID: f00c38e06cdd0463b1bfc5939dd6585e5875f4f30136272b451f664cf8f525cc
Instruction ID: e4c7faf45e3ccd0207ecb1f33c529302dfdd305348a75a8ebf32f4d2984ade4b
Opcode Fuzzy Hash: f00c38e06cdd0463b1bfc5939dd6585e5875f4f30136272b451f664cf8f525cc
Instruction Fuzzy Hash: DCB2F534A00218DFDB64DFA4D894BADB7B6FF88304F149599E509AB3A5DB70AC81CF50

Function 06E8D5C7 Relevance: 8.0, Strings: 6, Instructions: 495COMMON

Download Yara Rule

Strings

$q, xrefs: 06E8D797
$q, xrefs: 06E8D6E7
,q, xrefs: 06E8DD5A
4, xrefs: 06E8DC75
$q, xrefs: 06E8DBCA
$q, xrefs: 06E8DB71

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID: ,q$4$$q$$q$$q$$q
API String ID: 0-3956183810
Opcode ID: a6ea12916337ea0772d9131bdf9af01c79063c5ac1d151a3d7f00ceea44f2695
Instruction ID: 6567183635d60404904090fe7c9c567a2a2f2449d3534343869bb2603a61416c
Opcode Fuzzy Hash: a6ea12916337ea0772d9131bdf9af01c79063c5ac1d151a3d7f00ceea44f2695
Instruction Fuzzy Hash: D822C534A00218DFDB64EFA4C994BA9B7B2FF48304F1491A9D50DAB3A5DB71AD81CF50

Function 06E70990 Relevance: 3.1, Strings: 2, Instructions: 553
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Plq, xrefs: 06E70B78
$q, xrefs: 06E70C5E

Memory Dump Source

Source File: 00000003.00000002.3220462943.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e70000_csc.jbxd

Similarity

API ID:
String ID: Plq$$q
API String ID: 0-181920578
Opcode ID: 06071ab017cd9d8b3a260bd1b27dbabad14d1bf135ce450b9be2e996dfc4a9de
Instruction ID: 447f48b2baf2e5670abe08c7695a31f0c13f737780352b05497167f47a1fcbba
Opcode Fuzzy Hash: 06071ab017cd9d8b3a260bd1b27dbabad14d1bf135ce450b9be2e996dfc4a9de
Instruction Fuzzy Hash: 4B222574B002048FDB54DF28C984AAAB7F6BF89714F2594A9E506DB371DB71EC81CB90

Function 05083C83 Relevance: 2.6, Strings: 2, Instructions: 150COMMON

Download Yara Rule

Strings

4'q, xrefs: 05083D27
4'q, xrefs: 05083D52

Memory Dump Source

Source File: 00000003.00000002.3219809788.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5080000_csc.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 5f7c8cbea44551afeb905d8b96a25725171ef4d3bdf5b2335ab71c43207843ab
Instruction ID: 93ac6cf31c1366712b7347d370fed1ffffe17c2b1f3b58e7ad01ed2c664f07fc
Opcode Fuzzy Hash: 5f7c8cbea44551afeb905d8b96a25725171ef4d3bdf5b2335ab71c43207843ab
Instruction Fuzzy Hash: AA5118B0E153848FE708EF6AF8466DEBFE3EBC8200F14C62DD4049B265DB7855468B55

Function 05083C88 Relevance: 2.6, Strings: 2, Instructions: 149COMMON

Download Yara Rule

Strings

4'q, xrefs: 05083D27
4'q, xrefs: 05083D52

Memory Dump Source

Source File: 00000003.00000002.3219809788.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5080000_csc.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 8b1d49b241f172b2e8eed883cc48475b877a94aa70aefa2dbc30e233f2d7ecd1
Instruction ID: ca32897b2c06aace40904f77bed0d0e2a70b4eb31c0c97f5ac32962088ba3f4d
Opcode Fuzzy Hash: 8b1d49b241f172b2e8eed883cc48475b877a94aa70aefa2dbc30e233f2d7ecd1
Instruction Fuzzy Hash: F45136B0E153848FE708EF6AF8466DEBFE3EBC8200F14C62DD4049B265DB7859468B55

Function 06E8138C Relevance: 2.6, Strings: 2, Instructions: 125COMMON

Download Yara Rule

Strings

M*^;, xrefs: 06E8117D
0F<l, xrefs: 06E813B4

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID: 0F<l$M*^;
API String ID: 0-3404287229
Opcode ID: b268bc91814a8c820a4bbc799eab3ebf18d346497d75d44dd85fa137942dc5d9
Instruction ID: 0467d4ecce4d41aaf180e5b79e4294463fd33717832ee9910c19c7278934b9bd
Opcode Fuzzy Hash: b268bc91814a8c820a4bbc799eab3ebf18d346497d75d44dd85fa137942dc5d9
Instruction Fuzzy Hash: AF51FA70A05204CFCB88DF78E569AAD7BF5FB58305B50806EE41ADB392DB359849CF08

Function 06E7F068 Relevance: 1.7, APIs: 1, Instructions: 153COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 06E7F131

Memory Dump Source

Source File: 00000003.00000002.3220462943.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e70000_csc.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 91af548531d95b635c790aef720e54f12e5db950c0c6c136feae1968b2a9070f
Instruction ID: f3fea341a9950d55c852dab1f564720fff15e66f2e6a4c3762d06186aea6d73c
Opcode Fuzzy Hash: 91af548531d95b635c790aef720e54f12e5db950c0c6c136feae1968b2a9070f
Instruction Fuzzy Hash: 17512D75B003028FC389FB68E669BB93BE6EB8D200B45506D901FDB346DE349846CB59

Function 06E7F078 Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 06E7F131

Memory Dump Source

Source File: 00000003.00000002.3220462943.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e70000_csc.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: be00c97fd8ab19d301c61ba8a04568a53e5ad6b693d0d42cf09619dbddbee475
Instruction ID: 4d50c5f788174077fe39aa9d2962d77bbe5c02a0da8686b60894657897ebca2e
Opcode Fuzzy Hash: be00c97fd8ab19d301c61ba8a04568a53e5ad6b693d0d42cf09619dbddbee475
Instruction Fuzzy Hash: 8E512F74B003028FC385FB78E6A9BA93BE6EB8D600F45506D941FDB346DE349846CB59

Function 06EB6FC0 Relevance: 1.6, Strings: 1, Instructions: 349COMMON

Download Yara Rule

Strings

dOt, xrefs: 06EB7056

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID: dOt
API String ID: 0-1141408869
Opcode ID: b56952a51b0974498234f89afcc5f2cabf18b6d9b769d33742d36cf5fd3b8e33
Instruction ID: 26568ef9d846f129b5dc41bbd54fda86b1e031de7a898d09987b101ca0eac78e
Opcode Fuzzy Hash: b56952a51b0974498234f89afcc5f2cabf18b6d9b769d33742d36cf5fd3b8e33
Instruction Fuzzy Hash: 19E16D34A04204CFEB40CF25D598BEA7BB2FF88315F15B0A9E505ABBA5C775AC85CB44

Function 06EB73F2 Relevance: 1.5, Strings: 1, Instructions: 299COMMON

Download Yara Rule

Strings

dOt, xrefs: 06EB7056

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID: dOt
API String ID: 0-1141408869
Opcode ID: 2502c93ab2a49e99f340b7b0ebe6e4a5e97ac3dd43d8c3e463ac66f74a77249e
Instruction ID: f759f8c30d244cd0ea11cfdc8c5d853ef7f02bdd85e5535d907774582f987e4c
Opcode Fuzzy Hash: 2502c93ab2a49e99f340b7b0ebe6e4a5e97ac3dd43d8c3e463ac66f74a77249e
Instruction Fuzzy Hash: E0D15D34A04205CFEB80CF25D598BEA77B3FB88314F15B0A9E505ABBA5C775AC85CB44

Function 06E812C2 Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

M*^;, xrefs: 06E8117D

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID: M*^;
API String ID: 0-3906143540
Opcode ID: 36437f530419a38de94d710c61809c32326cd12cb3382299c34b561f8f23e5e5
Instruction ID: bc6fba1ffcb4b3b9b5501ef5deabb87b08881c1a00066d01656dc710f9e08d6e
Opcode Fuzzy Hash: 36437f530419a38de94d710c61809c32326cd12cb3382299c34b561f8f23e5e5
Instruction Fuzzy Hash: 6B510A70A05204CFCB88DF68E5A9BAD7BF5FB18305B10806EE41ADB395DB359849CF08

Function 06E80F43 Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

M*^;, xrefs: 06E8117D

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID: M*^;
API String ID: 0-3906143540
Opcode ID: ba24b7930cd08e2628dd232ca9737726abee9978f8e428e5f5bccd9f86df2094
Instruction ID: 0ea09e6572d23df5db27772bbe7b3082f5a1e6a179906bdaa3acb641e7cdea89
Opcode Fuzzy Hash: ba24b7930cd08e2628dd232ca9737726abee9978f8e428e5f5bccd9f86df2094
Instruction Fuzzy Hash: 2D51FA70A05204CFCB88DF68E569BAD7BF5FB58305B50906EE41ADB391DB399849CF08

Function 06E8123C Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

M*^;, xrefs: 06E8117D

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID: M*^;
API String ID: 0-3906143540
Opcode ID: d4bc6b823637de63898232dcc642da582177c714d8d1749375b18e97241ec2ac
Instruction ID: 2a0c7d9e2a6689426c1571dfe7a7f7fb63ea54c513e1455ab45d4a28ae0f5add
Opcode Fuzzy Hash: d4bc6b823637de63898232dcc642da582177c714d8d1749375b18e97241ec2ac
Instruction Fuzzy Hash: 5651D970A05204CFDB84DF68E5A9BAD7BF6FB58305B10906EE41ADB391DB359849CF08

Function 06E81474 Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

M*^;, xrefs: 06E8117D

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID: M*^;
API String ID: 0-3906143540
Opcode ID: 4794a60d4c6b7d9b3236ee533b8b1a0c54d3a9960f685d0d8ad646292434275b
Instruction ID: ce134aab0d4ce8431ff45efc9e4100becb1ae90557e15622e06f3c220c811372
Opcode Fuzzy Hash: 4794a60d4c6b7d9b3236ee533b8b1a0c54d3a9960f685d0d8ad646292434275b
Instruction Fuzzy Hash: 5551C870A052088FCB84DF68E569BAD7BF5FB18305F11906EE41ADB295DB399849CF08

Function 06E80FB4 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

M*^;, xrefs: 06E8117D

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID: M*^;
API String ID: 0-3906143540
Opcode ID: 63f7e5c3ff85d37445325bef887b17fb6f3af2f101ff4b04dd711e8b3fafbed3
Instruction ID: 873c34b5b9f38ab1169da7ffac138016802328d06918c42d067e6146a60cf154
Opcode Fuzzy Hash: 63f7e5c3ff85d37445325bef887b17fb6f3af2f101ff4b04dd711e8b3fafbed3
Instruction Fuzzy Hash: 9B51D974A05204CFCB84DFA8E5A9BAD7BF5FB58305B50806EE41ADB391DB359849CF08

Function 06E80EF7 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

M*^;, xrefs: 06E8117D

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID: M*^;
API String ID: 0-3906143540
Opcode ID: 9e33ce5f1565a2fc141b6fe5477f4f963b3cc8d4153c22a7ffa60f870cfac568
Instruction ID: 307e6aaa637e47f4e992ba0ee7b9f58bb2061c2aaec820db110056de3a99b04c
Opcode Fuzzy Hash: 9e33ce5f1565a2fc141b6fe5477f4f963b3cc8d4153c22a7ffa60f870cfac568
Instruction Fuzzy Hash: E2510B70A05204CFCB84DF78E5A9AAD7BF1FB18305B21806EE41ADB391DB359849CF08

Function 06E813FF Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

M*^;, xrefs: 06E8117D

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID: M*^;
API String ID: 0-3906143540
Opcode ID: 8f27608f9b5f2daa3e4545c038b991d5fb5ffcc9b7a85ee37b61ed98f6ae4317
Instruction ID: ff51ed4b7ad02b87982768fbc698cc6a9e7df044b68c60b6689360dae894fb6d
Opcode Fuzzy Hash: 8f27608f9b5f2daa3e4545c038b991d5fb5ffcc9b7a85ee37b61ed98f6ae4317
Instruction Fuzzy Hash: BF51EB70A05208CFCB84DF68E5A9AADBBF1FB58305F10906EE41ADB355DB359849CF08

