Edit tour

Windows Analysis Report
GcA5z6ZWRK.exe

Overview

General Information

Sample name:	GcA5z6ZWRK.exe renamed because original name is a hash value
Original sample name:	29af573d5e1b642841691e783db2da86911450d5a24d6c6814a24c84c05202a7.exe
Analysis ID:	1587842
MD5:	8c44c88488296fc18ae7c99764dde430
SHA1:	41b27e11f1a3c98ea76f86249935d205f1665577
SHA256:	29af573d5e1b642841691e783db2da86911450d5a24d6c6814a24c84c05202a7
Tags:	exeuser-adrian__luca
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected AntiVM3

AI detected suspicious sample

Drops VBS files to the startup folder

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to call native functions

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

One or more processes crash

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

GcA5z6ZWRK.exe (PID: 8016 cmdline: "C:\Users\user\Desktop\GcA5z6ZWRK.exe" MD5: 8C44C88488296FC18AE7C99764DDE430)

InstallUtil.exe (PID: 8108 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

WerFault.exe (PID: 7316 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8108 -s 1148 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1388036536.0000000005220000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1365927589.0000000002711000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: GcA5z6ZWRK.exe PID: 8016	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: GcA5z6ZWRK.exe PID: 8016	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: InstallUtil.exe PID: 8108	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.GcA5z6ZWRK.exe.5220000.3.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Sigma Signatures

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\GcA5z6ZWRK.exe, ProcessId: 8016, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bag.vbs

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: GcA5z6ZWRK.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\bag.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\bag.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Roaming\bag.exe	Virustotal: Detection: 70%			Perma Link

Multi AV Scanner detection for submitted file

Source: GcA5z6ZWRK.exe	Virustotal: Detection: 70%			Perma Link
Source: GcA5z6ZWRK.exe	ReversingLabs: Detection: 91%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\bag.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: GcA5z6ZWRK.exe

Joe Sandbox ML: detected

Source: GcA5z6ZWRK.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: GcA5z6ZWRK.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\InstallUtil.pdbE source: InstallUtil.exe, 00000002.00000002.2606999082.0000000001619000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2606999082.0000000001619000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: GcA5z6ZWRK.exe, 00000000.00000002.1389890592.0000000005EB0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2606999082.00000000016C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: GcA5z6ZWRK.exe, 00000000.00000002.1389890592.0000000005EB0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: GcA5z6ZWRK.exe, 00000000.00000002.1388931153.0000000005340000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdb( source: InstallUtil.exe, 00000002.00000002.2606999082.0000000001619000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2606999082.0000000001619000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: GcA5z6ZWRK.exe, 00000000.00000002.1388931153.0000000005340000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb6 source: InstallUtil.exe, 00000002.00000002.2606999082.0000000001619000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb source: InstallUtil.exe, 00000002.00000002.2606999082.0000000001619000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2606999082.0000000001619000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2606677995.0000000001368000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.pdbz source: InstallUtil.exe, 00000002.00000002.2606677995.0000000001368000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: InstallUtil.exe, 00000002.00000002.2606999082.0000000001619000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2606999082.0000000001619000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: @go.pdb source: InstallUtil.exe, 00000002.00000002.2606677995.0000000001368000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdbx source: InstallUtil.exe, 00000002.00000002.2606999082.0000000001619000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: HP[o8C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2606677995.0000000001368000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2606999082.0000000001619000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.PDB source: InstallUtil.exe, 00000002.00000002.2606999082.0000000001619000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2606677995.0000000001368000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: ((.pdb"s( source: InstallUtil.exe, 00000002.00000002.2606677995.0000000001368000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2606999082.0000000001619000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ?goC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2606677995.0000000001368000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdb8 source: InstallUtil.exe, 00000002.00000002.2606677995.0000000001368000.00000004.00000010.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Code function: 4x nop then jmp 05F1C190h		0_2_05F1C0D0
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Code function: 4x nop then jmp 05F1C190h		0_2_05F1C0D8