Function 06E810C0 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

M*^;, xrefs: 06E8117D

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID: M*^;
API String ID: 0-3906143540
Opcode ID: beb6a8dbd21835ef0e9248c49efc225e9b2a2a5294efcd0c85295c5b5473b247
Instruction ID: 60758955cbf4c96c0a68ef98c1956299ad653f0f25cfea0fc3c047cc02a3deb7
Opcode Fuzzy Hash: beb6a8dbd21835ef0e9248c49efc225e9b2a2a5294efcd0c85295c5b5473b247
Instruction Fuzzy Hash: 6D51E970A01244CFCB44DF68E4A9BAD7BF1FB58305F10906EE41ADB291DB359849CF08

Function 06E80F08 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

M*^;, xrefs: 06E8117D

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID: M*^;
API String ID: 0-3906143540
Opcode ID: c5e4e7c07607a44dec0ee67045cee469c10a555e612c20d9ca11e15373aff1ec
Instruction ID: 9983b3c789b93bf6c5e8f6ec1b1fd7ad16b2bdf1885b3d4bbc8dd030c6e32494
Opcode Fuzzy Hash: c5e4e7c07607a44dec0ee67045cee469c10a555e612c20d9ca11e15373aff1ec
Instruction Fuzzy Hash: 46510B70A05208CFDB84DF68E569AAD7BF5FB58305F20806EE41ADB391DB359849CF08

Function 06EB413A Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebf8d966b7d5279a4de0be0137d1926593f6472d6026f6e3149c5d2cf98af2c8
Instruction ID: d60e83ce6b23f7ae9fc6e3218aa4df9c8f78c3efe4910eddb9992fc7eed06d6c
Opcode Fuzzy Hash: ebf8d966b7d5279a4de0be0137d1926593f6472d6026f6e3149c5d2cf98af2c8
Instruction Fuzzy Hash: D9C15B34A01305CFD784EFA5E654BEE77F2FB88304F14A068D016AB79ADB349981CB49

Function 06EB4148 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 692e619941c729c046220abd3abc56550dbb2d2c4e8dff87605bc08a4d630a2f
Instruction ID: a395d120f3b32633f28f81e8c872e0ebc0fea851e560564535dfcc0a3618183c
Opcode Fuzzy Hash: 692e619941c729c046220abd3abc56550dbb2d2c4e8dff87605bc08a4d630a2f
Instruction Fuzzy Hash: 34B13B34A01305CFD784EBA5E554BEE77F2FB88300F10A068D416AB79ADB349981CB49

Function 06EB27F8 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f879a430484058c288c2972146c4e34961605aab59cd9b7595cfbdbe69d05d4
Instruction ID: 5c56ab8e7b52d6941fdd34b5d84332861548b8aac65fb3ba8f71666bab9817df
Opcode Fuzzy Hash: 7f879a430484058c288c2972146c4e34961605aab59cd9b7595cfbdbe69d05d4
Instruction Fuzzy Hash: 10B16D70E00309CFDB50CFA9D8817EEBBF2AF48314F14A529D959AB294EB749941CB91

Function 06EB1BE0 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbedfee35e11ce5a9842306070205a48441a26ef061997a2cb7de2a48a14716c
Instruction ID: e7654353b23b77cf8822dcdb8030b76a14a8e1517a61658be8ac8abfb6e8cd20
Opcode Fuzzy Hash: cbedfee35e11ce5a9842306070205a48441a26ef061997a2cb7de2a48a14716c
Instruction Fuzzy Hash: EC918F70E00309DFDB54CFA9D9917EEBBF2AF48368F14A529D404AB254EB349841CF91

Function 06EB38D1 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d347054d87412116dd5d1d1925b149392dd261c21194ca3111239bbd722cc466
Instruction ID: 21050b117be6bae509c280ea3f7a5fce3478f2c7e38280eccd1654bee85ce776
Opcode Fuzzy Hash: d347054d87412116dd5d1d1925b149392dd261c21194ca3111239bbd722cc466
Instruction Fuzzy Hash: FD91B030A00305CFDB94DB64D65ABEA77E3EB88304F25B079C006AB295DB389885CF58

Function 06E855D1 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fae37ec45d0fe55b740c35b0bdafc49397d9daefa29e0bb84d0ef7079eb8edb
Instruction ID: bd7b6c299eaaaf0ec3ea3d76729eb4e754cae6718012832bc3028f18c8937875
Opcode Fuzzy Hash: 7fae37ec45d0fe55b740c35b0bdafc49397d9daefa29e0bb84d0ef7079eb8edb
Instruction Fuzzy Hash: 38919D30E11304CFEB80EF55E544BEABBB3EB84314F54A06AD40DA7695DB789885CB94

Function 06EB42E7 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f8f51ac0ea08819ae85f35f0b5a2061fca119bbae839392c0bb65b972351c04
Instruction ID: 05af8258f06d61e39c18b811142d83ff6e5dd9bdc90394d8d9ae3ab7239af821
Opcode Fuzzy Hash: 0f8f51ac0ea08819ae85f35f0b5a2061fca119bbae839392c0bb65b972351c04
Instruction Fuzzy Hash: 73911934A01305CFEB94DFA5E554BEA77F2FB88304F20A168D005AB79ADB34D981CB48

Function 06E855E0 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b861962c2e08e32b30acb9af028408013926a981bc769347717af294fdf84d0a
Instruction ID: 7290f0f4e6aea38593b244c13ed89338a9eb322260eb651ea73fb7d14dfc11d4
Opcode Fuzzy Hash: b861962c2e08e32b30acb9af028408013926a981bc769347717af294fdf84d0a
Instruction Fuzzy Hash: 00918C30E11308CFEB80EF55E544BEABBB3EB84314F54A06AD40DA7695DF789885CB94

Function 06EB38E0 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 151bee5a05b45e88a251843345e2ff7ad718c49b8e52a0c7af40adc2a8cdd8b9
Instruction ID: 227b6173af1fe05ea58cdb8778e7ce60e9cb1a0591de0dca4bc83259d2f392a2
Opcode Fuzzy Hash: 151bee5a05b45e88a251843345e2ff7ad718c49b8e52a0c7af40adc2a8cdd8b9
Instruction Fuzzy Hash: 39818130A01305CFDB94DB64D65ABEA77E3EB88304F25B07DC016AB295DB789885CF58

Function 06E8570C Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b2e90a0f2831742bf4e8e97d1b05fd13f8733f28e61497bb4ce567d9bcb9222
Instruction ID: 205f7ce3457f82776340a37058a0bbd828b54c61d61c1f17ab5cbabdc786cfbb
Opcode Fuzzy Hash: 9b2e90a0f2831742bf4e8e97d1b05fd13f8733f28e61497bb4ce567d9bcb9222
Instruction Fuzzy Hash: 71818B30E11305CFEBC0EF55E544BEABBB3EB84314F54A06AD40DA7685DB789885CB84

Function 06E7F2C0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220462943.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e70000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1b7a0c704cbdad4c73c55dc4ac6bb7233a57d55beb7db51318651a590e3ab51
Instruction ID: ec0fa8a75145e0d2774b8c8c022d16d92653c75191946662ed6b8f33e6cdfe17
Opcode Fuzzy Hash: b1b7a0c704cbdad4c73c55dc4ac6bb7233a57d55beb7db51318651a590e3ab51
Instruction Fuzzy Hash: 6751AC30E05309CFEB94CF64E658BAD77B3EB88309F24A069D106A7254DB349C82CB56

Function 06EB5E7D Relevance: 5.3, Strings: 4, Instructions: 282
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(q, xrefs: 06EB6148
(q, xrefs: 06EB5F0F
Hq, xrefs: 06EB5F3B
(q, xrefs: 06EB6043

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID: (q$(q$(q$Hq
API String ID: 0-564500637
Opcode ID: 1affe06d1cec50b25667b21ba3a4f4fa90c39818f95382596bc7a2030aea36b3
Instruction ID: 74a28a5a943b8d047d27f385a32a308d427ffd8d116525fb734735d4bfcc7e2b
Opcode Fuzzy Hash: 1affe06d1cec50b25667b21ba3a4f4fa90c39818f95382596bc7a2030aea36b3
Instruction Fuzzy Hash: E79168317043418FD7A5AB389850AAFB7A3EFC5610B28956ED50ACF391DE34DC02C7A9

Function 06E90078 Relevance: 3.1, Strings: 2, Instructions: 597COMMON

Download Yara Rule

Strings

4'q, xrefs: 06E907E0
4'q, xrefs: 06E907D4

Memory Dump Source

Source File: 00000003.00000002.3220510470.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e90000_csc.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: e28f849c20658aaee98340d8a2c045ca1c056e43e193a6a3200e4fa77aab77ff
Instruction ID: 88d6c89ca74f562a0698e9203eef590becfc3623b8723723b37ed28066d91309
Opcode Fuzzy Hash: e28f849c20658aaee98340d8a2c045ca1c056e43e193a6a3200e4fa77aab77ff
Instruction Fuzzy Hash: E102B120F103108FDFB46635A49973E26AF9FC5A54BC4662DDA46DB384DEA4CC4287F2

Function 06E8F751 Relevance: 3.0, Strings: 2, Instructions: 525
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 06E8FADB
$q, xrefs: 06E8FACB

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: 98d20950ab9d742f27b7aac5c20dc7fc1f6caad2ba4d01cfa9c1959b29818294
Instruction ID: a250fa71ab34e0759d5b30ddf81cdd60d90be416ca6dfb0aa6bc84a1eebdd7b0
Opcode Fuzzy Hash: 98d20950ab9d742f27b7aac5c20dc7fc1f6caad2ba4d01cfa9c1959b29818294
Instruction Fuzzy Hash: F6227B30E01319DFCB55EFA4E854AEDBBB2FF48304F149019E919AB395DB74AA41CB90

Function 06E90810 Relevance: 2.9, Strings: 2, Instructions: 362
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'q, xrefs: 06E90C95
4'q, xrefs: 06E90C89

Memory Dump Source

Source File: 00000003.00000002.3220510470.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e90000_csc.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 030e7d7d63832ac8d812027ea5eba3056b59dd45ffc2c7af6d864f730ccfb6de
Instruction ID: f625a24cdcb7119b286b74e028f3851a549ca1339c5bb6c326eacd9439fcb11d
Opcode Fuzzy Hash: 030e7d7d63832ac8d812027ea5eba3056b59dd45ffc2c7af6d864f730ccfb6de
Instruction Fuzzy Hash: 30C17034B143108F8FA96B68A06817DBBF7EFC9215394582DE847CB344DF798C428BA5

Function 06E8F030 Relevance: 2.7, Strings: 2, Instructions: 179
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hq, xrefs: 06E8F1C2
(q, xrefs: 06E8F133

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID: (q$Hq
API String ID: 0-1154169777
Opcode ID: bb60c9d67da7dbbcf6d823183cfdc6354261fa162d819745164866a01f88b90a
Instruction ID: dd47f41a10830dac094d18733857eb7d73e9352ccc802137d640b3b4bf454838
Opcode Fuzzy Hash: bb60c9d67da7dbbcf6d823183cfdc6354261fa162d819745164866a01f88b90a
Instruction Fuzzy Hash: 0E51CF30B003148FD7A8BF74C8546AE77B6AFC9240B24496DD50A9B3A1CF75EC46CBA5

Function 06E8B5F8 Relevance: 2.6, Strings: 2, Instructions: 139COMMON

Download Yara Rule

Strings

(q, xrefs: 06E8B720
Hq, xrefs: 06E8B74C

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID: (q$Hq
API String ID: 0-1154169777
Opcode ID: d07b4d6b333667cce9b4c516152a98ac618e70a261b3ecfca7eb1786b95e81ed
Instruction ID: 886b0b2a10719d07fec8741de1a86ca9dc4c5b36f1223fed845f81e80a443194
Opcode Fuzzy Hash: d07b4d6b333667cce9b4c516152a98ac618e70a261b3ecfca7eb1786b95e81ed
Instruction Fuzzy Hash: 795124316007418FE365AF3AD44438ABBE2AF84310F14CA2DD45E8B3A1DBB4E845CBA5