Source: GcA5z6ZWRK.exe, 00000000.00000002.1365927589.0000000002711000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: GcA5z6ZWRK.exe, 00000000.00000002.1388931153.0000000005340000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: GcA5z6ZWRK.exe, 00000000.00000002.1388931153.0000000005340000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: GcA5z6ZWRK.exe, 00000000.00000002.1388931153.0000000005340000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: GcA5z6ZWRK.exe, 00000000.00000002.1388931153.0000000005340000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: GcA5z6ZWRK.exe, 00000000.00000002.1365927589.0000000002711000.00000004.00000800.00020000.00000000.sdmp, GcA5z6ZWRK.exe, 00000000.00000002.1388931153.0000000005340000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: GcA5z6ZWRK.exe, 00000000.00000002.1388931153.0000000005340000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Code function: 0_2_05F1D998 NtProtectVirtualMemory,		0_2_05F1D998
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Code function: 0_2_05F1D990 NtProtectVirtualMemory,		0_2_05F1D990

Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Code function: 0_2_025CBE20	0_2_025CBE20
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Code function: 0_2_025C87BF	0_2_025C87BF
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Code function: 0_2_025C7E30	0_2_025C7E30
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Code function: 0_2_025C7E21	0_2_025C7E21
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Code function: 0_2_05F1A590	0_2_05F1A590
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Code function: 0_2_05F12F78	0_2_05F12F78
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Code function: 0_2_05F1A582	0_2_05F1A582
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Code function: 0_2_05F12F77	0_2_05F12F77
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Code function: 0_2_05F1CAB0	0_2_05F1CAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01742D60	2_2_01742D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01746B10	2_2_01746B10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_01742D50	2_2_01742D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_017441C0	2_2_017441C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_017441B9	2_2_017441B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_03361068	2_2_03361068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_03361059	2_2_03361059

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8108 -s 1148

Source: GcA5z6ZWRK.exe, 00000000.00000002.1365927589.0000000002C23000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWzvqjmgvaw.exe" vs GcA5z6ZWRK.exe
Source: GcA5z6ZWRK.exe, 00000000.00000002.1363309740.00000000009EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs GcA5z6ZWRK.exe
Source: GcA5z6ZWRK.exe, 00000000.00000002.1389890592.0000000005EB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs GcA5z6ZWRK.exe
Source: GcA5z6ZWRK.exe, 00000000.00000002.1387704032.0000000005140000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameJmxinbigz.exe4 vs GcA5z6ZWRK.exe
Source: GcA5z6ZWRK.exe, 00000000.00000002.1365927589.0000000002711000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs GcA5z6ZWRK.exe
Source: GcA5z6ZWRK.exe, 00000000.00000002.1388931153.0000000005340000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs GcA5z6ZWRK.exe
Source: GcA5z6ZWRK.exe	Binary or memory string: OriginalFilenameJmxinbigz.exe4 vs GcA5z6ZWRK.exe

Source: GcA5z6ZWRK.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: GcA5z6ZWRK.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: bag.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.expl.evad.winEXE@4/3@0/0

Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bag.vbs

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7316:64:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\4c56e911-5e03-4d16-97ae-efa274dd0c7d

Jump to behavior

Source: GcA5z6ZWRK.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: GcA5z6ZWRK.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: GcA5z6ZWRK.exe	Virustotal: Detection: 70%
Source: GcA5z6ZWRK.exe	ReversingLabs: Detection: 91%

Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe

File read: C:\Users\user\Desktop\GcA5z6ZWRK.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\GcA5z6ZWRK.exe "C:\Users\user\Desktop\GcA5z6ZWRK.exe"
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8108 -s 1148
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: GcA5z6ZWRK.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: GcA5z6ZWRK.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: GcA5z6ZWRK.exe