Function 06EB4DE9 Relevance: 2.6, Strings: 2, Instructions: 97COMMON

Download Yara Rule

Strings

C@l^, xrefs: 06EB4F09
aq, xrefs: 06EB4F5D

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID: aq$C@l^
API String ID: 0-4182290387
Opcode ID: 7efb0decee47ce1985acb4cfde8850b7e0f01386ae6d892c53d900312df26f4c
Instruction ID: df698644f1532c66b6767c5d665036f210edd16372d2bf81d6f5e18134aedb1e
Opcode Fuzzy Hash: 7efb0decee47ce1985acb4cfde8850b7e0f01386ae6d892c53d900312df26f4c
Instruction Fuzzy Hash: 0F317A30E10309DBDB45DFA4E994ADEFBB6FF84300F14A529E441A7398DB749846CB81

Function 06EB50D4 Relevance: 2.6, Strings: 2, Instructions: 95COMMON

Download Yara Rule

Strings

C@l^, xrefs: 06EB4F09
aq, xrefs: 06EB4F5D

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID: aq$C@l^
API String ID: 0-4182290387
Opcode ID: 8a6a4a00de72c0290dacf19af8905837648d37e0ebd6a9797bbe6dfa8e2b5042
Instruction ID: 49769da80e5b32f1994b7d5064790d6a1012929aef4da0e95d0d952ed3781217
Opcode Fuzzy Hash: 8a6a4a00de72c0290dacf19af8905837648d37e0ebd6a9797bbe6dfa8e2b5042
Instruction Fuzzy Hash: 40412E30E10209CFDB45EFA4E5547EEBBB2BF84300F54A518D4426B399DF789886CB96

Function 06EB4ECE Relevance: 2.6, Strings: 2, Instructions: 92COMMON

Download Yara Rule

Strings

C@l^, xrefs: 06EB4F09
aq, xrefs: 06EB4F5D

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID: aq$C@l^
API String ID: 0-4182290387
Opcode ID: c991fdf224a903b31d8c135e757bae63993de01d6489c4eb8f056d8bb863777c
Instruction ID: 2a3bae51e95fd3103a6c8f72a53170d31bc4c27c47fe4c19ce8c037cad826086
Opcode Fuzzy Hash: c991fdf224a903b31d8c135e757bae63993de01d6489c4eb8f056d8bb863777c
Instruction Fuzzy Hash: DA414B30D00309CFDB56DF94E594BEEBBB2FF84310F14A618E4416B299DB749886CB45

Function 06EB4E42 Relevance: 2.6, Strings: 2, Instructions: 91COMMON

Download Yara Rule

Strings

C@l^, xrefs: 06EB4F09
aq, xrefs: 06EB4F5D

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID: aq$C@l^
API String ID: 0-4182290387
Opcode ID: 872a9ae9de1da0727e2e10e8b8f1840d0863fb4d76bf69bd870070a3e047a642
Instruction ID: 58343c16705a8073bc09e52b2135f80679b1cc31a26fad0150022016047e5055
Opcode Fuzzy Hash: 872a9ae9de1da0727e2e10e8b8f1840d0863fb4d76bf69bd870070a3e047a642
Instruction Fuzzy Hash: 38314F30E10209CFDB45EFA4E5547DEBBB2BF84300F54A518D4426B399DF789886CB95

Function 06EB4DF8 Relevance: 2.6, Strings: 2, Instructions: 89COMMON

Download Yara Rule

Strings

C@l^, xrefs: 06EB4F09
aq, xrefs: 06EB4F5D

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID: aq$C@l^
API String ID: 0-4182290387
Opcode ID: 7554af2a543a36d1c53745871bec1be63ed1ba489a41a9d76e679fdfe55b4321
Instruction ID: 19b9dcc51034c2b051ea4dfde10400df803f866e03a7d8110d6ea60b5a6b95ba
Opcode Fuzzy Hash: 7554af2a543a36d1c53745871bec1be63ed1ba489a41a9d76e679fdfe55b4321
Instruction Fuzzy Hash: E6314A30E10308DBDB15EFA5E994ADEFBB6FF84300F14A529E441A7398DB749846CB91

Function 06EB4FA5 Relevance: 2.6, Strings: 2, Instructions: 88COMMON

Download Yara Rule

Strings

C@l^, xrefs: 06EB4F09
aq, xrefs: 06EB4F5D

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID: aq$C@l^
API String ID: 0-4182290387
Opcode ID: bb1919b39ae5b49e8665cba22d47e68c52eb3182f720451d5ac9b5f3c23b6466
Instruction ID: ff45cc3ab1f084885939a9079bac2c18472bc73945cf94ecf4d46bd84ede0ce2
Opcode Fuzzy Hash: bb1919b39ae5b49e8665cba22d47e68c52eb3182f720451d5ac9b5f3c23b6466
Instruction Fuzzy Hash: 7F314C30E00209CFDB45EF94E5947EEBBB2BF84300F14A518E4426B399DB789886CB55

Function 06EB4FE5 Relevance: 2.6, Strings: 2, Instructions: 87COMMON

Download Yara Rule

Strings

C@l^, xrefs: 06EB4F09
aq, xrefs: 06EB4F5D

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID: aq$C@l^
API String ID: 0-4182290387
Opcode ID: a1681ff339cb85052e48fd6da06c64766bc71cee1cded67b5c40a1d75d312075
Instruction ID: eb86a7832bcb0d2650c477935ec4dbeae25d0ec4eefd9aaed0ba3c855338c4f8
Opcode Fuzzy Hash: a1681ff339cb85052e48fd6da06c64766bc71cee1cded67b5c40a1d75d312075
Instruction Fuzzy Hash: 79313930D00309CFDB46DF94E594BEEBBB2FF44300F54A568D4416B299DB74A886CB85

Function 06EB51C8 Relevance: 2.6, Strings: 2, Instructions: 87COMMON

Download Yara Rule

Strings

C@l^, xrefs: 06EB4F09
aq, xrefs: 06EB4F5D

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID: aq$C@l^
API String ID: 0-4182290387
Opcode ID: 6151a26b690608b6dbbe1685429133cde0565655117b6de82816f97476180a8a
Instruction ID: 5dbd2fdf8d7776535f23ddfbf0929dd54c11d0da5b0cf98b3afedd79c63cd22d
Opcode Fuzzy Hash: 6151a26b690608b6dbbe1685429133cde0565655117b6de82816f97476180a8a
Instruction Fuzzy Hash: 1C316D70E01309DFDB46EFA4E5947DEBBB2FF54300F14A568E0416B299DB74988ACB81

Function 06EB5126 Relevance: 2.6, Strings: 2, Instructions: 85COMMON

Download Yara Rule

Strings

C@l^, xrefs: 06EB4F09
aq, xrefs: 06EB4F5D

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID: aq$C@l^
API String ID: 0-4182290387
Opcode ID: 78d0709c8d7e0f370e1fae8ea6d04902947b142545d07c7aa12726e5a8a37cf1
Instruction ID: 6399bd4af8c7b76104705767a1a3dd40625ce8389747f11daeee3a2682738135
Opcode Fuzzy Hash: 78d0709c8d7e0f370e1fae8ea6d04902947b142545d07c7aa12726e5a8a37cf1
Instruction Fuzzy Hash: 65312730E00309CFDB46DFA4E594BEEBBB2FF44304F54A568E4416B299DB749886CB41

Function 06EB50F2 Relevance: 2.6, Strings: 2, Instructions: 83COMMON

Download Yara Rule

Strings

C@l^, xrefs: 06EB4F09
aq, xrefs: 06EB4F5D

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID: aq$C@l^
API String ID: 0-4182290387
Opcode ID: 36afef20311c8a37955fd8d03a968511d3b3927e74afe1f3db92e2d87d422849
Instruction ID: 87266e5558f6c6319142d1beec1f190833721cc4bf4969b2938bcd4332c30449
Opcode Fuzzy Hash: 36afef20311c8a37955fd8d03a968511d3b3927e74afe1f3db92e2d87d422849
Instruction Fuzzy Hash: A6311930E00209DFDB45DFA4E594BEEBBB2FF84300F18A528E4416B299DB749886CB51

Function 06EB517C Relevance: 2.6, Strings: 2, Instructions: 83COMMON

Download Yara Rule

Strings

C@l^, xrefs: 06EB4F09
aq, xrefs: 06EB4F5D

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID: aq$C@l^
API String ID: 0-4182290387
Opcode ID: 464fea533d9d8525fa4f308b4863e30b760f5cef0f584dbf48e96c79d1a9bb99
Instruction ID: 6de766087c4d42d0380e3cf2e297324571271fe524e848e53decc908b6dd22bc
Opcode Fuzzy Hash: 464fea533d9d8525fa4f308b4863e30b760f5cef0f584dbf48e96c79d1a9bb99
Instruction Fuzzy Hash: F8311830A01209DFDB45DFA4E594BEEBBB2FF44300F14A568E4416B299DB749886CB91

Function 06EB4E9C Relevance: 2.6, Strings: 2, Instructions: 80COMMON

Download Yara Rule

Strings

C@l^, xrefs: 06EB4F09
aq, xrefs: 06EB4F5D

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID: aq$C@l^
API String ID: 0-4182290387
Opcode ID: 5c2e90fe67f95a7b1fa8d435241dc433881d2da4a5d3e33044ba57331539fc0c
Instruction ID: cd063c8d292680c75a4cd25fccdd6e8bff507b2cffe62b40938c19b76ab45fbc
Opcode Fuzzy Hash: 5c2e90fe67f95a7b1fa8d435241dc433881d2da4a5d3e33044ba57331539fc0c
Instruction Fuzzy Hash: C5310730E00309CFDB55DFA4E598BDEBBB2FF44310F14A618E4416B2A9DB749886CB55

Function 06EB4FB7 Relevance: 2.6, Strings: 2, Instructions: 77COMMON

Download Yara Rule

Strings

C@l^, xrefs: 06EB4F09
aq, xrefs: 06EB4F5D

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID: aq$C@l^
API String ID: 0-4182290387
Opcode ID: 5201829081d4501df07b23138d244ac1514fc15216750c46da3f96e6a3ddedba
Instruction ID: 2419f1f64ae012c9142853237be7153d68dfe3db5822d77bb3df628b4960d2fc
Opcode Fuzzy Hash: 5201829081d4501df07b23138d244ac1514fc15216750c46da3f96e6a3ddedba
Instruction Fuzzy Hash: BE310830E01309CFDB45EF94E5947EEBBB2FF84300F18A629E4416B299DB749886CB51

Function 06EB51B4 Relevance: 2.6, Strings: 2, Instructions: 76COMMON

Download Yara Rule

Strings

C@l^, xrefs: 06EB4F09
aq, xrefs: 06EB4F5D

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID: aq$C@l^
API String ID: 0-4182290387
Opcode ID: e22bd05591cef19f282565ecffbbc03c3c60ea1425cb110516a06956e12c6563
Instruction ID: 0e6809862a2c5c631a4206cb556460c0420661032ff0f59567c289306bf2ce0e
Opcode Fuzzy Hash: e22bd05591cef19f282565ecffbbc03c3c60ea1425cb110516a06956e12c6563
Instruction Fuzzy Hash: 86310730E00309CFDB56EF94E5947EEBBB2BF84300F14A529E4416B299DB749886CB51

Function 06EB5073 Relevance: 2.6, Strings: 2, Instructions: 74COMMON

Download Yara Rule

Strings

C@l^, xrefs: 06EB4F09
aq, xrefs: 06EB4F5D

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID: aq$C@l^
API String ID: 0-4182290387
Opcode ID: 20695008a352184e1b83be804b6012a01478986e43d2dbdaef18be7625484f44
Instruction ID: 8ac0d5cc0f73fb7f42c2d0ad6c8b36dff12c0b7d61612c7df388fe26e7d9e3b0
Opcode Fuzzy Hash: 20695008a352184e1b83be804b6012a01478986e43d2dbdaef18be7625484f44
Instruction Fuzzy Hash: 40313870D00309CFDB45EF94E594BEEBBB2FF84300F14A618E4416B299DB749886CB51

Function 06EB5053 Relevance: 2.6, Strings: 2, Instructions: 74COMMON

Download Yara Rule

Strings

C@l^, xrefs: 06EB4F09
aq, xrefs: 06EB4F5D

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID: aq$C@l^
API String ID: 0-4182290387
Opcode ID: 9140202a1e90c4c6eb2886824827fc193161ee8a4180cb72a8671af277b8ac94
Instruction ID: 107a6349e4bad0297b6d9ac05f0ba89b8457ba8d1352a9b3063ee25d74c696b2
Opcode Fuzzy Hash: 9140202a1e90c4c6eb2886824827fc193161ee8a4180cb72a8671af277b8ac94
Instruction Fuzzy Hash: 35312C30E00309CFDB45DF94E5947EEBBB2FF84300F14A529D4416B299DB749886CB51

Function 06EB5214 Relevance: 2.6, Strings: 2, Instructions: 74COMMON

Download Yara Rule

Strings

C@l^, xrefs: 06EB4F09
aq, xrefs: 06EB4F5D

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID: aq$C@l^
API String ID: 0-4182290387
Opcode ID: 2507f2edfcaa86cf0b4d824f5d8ad7d55d42613bd21086e4c2f16d1c8e3082b6
Instruction ID: 423d11c2620b24d1f7deff7973df6bd02b58095e61a1c46ed5e472c3677b6422
Opcode Fuzzy Hash: 2507f2edfcaa86cf0b4d824f5d8ad7d55d42613bd21086e4c2f16d1c8e3082b6
Instruction Fuzzy Hash: 52312D30D00309CFDB46DF94E5947EEBBB2FF44300F14A569E4416B299DB749886CB51

Function 06EB5033 Relevance: 2.6, Strings: 2, Instructions: 73COMMON

Download Yara Rule

Strings

C@l^, xrefs: 06EB4F09
aq, xrefs: 06EB4F5D

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID: aq$C@l^
API String ID: 0-4182290387
Opcode ID: 6a7b36a91b7c2bb61e8d02b85290537208a181a8dfd0b62b3a97931746a65cc7
Instruction ID: 199f4bc30bc972edf012faf9b55bafb06ecfde176fd51b4f1af3026c8a2776fb
Opcode Fuzzy Hash: 6a7b36a91b7c2bb61e8d02b85290537208a181a8dfd0b62b3a97931746a65cc7
Instruction Fuzzy Hash: EA313830D00309CFDB45EFA4E5947EEFBB2FF44300F14A628E4416A299DB749886CB51

Function 0508C198 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0508C20C

Memory Dump Source

Source File: 00000003.00000002.3219809788.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5080000_csc.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 0c90fce4aaf12433130366f80c4c3b52a58e3f900407e54eb2a1af6ed157ed20
Instruction ID: 61fa2d21ad6c2dd08366e34196998076195871c0dab7ceb8d4ff20dccc055cfa
Opcode Fuzzy Hash: 0c90fce4aaf12433130366f80c4c3b52a58e3f900407e54eb2a1af6ed157ed20
Instruction Fuzzy Hash: 7611E371D003499FDB20DFAAC484BAEFBF4FB48324F14842AD459A7250C775A945CFA1

Function 06E8ABE0 Relevance: 1.4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

pq, xrefs: 06E8AC90

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID: pq
API String ID: 0-153521182
Opcode ID: 4358d824dfcd4c68a5fe24d67e5d943ba836749d042b2710ce727717bbd1ec1e
Instruction ID: bf74d84655d4c2eae2a185048c10d56612941685c2846f25fc42e4921668586a
Opcode Fuzzy Hash: 4358d824dfcd4c68a5fe24d67e5d943ba836749d042b2710ce727717bbd1ec1e
Instruction Fuzzy Hash: 55515176600104AFDB459FA8D804E59BFB7FF8C3147198098E209DB372DA36DC62EB51

Function 06E85CF8 Relevance: 1.4, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

Teq, xrefs: 06E85D62

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID: Teq
API String ID: 0-1098410595
Opcode ID: b5e2b478516ed7c27c849957a65e997230e5051dc5977ff6e99b3f4a7fc7470e
Instruction ID: 52aaea37bdf29261939129a7aa0312acee4ff5545d43cd81a32905f919687db6
Opcode Fuzzy Hash: b5e2b478516ed7c27c849957a65e997230e5051dc5977ff6e99b3f4a7fc7470e
Instruction Fuzzy Hash: 5751B130B00305CFE7C4EB19E558BAA7BA3EB88305F256069D50E9B7A1CF749886CF44

Function 06E8B483 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

(q, xrefs: 06E8B4E0

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID: (q
API String ID: 0-2414175341
Opcode ID: dff1236650695c00b2b1645d9b65ae16859282b60524d97954c6633ef01927e4
Instruction ID: 17df8c4da9c10c3501f0b974e6b37d83b311d3d33df6c145f42313d1617121e3
Opcode Fuzzy Hash: dff1236650695c00b2b1645d9b65ae16859282b60524d97954c6633ef01927e4
Instruction Fuzzy Hash: 3A3124353053415FEB156FA9E840AAE7BA6EFC9260B14403AE909CB351DE759C02C7A1

Function 06EB6570 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

(q, xrefs: 06EB65D0

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID: (q
API String ID: 0-2414175341
Opcode ID: 38adbe820377c5e9e232aa4eb8a3a8b47d4de03612b7a2bd560f540f926a45be
Instruction ID: 85d5a674de99f791eb3d6aa96c5306d36885bc4107c431510f90b845c0682c28
Opcode Fuzzy Hash: 38adbe820377c5e9e232aa4eb8a3a8b47d4de03612b7a2bd560f540f926a45be
Instruction Fuzzy Hash: 2821E431B002158FC758DF79A804ADFBBF6EB89610B14862EE509D7394DB30AD06CBA5

Function 06E8F687 Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

p<q, xrefs: 06E8F6D2

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID: p<q
API String ID: 0-3896934649
Opcode ID: 2067f6ffd1ae4a50ecd517dd2ab1c6cb7235137679fca3d3b657896d2493b70c
Instruction ID: 47b99223f181ee226e25dfd4607f564e75f649db85ab511401ac92a471d6ebdf
Opcode Fuzzy Hash: 2067f6ffd1ae4a50ecd517dd2ab1c6cb7235137679fca3d3b657896d2493b70c
Instruction Fuzzy Hash: A521CC303002849FCB559F2AC844AAA7BEAFF8D354B1540A6FD98CB2B1CA31DC51CB60

Function 06E8F698 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

p<q, xrefs: 06E8F6D2

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID: p<q
API String ID: 0-3896934649
Opcode ID: 9c77b61319054e561204c294329cd9384ab764ad50e8ec7100d1d882674f1c06
Instruction ID: 6e6ff5ded7f1c4df021e166ebf485294b3371c74080644ac7b22bbd0e736a810
Opcode Fuzzy Hash: 9c77b61319054e561204c294329cd9384ab764ad50e8ec7100d1d882674f1c06
Instruction Fuzzy Hash: B2218E303002549FDB55DF2AC840EAA7BEAAF89344F184096FC58CB3B1C675DC51DB60

Function 0508C348 Relevance: 1.3, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 0508C3AA

Memory Dump Source

Source File: 00000003.00000002.3219809788.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5080000_csc.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 07ed6e0ae1c64cdb5369aea024c8b2065f83f00b0a5495d9e8870d802d911f00
Instruction ID: 88e3bbec4bd1020dec95a9a63d65566cbb8aa0088a0ad9b618fccd3b593157c5
Opcode Fuzzy Hash: 07ed6e0ae1c64cdb5369aea024c8b2065f83f00b0a5495d9e8870d802d911f00
Instruction Fuzzy Hash: C1116A71D003488FDB20DFAAD4457EEFBF4EB88324F108419C459A7240CB75A941CFA4

Function 06E8153D Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fdbcc1d0ab38e9b819a325e14cf53480006cd82ff6123ec1d15a5ac46383be5
Instruction ID: 9637f4b1405905021842d07ac8c62f1f2bebf2b143c1137e2d07da2edd8159cf
Opcode Fuzzy Hash: 6fdbcc1d0ab38e9b819a325e14cf53480006cd82ff6123ec1d15a5ac46383be5
Instruction Fuzzy Hash: ADA19E34A003459FC754EF69E994AA9BBF2FF88310F15856DE409AB3A1DB31EC41CB94

Function 06EB27EC Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e48eef06a171ccb6857ca5acbc18b53a076c66a07f4d62423c218b3676348a02
Instruction ID: 311b954511c8f0a44ab03ff05c00c7154cc7e0450e50e87a8b395ad0513cb6ec
Opcode Fuzzy Hash: e48eef06a171ccb6857ca5acbc18b53a076c66a07f4d62423c218b3676348a02
Instruction Fuzzy Hash: 07B17C70E00309CFDB50CFA9D8817EEBBF1AF48318F14A529D958AB254EB749985CF91

Function 06EB1BD7 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 363d0ed039f68aaad4f414f3e523774f30402aac4bf3dfc6513f16884ae3f13c
Instruction ID: 4a43ecbd8945fd023aa7c1335dfdffb29f8e22ea0d442ac270f530f2367a4744
Opcode Fuzzy Hash: 363d0ed039f68aaad4f414f3e523774f30402aac4bf3dfc6513f16884ae3f13c
Instruction Fuzzy Hash: 0C919070E00309CFDB60CFA8D9907EEBBF1AF48368F14A529E404AB254EB749845CF91

Function 06E8C318 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffedbc62a9c3a521532e46d4774a8d97173835578a99a6f39987b4eb9cd3dba5
Instruction ID: 8a0cf569dd02f6e65894282547b44ad7540df9da141dd7a0727dfc9ce92754bf
Opcode Fuzzy Hash: ffedbc62a9c3a521532e46d4774a8d97173835578a99a6f39987b4eb9cd3dba5
Instruction Fuzzy Hash: 7F819D35A013049FCB05EFA4E598AADBBF2EF89711F204069E919EB390CB75CD41CB60

Function 06E84FE0 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74418dfd7cb7b2196defdaa2e59fb5b945792c67731de6f0669cb57f95c14763
Instruction ID: 20f8cc4d32fafa9c63f353235d3fe5d0893cf624545f23009f0ffe7c2a490f14
Opcode Fuzzy Hash: 74418dfd7cb7b2196defdaa2e59fb5b945792c67731de6f0669cb57f95c14763
Instruction Fuzzy Hash: 4A819C30A18301CFE794AB24D5587AD7BA7EB50309F006578E00E8B652EF7D9989CFC5

Function 06E84FF0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b8ab9895e68621a8bdc250c52a3feb51fbd1032b86999d05d58622d9edddf5
Instruction ID: 8b48c811fe40b8d2b7d86d4eaa8688f0adf858fb5cda8daedf73fc4a17acf3c9
Opcode Fuzzy Hash: a4b8ab9895e68621a8bdc250c52a3feb51fbd1032b86999d05d58622d9edddf5
Instruction Fuzzy Hash: 24716A30A14301CFE794AB24D1587AD7BA7EB50309F40A578E40E8B256EFBD9989CFC5

Function 06E814F8 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31e7702c4bdfc4e54e1898b68b137d3dafb50c86e0626706b6f43e2b48e7971f
Instruction ID: 6d6c607e95cef4d5f30a116cf3ac0e58ea511cfd8cb48dab4dd1f859807deb43
Opcode Fuzzy Hash: 31e7702c4bdfc4e54e1898b68b137d3dafb50c86e0626706b6f43e2b48e7971f
Instruction Fuzzy Hash: AC81A434A017419FC754EF29E584AD9BBF2FF49320B15865DD41AAB3A1DB30EC42CB94

Function 06E90CC8 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220510470.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a63c033176a6aa65c7b7ba2c04cdacd503d650ce963cc2d3daf02f3c9f22f2eb
Instruction ID: c8ff4d46f90aaa0a7a1c06424cd422274ec783674501e41fb55057dc7cb2d4ff
Opcode Fuzzy Hash: a63c033176a6aa65c7b7ba2c04cdacd503d650ce963cc2d3daf02f3c9f22f2eb
Instruction Fuzzy Hash: D9516C307003418BEB442A9AD49876FA2EFAFD5704FA4813DA706CB698DFF19C4587B5

Function 06E81548 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f811d343b74c724ba1da661ae36d0ae77e2c6a599ac2a3a758aefbeddd7ff46
Instruction ID: c387db28f604195772c592841823733314584d3386e231090e603db321bf12bf
Opcode Fuzzy Hash: 2f811d343b74c724ba1da661ae36d0ae77e2c6a599ac2a3a758aefbeddd7ff46
Instruction Fuzzy Hash: 40615B74A007058FC754EF29E588A99BBF2FF89350B15856DD409EB3A1DB31EC41CB94

Function 06EB550A Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6109c79fc21ce3981ee41b837000fd1921977fac514a43b5531d9c75b19caf50
Instruction ID: c2528ddf14c9191a1f6c7071c0eda9452476593c55b26e7b4f456c6808f46810
Opcode Fuzzy Hash: 6109c79fc21ce3981ee41b837000fd1921977fac514a43b5531d9c75b19caf50
Instruction Fuzzy Hash: 2C613B30A15305CFE7A0CF55D288BEABBB3FB44305F24B169C5129B656D3789896CF84

Function 06EB55F6 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 698b4cc81a150a42b5557d15b2e197d7db9024d97cd8db3792931373b49281e8
Instruction ID: 789eac24a03f9937f86357287bbd3509532b884cf690b91fa054a2c2eaf32773
Opcode Fuzzy Hash: 698b4cc81a150a42b5557d15b2e197d7db9024d97cd8db3792931373b49281e8
Instruction Fuzzy Hash: 63614B30A15305CFE7A0CF55D288BEABBB3FB44305F24B169C5129B256D3B89896CF84

Function 06E855A8 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b15a5e13bab725096d41914632915faeac067537863a9832c2a235eed412501
Instruction ID: 949d9aabb4564b8a56761103cea80f342cded4aa454d7d8a30ff5306a1ff235a
Opcode Fuzzy Hash: 3b15a5e13bab725096d41914632915faeac067537863a9832c2a235eed412501
Instruction Fuzzy Hash: 654109747186108FCB896B74E62E26D3FEAEB986027105469E84BC7395DF3C8D43CB46

Function 06E853A8 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad49160824caadef0740847e8cdf24e3e4dafcc01b8bd8e63770f379ea979dbe
Instruction ID: 104784a8fbc06c85ebbb245bb543a111faa53563b4f632dbb8d26a3f4cec861a
Opcode Fuzzy Hash: ad49160824caadef0740847e8cdf24e3e4dafcc01b8bd8e63770f379ea979dbe
Instruction Fuzzy Hash: 2541E9747182118FC7896B34E62E26D3EEAEB89702B105469E84BC7395DF3C8D43CB46

Function 06EB64A8 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efc6be8097d5b3a5ff2332b5f89ced8175d0cf6234a9a6249d63de47c0610226
Instruction ID: d0fb22e1fa5313cfe6cefe732bfcaf2a6bd0464552a7f72aff1237d21c41e11f
Opcode Fuzzy Hash: efc6be8097d5b3a5ff2332b5f89ced8175d0cf6234a9a6249d63de47c0610226
Instruction Fuzzy Hash: 6541AC31A017448FC764CF29C984A9BBBFAFF89710B15896AE489CB752DB30F801CB50

Function 06E8C638 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af8b0a415ddb3c5efd6714f42b83af193821f344fcafea930e4212c20e99c03a
Instruction ID: df3c4243b56c728c2927e8f416e5eb867ca79b3cff7ce6887549b00b2f35e09a
Opcode Fuzzy Hash: af8b0a415ddb3c5efd6714f42b83af193821f344fcafea930e4212c20e99c03a
Instruction Fuzzy Hash: 67416034A00305DFDB54AB64D854BAAB7F6FB89B14F249429E5199B380DB71E841CB60

Function 06EB7548 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e2199bf091041b75c02935ea3c4567d4ff4a0d34922a1ea1492ccfca7631997
Instruction ID: 7b2dae8c76da3730c6758dd786880c36573e3fa7a25af31673a04fb55b685532
Opcode Fuzzy Hash: 9e2199bf091041b75c02935ea3c4567d4ff4a0d34922a1ea1492ccfca7631997
Instruction Fuzzy Hash: 65414930E16302CFEF94CB19D544BEB7BA2EBC4304F14B069D5169BA99D738D942CB58

Function 06EB5A81 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 811e45de0fc32e3920b0b26444a08806111fecd47401b75ada01fb304d4b4676
Instruction ID: 60bb2effd4ca37e9d160c3c4058a5859fb7a29fb3aaa9321ac2c26953cb40437
Opcode Fuzzy Hash: 811e45de0fc32e3920b0b26444a08806111fecd47401b75ada01fb304d4b4676
Instruction Fuzzy Hash: 4141CC34A04300CFD750CF64D988BDABBB2FB88310F24A56AD505AB6D5CB75E881CF54

Function 06EB3B21 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3af6faee2a8dace27482dd56488f311530bfdebe2c5ee00b8037c523a225fd28
Instruction ID: 3bd09cbc4d84f4dc6f6227bfd780eb3f426a31d656c087140c6584b6aed27f6b
Opcode Fuzzy Hash: 3af6faee2a8dace27482dd56488f311530bfdebe2c5ee00b8037c523a225fd28
Instruction Fuzzy Hash: 9141B230A00701CFEB94DB24D69ABEB73A3EB44305F25B178C015AB259D7389889CF18

Function 06E85F78 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6e41725fbc804e25f3646d9f293ecd15805ce7cb6b2722d31429d46402f46cc
Instruction ID: 58580cf4ac40dde748d81c354fb9113eb408991c99ed4c535557bf8219384627
Opcode Fuzzy Hash: e6e41725fbc804e25f3646d9f293ecd15805ce7cb6b2722d31429d46402f46cc
Instruction Fuzzy Hash: C6316D31E153549FD361AB78D804AAA3BA9DB41330F1546B5E45DE72C2DB30CC41C7E2

Function 06E8C7C8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b5fca0be156c7cc4b29e9c7e5aeaaec1a958fac6bddc25926fac44dd566dd24
Instruction ID: 602e0bc2672566e1c67ac66a7ce108557852d97c4d5ed97a4d7f547e503f52bb
Opcode Fuzzy Hash: 6b5fca0be156c7cc4b29e9c7e5aeaaec1a958fac6bddc25926fac44dd566dd24
Instruction Fuzzy Hash: CE415671E003158FDB94EFA9D844ABEBBB1FF89704F20802AD549E7291D734E945CBA0

Function 06EB5AB0 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c46369ad4894d3dd46159a89d25378b9a3a82ecf6252c88906652a5f2731fbb
Instruction ID: 51b3a5b02c49d242ec001ed8b9b55ecf87846657dbb81dd92aa4e864ac1883fd
Opcode Fuzzy Hash: 1c46369ad4894d3dd46159a89d25378b9a3a82ecf6252c88906652a5f2731fbb
Instruction Fuzzy Hash: 8C415934A04300CFD750CF65E988B9BBBB3FB88311F24A169D5156B695CB75A881CF54

Function 06E8B5E9 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1af5530ecf0f54248fbf2cc178798fceba9787617d53ed1158ae58fa84bfdbcb
Instruction ID: d2cba87b28b86d5e0de70a1f16fe242fd685a046faee2c707029d9077b09ab48
Opcode Fuzzy Hash: 1af5530ecf0f54248fbf2cc178798fceba9787617d53ed1158ae58fa84bfdbcb
Instruction Fuzzy Hash: 4B31B071600B418FE770EF26D484756BBE2AF84314F14DB2DD49E8B6A0EBB0E484CB51

Function 06E8F020 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3250c37bdc6962734135af02c85d140629f3c854c8338d62b46783ae5b259077
Instruction ID: b5e0294d1171e4152dcaed3941f5b346bb52f4ba9b90363360fd06d840bd125a
Opcode Fuzzy Hash: 3250c37bdc6962734135af02c85d140629f3c854c8338d62b46783ae5b259077
Instruction Fuzzy Hash: 62318B30B003049FC765BF65C85496EB7B6EF85244B10996DD85A8B361DB72E846CB90

Function 06EB0040 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25808ad48abd23a80f1d9382ba09063a43a63eb9c2210e31973c9baedf847cd3
Instruction ID: 4a50dcb36ed393467f7cd28fbf072c08820f7dc47e34afba7908eaba08246ef6
Opcode Fuzzy Hash: 25808ad48abd23a80f1d9382ba09063a43a63eb9c2210e31973c9baedf847cd3
Instruction Fuzzy Hash: 9441CEB1D00349DFEB14DF99C884ADEBBB5BF48314F148429E819AB250DB75A94ACB90

Function 06E8A1A0 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ea82bca0282fba643d3511355e1a9b1a0026a95a983a9c135507ab0a6a4bb6c
Instruction ID: d0aa6bf7cafa9d394c9ceac185643473d19db85352ba8d519c9e3b5f34b013b6
Opcode Fuzzy Hash: 9ea82bca0282fba643d3511355e1a9b1a0026a95a983a9c135507ab0a6a4bb6c
Instruction Fuzzy Hash: ED31D334A00309CFDB64EF59E548BE977B3FB88304F14917AD10DA7291C77A9885CB44

Function 06E8A1B0 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3b3a18be476756ddc19f4e666ff8aab8e3661355fa6c59e6f80ace2bafacb72
Instruction ID: 7758dc858bb487068cbd57d4fc2615573272008dc746e0d43103828a369abeca
Opcode Fuzzy Hash: e3b3a18be476756ddc19f4e666ff8aab8e3661355fa6c59e6f80ace2bafacb72
Instruction Fuzzy Hash: 8931A030A00309CFDB64EB5AE558BE977A3FB88304F14907AD10D67655C7BA9885CB54

Function 06E85B08 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce5b70e276a42a4aa9dcfa16080b2432e157de62ccfcbcf516211c30b40f9033
Instruction ID: 77a8e61b2f11441f790a1089986df2401b24c7aadbd0f195a90cb824f96114a7
Opcode Fuzzy Hash: ce5b70e276a42a4aa9dcfa16080b2432e157de62ccfcbcf516211c30b40f9033
Instruction Fuzzy Hash: BD315671A01305DFDB84EF68C959BEDBBB2FF48304F248069E40AAB261CB759945CF90

Function 06EB76EF Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cc68d3decd3b73c03dfcd38b0c93ddc71e68ee8e601e0389d90c71a9602018f
Instruction ID: 6b0b2abcea675f70e61e3e253a5e53fde15256c4762e0c8e071ab82603182e1a
Opcode Fuzzy Hash: 0cc68d3decd3b73c03dfcd38b0c93ddc71e68ee8e601e0389d90c71a9602018f
Instruction Fuzzy Hash: A4316A30E16302CFEF90CE19E644BEB77A2EBC4304F09B069D5265BA99D734D881CB59

Function 06EB7648 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b827325d588d97de4fc93e3aa22ce6b5a68216738ed9b4d7d4f33a56dc396b6b
Instruction ID: 1a0aa66cd90805c9592a86eeb7fe7480c68cd8da9e6c9715856b5800fae1ac4b
Opcode Fuzzy Hash: b827325d588d97de4fc93e3aa22ce6b5a68216738ed9b4d7d4f33a56dc396b6b
Instruction Fuzzy Hash: 56315830E16302CFEF90CA19D544BEB77A2EBC4304F09B069D5255BA99D734D881CB58

Function 06E8A17C Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fd289daaf1c140981dc5dd8f510cce84b8a458af7b10f454d2a02364e58d80f
Instruction ID: 624080010cc183acc258c83bcd33e48ae7b62c61fb28d2697f6b9b3708888b4c
Opcode Fuzzy Hash: 3fd289daaf1c140981dc5dd8f510cce84b8a458af7b10f454d2a02364e58d80f
Instruction Fuzzy Hash: E331C030A01309CFDBA1EF59E558BE977B3FB84304F1890BAD10C6B256C77A9888CB54

Function 06E89F20 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac1fc2b7eded06591f8e518d09082dcb07e4c7cb2a99528052c5c8157501a022
Instruction ID: d50adb12c061fb9cf289caca499232cac119e8a2d2180ca137e5203fd97180bb
Opcode Fuzzy Hash: ac1fc2b7eded06591f8e518d09082dcb07e4c7cb2a99528052c5c8157501a022
Instruction Fuzzy Hash: 6B2129317053945FE305E7799C65BAF6BAEAF8A240F1944AEE049DF393CD64DC0187A0

Function 06E8EAF0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02ebcb396f5b9a381c261af24b47d2e2ed1e3703935554e83397e183423386df
Instruction ID: ee9513c000371e4c7e700d1359a837608a873794b09b3790f409119dd0b0c920
Opcode Fuzzy Hash: 02ebcb396f5b9a381c261af24b47d2e2ed1e3703935554e83397e183423386df
Instruction Fuzzy Hash: FB212771E00319DFEBA0EAA8C504BEABBA5AF44254F108066D91ED7294E634CA50CB91

Function 06E8B390 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d67501ff8951b4d39181e552ee3321c1be5249ed10eb97cf54f9bcb4205041fe
Instruction ID: 3fe0841fbd8ca3b998edf48c89926fbcee7718631def1ce5d481c9b409fa7feb
Opcode Fuzzy Hash: d67501ff8951b4d39181e552ee3321c1be5249ed10eb97cf54f9bcb4205041fe
Instruction Fuzzy Hash: 33218135A00209DFDB159F68C4449EE7BB3EFCC320F148229E916A7390DB759846CF91

Function 06E8A911 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43c984f762153a2cda7ef4b3ab1955056ec333144e8d9460fcf6e187bea836bd
Instruction ID: 9e95671d257b42e2207684410c3de81b50aeb79e7b51df47dc8cfb4ff8e18e89
Opcode Fuzzy Hash: 43c984f762153a2cda7ef4b3ab1955056ec333144e8d9460fcf6e187bea836bd
Instruction Fuzzy Hash: 6A21C2306103059FDB54AB68E85979EBBAAEB88300F00863DD55ADB340DBF598418BE5

Function 06EB4D50 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e457a056e80e6f384fdd0bf8eba208bcef73d1346ad0674318934d07180d4591
Instruction ID: 4bcf77c5d164010ddf42a686f5599ceeb47b4100e8735f9e35b8264e22bb8e39
Opcode Fuzzy Hash: e457a056e80e6f384fdd0bf8eba208bcef73d1346ad0674318934d07180d4591
Instruction Fuzzy Hash: 22113B72B053919FCB026774E8607ED3FB19B86211B1410ABD145CB286DF38D446C781

Function 06E85D6B Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e23426005df25081ecacfa64519604368dab7f3273aa00e91a93006a1b622925
Instruction ID: 757098976201232132e3d253648d801884c143ba111ea3bbef8e0fab6ea82e63
Opcode Fuzzy Hash: e23426005df25081ecacfa64519604368dab7f3273aa00e91a93006a1b622925
Instruction Fuzzy Hash: C4215330A00305CFE7D4EB15D95C7AA77A3FB88305F246469D50E9B695CF785886CF48

Function 06E8B3A0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c53e783b882405272f8386a63dfa5f469d561bb2344d709e4a10a35981cfddc
Instruction ID: 0bfd27db2f2018ac6eecdf2bfcd6b9c3f95a109710551a075b42a809f096ef6d
Opcode Fuzzy Hash: 9c53e783b882405272f8386a63dfa5f469d561bb2344d709e4a10a35981cfddc
Instruction Fuzzy Hash: 2E214F35A00209DFDB15EFA4C4549DEBBB7EBCC320F149129E915A7390DBB59846CB90

Function 06E8A01F Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cb33186495ba367125ecf35c714cf6d9419374b3e6d6d1cd8b3d094fd8dee96
Instruction ID: a9ec1176fab97aab81ddd7f484280a7f75f3cdab902420261378aa905d6f8f6b
Opcode Fuzzy Hash: 6cb33186495ba367125ecf35c714cf6d9419374b3e6d6d1cd8b3d094fd8dee96
Instruction Fuzzy Hash: EB11BE31A053018FD395DA19D984BA6B7E7FB88304F15A0BAD10D8B262EB79AC85CB44

Function 06EB3548 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b319871b3cbe054cd4b735e16921465c1300e65677c91fbe964ee2428cc2e24
Instruction ID: 53e452246e99813b806587f459d91c579de8eb2f726ff4336a1315357b16d921
Opcode Fuzzy Hash: 0b319871b3cbe054cd4b735e16921465c1300e65677c91fbe964ee2428cc2e24
Instruction Fuzzy Hash: 9121F270B01301CFD785EB64E659BEA37E3AB49300F852069D11AAF792CB34DC49CB09

Function 06EB5D9E Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aa205ee6b31b783649999db93d7f83413c1155cdeae8636c79d2a9b38a2f6c5
Instruction ID: 4e3983c17502f8d393d63d6d8e871d49035e1e5d59093d84947e56904cdd3156
Opcode Fuzzy Hash: 6aa205ee6b31b783649999db93d7f83413c1155cdeae8636c79d2a9b38a2f6c5
Instruction Fuzzy Hash: E211BE36A052549FDB169F24D8586EE7FE2AF89310F10449AE902AB381CB755D06CBA2

Function 06E8A030 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e06d6bfcc053755e9f7f0d40c6fabe4aa45c5bc3cadcf4e504526cb0949fc4a
Instruction ID: fffd57d4db57aaf572a52099e56be3e1ab84e6438c7ac9a02bdbb1c091ad7376
Opcode Fuzzy Hash: 9e06d6bfcc053755e9f7f0d40c6fabe4aa45c5bc3cadcf4e504526cb0949fc4a
Instruction Fuzzy Hash: 6A11C1317002048FD394DA0ED948B97B7E7FBC4318F14A07EE00D8B265EB75AC85C644

Function 06E8BD41 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 379ea222456ccdc38172f1a9d9e46870642d96aa618eeb37b01a6d72dbe65f0b
Instruction ID: 150451bbaab9ea9a397f1615ac27240adf66e82dd53134b7916413efb6def020
Opcode Fuzzy Hash: 379ea222456ccdc38172f1a9d9e46870642d96aa618eeb37b01a6d72dbe65f0b
Instruction Fuzzy Hash: 3111A331B10305AFDBA5AF698840BAE7BF6AF88711F144069E959DB380DB71C901CFA0

Function 06E8B991 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e43a711ef9da371deded4cc609930e28944a352879e16010b8ab429bff84a12e
Instruction ID: a255e6c0f8f81d0386ee17ed54556e7b43093789bc12a9bea0c0146cf8da157a
Opcode Fuzzy Hash: e43a711ef9da371deded4cc609930e28944a352879e16010b8ab429bff84a12e
Instruction Fuzzy Hash: 96118436344354AFD7019E18EC85FAA7BAAEFC9B21F10806AFA15CB2A1C6B1D815C750

Function 06E8BD50 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 697cdbab642a206e7328fb3f00e38b354adecd915679ea8da9b45790ab4608e8
Instruction ID: 24cd4ff94efc55d971c4c25cb7261c9f05c29f9349df1d87b31ad94ca353fe88
Opcode Fuzzy Hash: 697cdbab642a206e7328fb3f00e38b354adecd915679ea8da9b45790ab4608e8
Instruction Fuzzy Hash: 5A118231B10345AFDBA4AF6988547AA7BF6AF88700F144069E919DB3C0DB71C901CFA0

Function 06E8BAC1 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75339ba1a7c3c32c4929a3bbc19511f01db32a9941e1e5e98bb49881f6528627
Instruction ID: 0edf008e9087c6d224be90a14963b221e58439834f869047ca5a3039125e83be
Opcode Fuzzy Hash: 75339ba1a7c3c32c4929a3bbc19511f01db32a9941e1e5e98bb49881f6528627
Instruction Fuzzy Hash: E4218E78A02219EFDB04DFA8D594EADB7F2BF49300F204058E80AAB364DB74AD41CF50

Function 06EB4CC8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53f3cebc9b5da332531ad7aa98d5f70c7c2af439eff679ccb1cd40ba31dba86c
Instruction ID: bf8759f0cdfa5155845d5a15593cf55ae27f06854ceed628b561527ad4b17488
Opcode Fuzzy Hash: 53f3cebc9b5da332531ad7aa98d5f70c7c2af439eff679ccb1cd40ba31dba86c
Instruction Fuzzy Hash: 2F01A271B063A04FCB563774442536E3BA26F89311B2408BED9468B281EE3DC88687C5

Function 06E307F0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220390243.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e30000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc9238f718b8f4cccf41fd5209da68d3f45b8b5e7723cddc395f7d151a5540dd
Instruction ID: 05d714f4e70a40b83414f9816ad8e79f98507a605095ddc13033701f98b368d3
Opcode Fuzzy Hash: dc9238f718b8f4cccf41fd5209da68d3f45b8b5e7723cddc395f7d151a5540dd
Instruction Fuzzy Hash: AFF0F432D09378AFE7558A669809AFBBBAADF85210F05807AE809D3201E67049119AD2

Function 06EB4CD8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfdf9387bff46235ac5a982c581fdfcc85fec8e60d71434932fe94cf4a5ba31f
Instruction ID: d1853195654a090154d7027b2d39a43328de9085310ad8613a22b48b5d0577f5
Opcode Fuzzy Hash: cfdf9387bff46235ac5a982c581fdfcc85fec8e60d71434932fe94cf4a5ba31f
Instruction Fuzzy Hash: 0CF06231B023A15FDB66377854243AE3AE66FC9311B24087DD9468B385EE3AC88687C5

Function 06EB5DC8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca2ce95d1695a7b448078b3d4b77a7233697cd24ef626ca4320e6a30b04ee69c
Instruction ID: 97853c457cb7da00da105544bad7ccd6c10c9845b453735d3caf833f6e938917
Opcode Fuzzy Hash: ca2ce95d1695a7b448078b3d4b77a7233697cd24ef626ca4320e6a30b04ee69c
Instruction Fuzzy Hash: 6E015E35600218DBDB155F65D9186AEBBF6EB88710F108469E902A7390CFB55D05CB91

Function 06E8A001 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa064f52ab5002efafe74078e1545db8b73947fa5020f7e0427a483257a5cda8
Instruction ID: 8cab8f14277972318b0e628c38a43110a85029f065ef294c5ae72675385f13f6
Opcode Fuzzy Hash: aa064f52ab5002efafe74078e1545db8b73947fa5020f7e0427a483257a5cda8
Instruction Fuzzy Hash: C7F090317043544FE30896355C50B6E6B9BAFC5610F1844A9E10ADF2E6CDA1D8018290

Function 06E82C5A Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6924babed1dccb91c36fef5d84f1b6caa6f46758032ad784098dd601dce2f4de
Instruction ID: deed6bcdbd09d14b0e615693cfc6bc7023d41357743fdc0e12f61f1ff0e56543
Opcode Fuzzy Hash: 6924babed1dccb91c36fef5d84f1b6caa6f46758032ad784098dd601dce2f4de
Instruction Fuzzy Hash: 8911C535F00715CFDB88EFA4D884AADB7B5BF49280F1150A9E619AB361DB31AC41CB81

Function 06E8ADC9 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8d81dbd95cdba8ae724a06c7632cf36eb1cb2b51505ead7be592ce4a44bfcca
Instruction ID: 00743c54911923e7c77a7d65f05a2612d99b051401e73246f32a2255ffb16466
Opcode Fuzzy Hash: e8d81dbd95cdba8ae724a06c7632cf36eb1cb2b51505ead7be592ce4a44bfcca
Instruction Fuzzy Hash: 1DF0F632F042216FE31456189800B6BB7A6EBC8214F14403AD909AB391CAB29C82C7C0

Function 06E8AE28 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bad4edbb067ad39c87d14471e491eeecba4baaa23b1d61e2492310756273063
Instruction ID: 91b4670e3b3b4de0c408b4bd730a7a2f50085beb73b3f109ab37c919672eff01
Opcode Fuzzy Hash: 5bad4edbb067ad39c87d14471e491eeecba4baaa23b1d61e2492310756273063
Instruction Fuzzy Hash: 27F02462B0D3D14FE35227385810326BBA19BC6209F0884ABC58ACF2E2D986D882C381

Function 06EB3E51 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49873a1fd045a61cdabc431fa397ee79a60b4c4ed95a814b800bcc4b2f58c081
Instruction ID: bf16f96fa178c8cb4f03ca38c029c49d9bcdce8c8a2657e7d81ab0986e685daf
Opcode Fuzzy Hash: 49873a1fd045a61cdabc431fa397ee79a60b4c4ed95a814b800bcc4b2f58c081
Instruction Fuzzy Hash: D8F0F635B002148FDF84EAB8E5197DD37A1EF88302F04086ED006BB752DB399909CB95

Function 06E81889 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02687b1bdc187f57e8596db56717ea40f655c34d07536d3274e800bf6b992d9c
Instruction ID: b38d71abcfbd69e666602e3ab458dc970f21f0f4f4993c654a7aaccbfab5dadd
Opcode Fuzzy Hash: 02687b1bdc187f57e8596db56717ea40f655c34d07536d3274e800bf6b992d9c
Instruction Fuzzy Hash: 63F0A7313043241FD34826A56C5ABEB578EABC5550B1D856FE00ECB291CCA58C0183A0

Function 06E30800 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220390243.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e30000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49353b2afa80577e7bce7d8ba2e383249dcc3bb48a99b185c50f6daa224dd4a2
Instruction ID: 6f3a9929b8f6855979703c9a47955f5d387ec0e21f1e144cf11975465e46be14
Opcode Fuzzy Hash: 49353b2afa80577e7bce7d8ba2e383249dcc3bb48a99b185c50f6daa224dd4a2
Instruction Fuzzy Hash: 33F08232E042789BE794DFA6940C6BEF7AADF89711F06C07ED909E3201D77199119BC1

Function 06E8D190 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78a89a4d5c655de5cf1c65c12f19fb3f29a81f27c61cffd93fb105f655b478d0
Instruction ID: f265551ce737f62ec33ade29db95e40af318797b7b5e9aaefb8c5c80e7062cf5
Opcode Fuzzy Hash: 78a89a4d5c655de5cf1c65c12f19fb3f29a81f27c61cffd93fb105f655b478d0
Instruction Fuzzy Hash: D7F0E931A04318AFDB0BDFA8D8586DDBFB2DF85214F04C49BD449D7281DB701A84CB40

Function 06E891E7 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8f3ddbbbaf1e61cd9e5c0554ed2dc54991a1e080b522b1fd92d91a158a5e684
Instruction ID: f96bcfa74ffdf959a1a31fddb3d3a2ccc0619b24a27d3bf39c6ffa429fa2f92e
Opcode Fuzzy Hash: f8f3ddbbbaf1e61cd9e5c0554ed2dc54991a1e080b522b1fd92d91a158a5e684
Instruction Fuzzy Hash: CEF04931B002108FE795BB68E069BAC3BE9AF88250F4551B9E45FE7391DE388C02CB55

Function 06EB3E60 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 609010b043665cec48406688ce39c3e1e0fbd4e9728179d8c228ae7272b878fe
Instruction ID: bbdc0f39beddb5614096a373f6d999f1a9894ac007341f7b5c0b902d96cbdee9
Opcode Fuzzy Hash: 609010b043665cec48406688ce39c3e1e0fbd4e9728179d8c228ae7272b878fe
Instruction Fuzzy Hash: C5F0BE31B002288FCB80EAACE819ADE7BA5EF88300F40146AD105AB750CB39AC05CB95

Function 06E81898 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7fa2681d80d1520848d75168deced32cbd615206b28e6ceb2538c4a8cf2f9ff
Instruction ID: 93afbd624269dafe4590ad9c75220c63bc8d401411933b178d6bb777502a828f
Opcode Fuzzy Hash: c7fa2681d80d1520848d75168deced32cbd615206b28e6ceb2538c4a8cf2f9ff
Instruction Fuzzy Hash: FBE048213003281BE718366B6C59BBF958FEBD5A60F18C53EA50EDB795CCA5CC4103E5

Function 06EB4020 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e3e3d1b1548be9bd14f87a3d91d30ac6fc4a3aace4a7e992b74864142a0e1e4
Instruction ID: 02550395806debaa36297a9f00f595da3de01e1952d87282367df0d4cf54c073
Opcode Fuzzy Hash: 1e3e3d1b1548be9bd14f87a3d91d30ac6fc4a3aace4a7e992b74864142a0e1e4
Instruction Fuzzy Hash: 67F09A30A00345CEDF84EB74D6146EA77A1AB44215F446878852AA7286EB398906CF82

Function 06E85F76 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79fa2ccadf6a2892f5800269be52294e72912949710581d045f100a71299dfdd
Instruction ID: b6b07398bacb779a7212ef91dcd1fa48c958cdb50dcc8b410a035e7f6758d27c
Opcode Fuzzy Hash: 79fa2ccadf6a2892f5800269be52294e72912949710581d045f100a71299dfdd
Instruction Fuzzy Hash: 3FF0E232A003148FC7A1AB64E144F6437A8EB54319F2A501AE80CA7240CF34E881CB91

Function 06E308F5 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220390243.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e30000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41ce732297ca9d4cd0102f4fc38a3c972188c23447691b3aad0fdbbd4a4f5c5b
Instruction ID: 00690f1eee4a5ea088a519722b2dabe43a0e98526938635c27209f67212ff193
Opcode Fuzzy Hash: 41ce732297ca9d4cd0102f4fc38a3c972188c23447691b3aad0fdbbd4a4f5c5b
Instruction Fuzzy Hash: E2F0E231909371CFE7D49B28480C2F8B7B0EF06340B052886C86657242E720E812CFC6

Function 06EB4030 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ad2f0acf7d5021a2c9ee7e079b0eda276c91699f410b882bf854d15b6d140c1
Instruction ID: 4e9e9229dd8fbb779ce0fa033cbc598aa4becd177b9f750a0fc400377f2f5259
Opcode Fuzzy Hash: 8ad2f0acf7d5021a2c9ee7e079b0eda276c91699f410b882bf854d15b6d140c1
Instruction Fuzzy Hash: 4EF01C30E00349CBDF54AA78D5146EF73A5AB44215F00687895159B281EA359406CB96

Function 06E8A858 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 150cc60eb48203089de4492ffe98e16e459d9ef4b99b81c0bbec206646a73770
Instruction ID: f089af1a612b94f0f3efa95d52ed2604020d2c97ff18068d39c02cec313227c5
Opcode Fuzzy Hash: 150cc60eb48203089de4492ffe98e16e459d9ef4b99b81c0bbec206646a73770
Instruction Fuzzy Hash: 57E09271A15349EFCB40DFA4E84058C7BF5EB56200B1145ABC949D7211D6709E40CB62

Function 06E8D1A0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08065277071aa169561fa1cb32dfd4a5143134500b47a5fa496bf74bb9188f4e
Instruction ID: 10ebbd9613ce8df615f485a309fd8b0bd909ae17fd94ea4eae712aece4ec2e1d
Opcode Fuzzy Hash: 08065277071aa169561fa1cb32dfd4a5143134500b47a5fa496bf74bb9188f4e
Instruction Fuzzy Hash: 7EF06531E04218AFDB0AEF58D8487DDBFB7EF84214F04C095D009D7280DBB01A85C784

Function 06EB4D99 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77c2b826bc1f490316b3b9286f8dc84951b1a34f33bed9a2f99ad86fe4d08222
Instruction ID: e092d80c210c180281c39b74fbe849f07867cf60319798313c3862559ad99238
Opcode Fuzzy Hash: 77c2b826bc1f490316b3b9286f8dc84951b1a34f33bed9a2f99ad86fe4d08222
Instruction Fuzzy Hash: BEE0D8316053518FC7176728F558BE57FA1EB81714B1501BBD108DB551CBB49C4BCBD0

Function 06E336A0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220390243.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e30000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 109b22cc91bf469a82574c2d8a322a44eca378b7a084eb05dff5b49c09fbc961
Instruction ID: f72acc410eca5c3306ad4613bd1471ab656c08aa0d9f2a096798845dc7ecb543
Opcode Fuzzy Hash: 109b22cc91bf469a82574c2d8a322a44eca378b7a084eb05dff5b49c09fbc961
Instruction Fuzzy Hash: F7F09238E00728CFDB94DF24D988A98B7B5BF09350F5510E9E90AA7361CB30AE80CF41

Function 06E8A89F Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e59b32e88efc88a0ee7e209424e8f4896ce096aa71c07eb031340358b41e938c
Instruction ID: 5ccd2b4f3d83b7d8fb90380249555c553f18c1b09da124b2370bf55a7bd129ca
Opcode Fuzzy Hash: e59b32e88efc88a0ee7e209424e8f4896ce096aa71c07eb031340358b41e938c
Instruction Fuzzy Hash: 9BE0D830A05348AFD745EF70AC906DD7BB2DB46204F5045D9D814DB341EA714F049792

Function 06EB2CE8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 416bbb724a63b1bc504fdb9c569162b3efde7394d6ed766b8e2142511764d7e9
Instruction ID: e5e6fd6b6151a2b6bc1dd440985e74391cb48c8ec974b9b5cfce3136ec80e93c
Opcode Fuzzy Hash: 416bbb724a63b1bc504fdb9c569162b3efde7394d6ed766b8e2142511764d7e9
Instruction Fuzzy Hash: 61E06D35D00645CFEF84DA54D6093FE77B0EF44706F00586AC619A3611C73C552E8F81

Function 06EB52B8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b57d19a84049615a27d452e754a867b97f075b2e72b448a305da0e4601494e9
Instruction ID: c76a4551153a8fe1659877bab750c989d6962535170630b81a4919adf947568d
Opcode Fuzzy Hash: 6b57d19a84049615a27d452e754a867b97f075b2e72b448a305da0e4601494e9
Instruction Fuzzy Hash: 19E06530E02344CFEB60DE46F8487DAB3B3FBC4325F04A069E11447506E7B448958A08

Function 06E81FDD Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3de0674b9e594d8cb1f25ff81a795f28c92ad6d5ef5869a4e76c85911c70ad43
Instruction ID: 6fc9c2b762b38575b23fd3a4e3651a79353df097db843d003485e4d8941984df
Opcode Fuzzy Hash: 3de0674b9e594d8cb1f25ff81a795f28c92ad6d5ef5869a4e76c85911c70ad43
Instruction Fuzzy Hash: A4F0A535B04721CFDB98EB64C844A99B3A5BF49280F1554A8CA5DAB361DB31EC42CB91

Function 06E867AD Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06ea7b5d712c948d0a0f3adebd9fcb2ef7178adf8d367fc9a22796cd827f8a8a
Instruction ID: 3d290b5a7056dd0794bd8180e2d69dd16d5ebc50d7f792d6524d6bab02248665
Opcode Fuzzy Hash: 06ea7b5d712c948d0a0f3adebd9fcb2ef7178adf8d367fc9a22796cd827f8a8a
Instruction Fuzzy Hash: DBE09230F15318CFEB707F65E1057A9371A7B84701F189138804E662C4EE7A8841CBC6

Function 06E85CB8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce028c8eb0cd5b6b0de1d62183b48c61c53682ec34ac1a4f765618c8437e70a1
Instruction ID: 48dcef8d099962f1873535689f2ccc58b5bf83cd87cd17be2429ad48783b6e6f
Opcode Fuzzy Hash: ce028c8eb0cd5b6b0de1d62183b48c61c53682ec34ac1a4f765618c8437e70a1
Instruction Fuzzy Hash: 4BE02672909345DFC701CB70DD1159D7FB4EF0A21071504EBC445CB122FA318B00CB41

Function 06E85CC8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4288f321463d3693b08a40f33ef06a13ad87e70ab77531ae865bd49185b360c
Instruction ID: 60f491bc8086705773d624aa1097b502b683206e2bc2d509a8fb49737cb29de8
Opcode Fuzzy Hash: c4288f321463d3693b08a40f33ef06a13ad87e70ab77531ae865bd49185b360c
Instruction Fuzzy Hash: FDD01232A0520CAFC750DEB4D90159AB7ACDB09115B1005E99C0DD3200FE32DA10DA90

Function 06EB4DA8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee04fdc70584dc84c7fe8fd135f2a617839fab81f1eb34f625fdba661bd97263
Instruction ID: 3eb96b5d0e99e36787fdbaa02331e9a1279ab88b03e4d7fc637621ce0aa3205b
Opcode Fuzzy Hash: ee04fdc70584dc84c7fe8fd135f2a617839fab81f1eb34f625fdba661bd97263
Instruction Fuzzy Hash: 09E0C2316003195BC7157729F508BDA77DAABC0614F040139D20897640DFB4AC45C7D4

Function 06E82CA1 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0a75104e771bd1194bd0c897325ed2466928fcd39d37851ebbcf16ff2bc3e1
Instruction ID: f70b4076d6380abc61f381f2d27f3b028be062f944d23bf7dd030e824130630f
Opcode Fuzzy Hash: 0f0a75104e771bd1194bd0c897325ed2466928fcd39d37851ebbcf16ff2bc3e1
Instruction Fuzzy Hash: 91E0C231A00325DFEBA49B50C844B99B771AF08780F1150E8E65DAB291CB31AC468B95

Function 06EB2CF8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 427476d46154471e4be77ab69f2decfefef43a20ea04ebc953892219fb50a60a
Instruction ID: fb92f05b276045668ed274c5c1918fa7561b8d5efd66930ff08d00352f44b0e2
Opcode Fuzzy Hash: 427476d46154471e4be77ab69f2decfefef43a20ea04ebc953892219fb50a60a
Instruction Fuzzy Hash: 04E04635D0060ACFDF409A59E5087FAB7B8EF84305F005465D614A3210DB3C26168F86

Function 06E8A8B0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7ee5ab4b718f24810ee90bfa22565d26230ff6ddb29f4a65f3c55b2a56bad30
Instruction ID: 171a82ba25529059cc22486873bb6a52644bbd9a436c5e083c88285bbbc00c4b
Opcode Fuzzy Hash: d7ee5ab4b718f24810ee90bfa22565d26230ff6ddb29f4a65f3c55b2a56bad30
Instruction Fuzzy Hash: 05E0C230B0130CEFCB00EFB0EC507ADB7B6EB44205F108598D4149B300D9B16E009B91

Function 06E30925 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220390243.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e30000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e30947b27115a1499a1e3c9b21e0322145b13d80158df2b35c37f6b2bac3f4ae
Instruction ID: 2ad4f500d0f2c7f8349e8e286e0427ad376349fa7571ab7d397902e0aa38f2f5
Opcode Fuzzy Hash: e30947b27115a1499a1e3c9b21e0322145b13d80158df2b35c37f6b2bac3f4ae
Instruction Fuzzy Hash: BAE0EC35A05374DFEBD4AB54894C6BD73B5EF44384F452855C92657205EB60D802CE82

Function 06E8A868 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e172e48cd97fb91889889ef795c7cc93520fe1b2445ad517a740890ac8f9f499
Instruction ID: 456da3bad0c02c27b7988a3a8ab16caa2abbdeeb5a0896e8212055ff55aceab0
Opcode Fuzzy Hash: e172e48cd97fb91889889ef795c7cc93520fe1b2445ad517a740890ac8f9f499
Instruction Fuzzy Hash: E5E01230A01208EFDB40EFA4E54469DB7F5EB48205F504599990DD7301DAB16E409B96

Function 06EB61CF Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9163f716159ab8849eebc1abb3030333ada4a51c8ee31efc57844ef3374712a
Instruction ID: 58d3fe64c6d0a8b402f9ca822bb4f38292cd61993352809377b96800a4edbfa8
Opcode Fuzzy Hash: b9163f716159ab8849eebc1abb3030333ada4a51c8ee31efc57844ef3374712a
Instruction Fuzzy Hash: C1D05E351092815BC3038B20D8A09D2BFA1DF8B654B1880CAE0884B253CB329C4BCB51

Function 06EB5801 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11103880d2342f278055a6f3eb4c8ead45410745e8b0bdf2cb976f0f6d726544
Instruction ID: 0911045a16f53cda349bf997f95c81b22fb1c3fa93164b37de9efb2662f67ecd
Opcode Fuzzy Hash: 11103880d2342f278055a6f3eb4c8ead45410745e8b0bdf2cb976f0f6d726544
Instruction Fuzzy Hash: 29D0C7706043558FEB85AB5CD8587DF61B2FB80504F51A22484576B355DBB4DC468BC1

Function 06E88B38 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ece72ed399c5d2228c0f4ea3ec0beb5075ea9611bbd28ed2faaa32f843fe52ab
Instruction ID: be796ef0cb1b7f3fbd365735bfa874305962991e62b5e1f69df190b40ab21120
Opcode Fuzzy Hash: ece72ed399c5d2228c0f4ea3ec0beb5075ea9611bbd28ed2faaa32f843fe52ab
Instruction Fuzzy Hash: 52D0C930D05758CFF761A750E4897DC7B21AF40314F056175944E7A290D6B44D81CF85

Function 06E8EAC0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6f04b2ef954b0f79c596c44f0326aab143b69a18f7a63857f3cadd7d181ba15
Instruction ID: 0bd03b421e8280ff6e0d536f2ca305ffec083bf3955c4e275bd8df8c1eae3824
Opcode Fuzzy Hash: b6f04b2ef954b0f79c596c44f0326aab143b69a18f7a63857f3cadd7d181ba15
Instruction Fuzzy Hash: 19C0403380D3949FC7035B108E158557F715E5165071A40D3F540DB161D5645D68D796

Function 06EB51E2 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37e661f2376f57bf3db81e53bf0d9e32164164e69178331463a39a255a453377
Instruction ID: 5cf4f1bf5e6eaf8da1f26a3d81e8ad0866276716985f16ca09a93eca449aa072
Opcode Fuzzy Hash: 37e661f2376f57bf3db81e53bf0d9e32164164e69178331463a39a255a453377
Instruction Fuzzy Hash: 66D01239600200CFE311CB28DA48F48BBE1BB08321F258354B8218B3E5C730E840CB00

Function 06E82AAF Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 112a8396961a292801cce7b591debc8f5919edb330e80b6bd7f45bf03ae51469
Instruction ID: dbd65ae9399ccebe70c2fdf2fd7963f50187b45c3d4fa93fab875c055a8285a7
Opcode Fuzzy Hash: 112a8396961a292801cce7b591debc8f5919edb330e80b6bd7f45bf03ae51469
Instruction Fuzzy Hash: F1C002B5A49651CFD7949F24D54469437B0AB0A394F1150A5D60E9B221C6345A01CB86

Function 06E82B19 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54925ddd4dd193cb0e234f2300cdf2962486fcac7d81d6784af4a778db658484
Instruction ID: ced53e6c424ee495d1e2041c24eb73ee2ed58139069a2dd66403116bd4c51f63
Opcode Fuzzy Hash: 54925ddd4dd193cb0e234f2300cdf2962486fcac7d81d6784af4a778db658484
Instruction Fuzzy Hash: B0D0CA78B04624CFD750CB24C880B88B3B2BF0A300F1180E5DA0EAB321C330AE40CE82

Function 06E85C6F Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d79b6362be1732333efca9beff0f199b53fbc3d7d5819b5b24d7ec733462aff0
Instruction ID: 193692cf7b434a39be023a13d9975e643941fcb4866946a31f6733400798aa8f
Opcode Fuzzy Hash: d79b6362be1732333efca9beff0f199b53fbc3d7d5819b5b24d7ec733462aff0
Instruction Fuzzy Hash: D5B09237A40019868A00D688E4404DCBB30DA98232F404032C200620108620156A9660

Function 06E89F10 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc953917f9ff12cc9b1cf994b7ac91262dbea046b7a5536f3c5e507dcb881fa7
Instruction ID: 6e12abda7f0e0f6bcb1dc65731c3e80fd31b78a3c3806b7434725def2119b39f
Opcode Fuzzy Hash: fc953917f9ff12cc9b1cf994b7ac91262dbea046b7a5536f3c5e507dcb881fa7
Instruction Fuzzy Hash: 18900231058A0C8B5744279A780B55D7F5CBA445157840051F60D959015E6978114595

Function 06E8BD2F Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11b0940266f491a75c246bba936c0b65817df5a9bb7f8054713d43179f44d0a3
Instruction ID: 08219359595ffe4d53de0a9cc5eb7bbe732d0cd4a04c33e29fa67e1d6fb0d363
Opcode Fuzzy Hash: 11b0940266f491a75c246bba936c0b65817df5a9bb7f8054713d43179f44d0a3
Instruction Fuzzy Hash: A4A00274B912016AEE3066B16E4BF8539255751B01F10114077195C1C189D1108089B6

Function 06E89F0E Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 728638cbdd5b999b8183aea1f97c7f1adefaf3139af02648c1958554fb0e45f6
Instruction ID: 123553330d4d0e59a25b9cc318ddd0b9d35695d5e410e83e483f26307880d4b1
Opcode Fuzzy Hash: 728638cbdd5b999b8183aea1f97c7f1adefaf3139af02648c1958554fb0e45f6
Instruction Fuzzy Hash: CEA00276044404459704898AFE839183768A6412293480592B20CDA640D631A5608508

Non-executed Functions

Function 06E8E338 Relevance: 2.8, Strings: 2, Instructions: 331COMMON

Download Yara Rule

Strings

(q, xrefs: 06E8E6DC
,q, xrefs: 06E8E42E

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID: (q$,q
API String ID: 0-275420656
Opcode ID: 44a0c3c0b37341f8533513d3d81a94467143bb4f88510984ddea0d1138c60688
Instruction ID: 4bcca53c1e39129c600104a8943c0583b5ca53dd30e79d4acb0c3fced515a68a
Opcode Fuzzy Hash: 44a0c3c0b37341f8533513d3d81a94467143bb4f88510984ddea0d1138c60688
Instruction Fuzzy Hash: 4ED12A34A10204CFDB54EF69C584AA9B7F2BF88314F6595A9D90DAB362DB31EC81CB50

Function 06E7DAB2 Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220462943.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e70000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1c7fa49e91c109c5aeba1750427b79f5ce502c730ad526745c3337775b45704
Instruction ID: 27f411238a481d9824bac5f3439b8f5180c85b3b0759f627fa9771ebfb12dcaa
Opcode Fuzzy Hash: c1c7fa49e91c109c5aeba1750427b79f5ce502c730ad526745c3337775b45704
Instruction Fuzzy Hash: E9F16774B017168FDB98DF69C49466EFBF2FF88300F249929E55A9B340CB34A811CB95

Function 06E84BE8 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc0f56d21737d2a7507d912e45ae738cd36c340f3ee89fb0fd013adb978bf1dd
Instruction ID: 76a9b7762d0cfe601150a2e142e3a95bfea6264d2a5632e23d71e3a7d1ad0323
Opcode Fuzzy Hash: cc0f56d21737d2a7507d912e45ae738cd36c340f3ee89fb0fd013adb978bf1dd
Instruction Fuzzy Hash: 3BC1AD71E0022ACFDB45DBA8D9806AEF7F1FF88304F249669D019EB245D734E946CB90

Function 06EB1F28 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220550689.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6eb0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c7bde9da731f0d95faed6869afdc272160d3281ab7da5821af609fd127f3ac9
Instruction ID: 39c055e59e388b067e1f811cc1ca16b5e3a870d2860dadd975168e33b9e80128
Opcode Fuzzy Hash: 9c7bde9da731f0d95faed6869afdc272160d3281ab7da5821af609fd127f3ac9
Instruction Fuzzy Hash: E2B18D70E10309CFDB50CFA9D8857EEBBF2AF88314F24A529D915EB254EB349945CB81

Function 06E83526 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecfad79056f7bafa93d67f8632256d28d210de6f904dec50bfa1b3d1e6e51b22
Instruction ID: 06218fd1c4652449f13665819a02951ae6eecc61db017d35f1e650701bd2765f
Opcode Fuzzy Hash: ecfad79056f7bafa93d67f8632256d28d210de6f904dec50bfa1b3d1e6e51b22
Instruction Fuzzy Hash: 7F5153291173457E8B207BBE9C89DCF3B5C8ED62B03000B15F1BE661F2DE16558289F2

Function 06E84BD9 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3220485538.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e80000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5476a670f3ec2095b3bbbe8530dc7db787035adfa95d9a14b600ce7f793fe223
Instruction ID: 9c771be6a45667a57e63e017b29f37526b76b2ff4d55c5f42a09788c652d0c17
Opcode Fuzzy Hash: 5476a670f3ec2095b3bbbe8530dc7db787035adfa95d9a14b600ce7f793fe223
Instruction Fuzzy Hash: 6C713D71E0062ACFDB55DFA9C8806AEF7F1FB88304F149629D429EB285D734E945CB90

Function 06E3F280 Relevance: 6.3, Strings: 5, Instructions: 43COMMON

Download Yara Rule

Strings

(oq, xrefs: 06E3F54D
(oq, xrefs: 06E3F6CB
/, xrefs: 06E3F29A
(oq, xrefs: 06E3F541
\sq, xrefs: 06E3F531

Memory Dump Source

Source File: 00000003.00000002.3220390243.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e30000_csc.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$/$\sq
API String ID: 0-878119681
Opcode ID: 3d6380f40343b7e8decd4dc409109a4e725f851a9a54ce8612052a23db55fbcb
Instruction ID: 5efbc6f652aee35fb0166918db2dfb6b05c09aa561df3cb30c27c570280a6297
Opcode Fuzzy Hash: 3d6380f40343b7e8decd4dc409109a4e725f851a9a54ce8612052a23db55fbcb
Instruction Fuzzy Hash: 5201F930F00319DBDB505E7ED498B5ABBA6AFC8200F599526E9159B360DAB4CC41C791

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PDFONLINE.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Favorites\StormyFierce\Bin\Enchanted.exe

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
PDFONLINE.exe

Function 06E70990 Relevance: 3.1, Strings: 2, Instructions: 553
COMMON

Function 06EB5E7D Relevance: 5.3, Strings: 4, Instructions: 282
COMMON

Function 06E8F751 Relevance: 3.0, Strings: 2, Instructions: 525
COMMON

Function 06E90810 Relevance: 2.9, Strings: 2, Instructions: 362
COMMON

Function 06E8F030 Relevance: 2.7, Strings: 2, Instructions: 179
COMMON