Static file information: File size 1361408 > 1048576

Source: GcA5z6ZWRK.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x14bc00

Source: GcA5z6ZWRK.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\InstallUtil.pdbE source: InstallUtil.exe, 00000002.00000002.2606999082.0000000001619000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2606999082.0000000001619000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: GcA5z6ZWRK.exe, 00000000.00000002.1389890592.0000000005EB0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2606999082.00000000016C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: GcA5z6ZWRK.exe, 00000000.00000002.1389890592.0000000005EB0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: GcA5z6ZWRK.exe, 00000000.00000002.1388931153.0000000005340000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdb( source: InstallUtil.exe, 00000002.00000002.2606999082.0000000001619000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2606999082.0000000001619000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: GcA5z6ZWRK.exe, 00000000.00000002.1388931153.0000000005340000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb6 source: InstallUtil.exe, 00000002.00000002.2606999082.0000000001619000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb source: InstallUtil.exe, 00000002.00000002.2606999082.0000000001619000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2606999082.0000000001619000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2606677995.0000000001368000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.pdbz source: InstallUtil.exe, 00000002.00000002.2606677995.0000000001368000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: InstallUtil.exe, 00000002.00000002.2606999082.0000000001619000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2606999082.0000000001619000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: @go.pdb source: InstallUtil.exe, 00000002.00000002.2606677995.0000000001368000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdbx source: InstallUtil.exe, 00000002.00000002.2606999082.0000000001619000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: HP[o8C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2606677995.0000000001368000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2606999082.0000000001619000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.PDB source: InstallUtil.exe, 00000002.00000002.2606999082.0000000001619000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2606677995.0000000001368000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: ((.pdb"s( source: InstallUtil.exe, 00000002.00000002.2606677995.0000000001368000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2606999082.0000000001619000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ?goC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2606677995.0000000001368000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdb8 source: InstallUtil.exe, 00000002.00000002.2606677995.0000000001368000.00000004.00000010.00020000.00000000.sdmp

Data Obfuscation

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.GcA5z6ZWRK.exe.5220000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1388036536.0000000005220000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1365927589.0000000002711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: GcA5z6ZWRK.exe PID: 8016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 8108, type: MEMORYSTR

Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Code function: 0_2_025C7B8B push ds; retf	0_2_025C7B9A
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Code function: 0_2_05F12F6A push ss; retf	0_2_05F12F76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_033643B8 push edx; iretd	2_2_033643BB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_03364801 push es; retf	2_2_03364807

Source: GcA5z6ZWRK.exe	Static PE information: section name: .text entropy: 7.999700185013848
Source: bag.exe.0.dr	Static PE information: section name: .text entropy: 7.999700185013848

Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe

File created: C:\Users\user\AppData\Roaming\bag.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bag.vbs

Jump to dropped file

Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bag.vbs

Jump to behavior

Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bag.vbs

Jump to behavior

Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: GcA5z6ZWRK.exe PID: 8016, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: GcA5z6ZWRK.exe, 00000000.00000002.1365927589.0000000002711000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: EXPLORER SBIEDLL.DLL!CUCKOOMON.DLL"WIN32_PROCESS.HANDLE='{0}'#PARENTPROCESSID$CMD%SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE&VERSION'SERIALNUMBER)VMWARE\|VIRTUAL\|A M I\|XENSELECT FROM WIN32_COMPUTERSYSTEM+MANUFACTURER,MODEL-MICROSOFT\|VMWARE\|VIRTUAL.JOHN/ANNA0XXXXXXXX
Source: GcA5z6ZWRK.exe, 00000000.00000002.1365927589.0000000002711000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLLP

Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Memory allocated: 2580000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Memory allocated: 2710000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Memory allocated: 4710000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 1740000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 3420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 1980000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS

Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem

Source: GcA5z6ZWRK.exe, 00000000.00000002.1365927589.0000000002711000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: GcA5z6ZWRK.exe, 00000000.00000002.1365927589.0000000002711000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q 1:en-CH:Microsoft\|VMWare\|Virtual
Source: GcA5z6ZWRK.exe, 00000000.00000002.1365927589.0000000002711000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: GcA5z6ZWRK.exe, 00000000.00000002.1365927589.0000000002711000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q 1:en-CH:VMware\|VIRTUAL\|A M I\|Xen
Source: GcA5z6ZWRK.exe, 00000000.00000002.1365927589.0000000002711000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: GcA5z6ZWRK.exe, 00000000.00000002.1365927589.0000000002711000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: explorer SbieDll.dll!cuckoomon.dll"win32_process.handle='{0}'#ParentProcessId$cmd%select * from Win32_BIOS8Unexpected WMI query failure&version'SerialNumber)VMware\|VIRTUAL\|A M I\|Xenselect from Win32_ComputerSystem+manufacturer,model-Microsoft\|VMWare\|Virtual.john/anna0xxxxxxxx

Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 480000	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 482000	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 108F008	Jump to behavior

Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

Jump to behavior

Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Queries volume information: C:\Users\user\Desktop\GcA5z6ZWRK.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\GcA5z6ZWRK.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	2 Windows Management Instrumentation	1 Scripting	211 Process Injection	1 Masquerading	OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Registry Run Keys / Startup Folder	2 Registry Run Keys / Startup Folder	3 Virtualization/Sandbox Evasion	LSASS Memory	3 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	211 Process Injection	NTDS	32 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
GcA5z6ZWRK.exe	70%	Virustotal		Browse
GcA5z6ZWRK.exe	92%	ReversingLabs	ByteCode-MSIL.Trojan.Crysan
GcA5z6ZWRK.exe	100%	Avira	TR/Dropper.Gen
GcA5z6ZWRK.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\bag.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\bag.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\bag.exe	92%	ReversingLabs	ByteCode-MSIL.Trojan.Crysan
C:\Users\user\AppData\Roaming\bag.exe	70%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://github.com/mgravell/protobuf-net	GcA5z6ZWRK.exe, 00000000.00000002.1388931153.0000000005340000.00000004.08000000.00040000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-neti	GcA5z6ZWRK.exe, 00000000.00000002.1388931153.0000000005340000.00000004.08000000.00040000.00000000.sdmp	false	high
https://stackoverflow.com/q/14436606/23354	GcA5z6ZWRK.exe, 00000000.00000002.1365927589.0000000002711000.00000004.00000800.00020000.00000000.sdmp, GcA5z6ZWRK.exe, 00000000.00000002.1388931153.0000000005340000.00000004.08000000.00040000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-netJ	GcA5z6ZWRK.exe, 00000000.00000002.1388931153.0000000005340000.00000004.08000000.00040000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	GcA5z6ZWRK.exe, 00000000.00000002.1365927589.0000000002711000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	GcA5z6ZWRK.exe, 00000000.00000002.1388931153.0000000005340000.00000004.08000000.00040000.00000000.sdmp	false	high
https://stackoverflow.com/q/2152978/23354	GcA5z6ZWRK.exe, 00000000.00000002.1388931153.0000000005340000.00000004.08000000.00040000.00000000.sdmp	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587842
Start date and time:	2025-01-10 18:28:20 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	GcA5z6ZWRK.exe renamed because original name is a hash value
Original Sample Name:	29af573d5e1b642841691e783db2da86911450d5a24d6c6814a24c84c05202a7.exe
Detection:	MAL
Classification:	mal100.expl.evad.winEXE@4/3@0/0
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 64 Number of non-executed functions: 6
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target InstallUtil.exe, PID 8108 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
18:29:23	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bag.vbs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	Unconfirmed 287374.eml	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://www.depoqq.win/geno	Get hash	malicious	Unknown	Browse	13.107.246.45
	17048156412338914445.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	251443863021115246.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	12662108703247616042.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	wN7EPNiHSM.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	334130052300215064.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	http://infarmbureau.com	Get hash	malicious	Unknown	Browse	13.107.246.45
	489131343024428850.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	zAK7HHniGW.exe	Get hash	malicious	Snake Keylogger	Browse	13.107.246.45

Process:	C:\Users\user\Desktop\GcA5z6ZWRK.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	77
Entropy (8bit):	4.74554721719143
Encrypted:	false
SSDEEP:	3:FER/n0eFHHoMEREaKC5k9dAnHn:FER/lFHIFiaZ5km
MD5:	2425098FB2AD39B91CA315DBDE0EC345
SHA1:	E753C583F2E7AF535364FE8A71707181D8C28419
SHA-256:	26E983C048E4C71EA62945557B16FA5ED2026D79E89AEAC7202A99711DAA0EEA
SHA-512:	55ED42FD61468C1DA02EE35063EF6DBC20A4D84ACAF2B2A8D73B22918D80431C98217EF982D3A5B151E4CB66077FB3112D7A8E7110A250147CBC51345410D7BE
Malicious:	true
Reputation:	low
Preview:	CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\bag.exe"""

C:\Users\user\AppData\Roaming\bag.exe

Download File

Process:	C:\Users\user\Desktop\GcA5z6ZWRK.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1361408
Entropy (8bit):	7.99918044482795
Encrypted:	true
SSDEEP:	24576:TDLMJn8nEIEZRPylkbEhMw9s6dGVoMlZnjUPqFNNzYzdynHUdz9zv7yuJQTry9iP:TDIN8nE7Oa2/dgpHj7ShoHUdJz5J6W9+
MD5:	8C44C88488296FC18AE7C99764DDE430
SHA1:	41B27E11F1A3C98EA76F86249935D205F1665577
SHA-256:	29AF573D5E1B642841691E783DB2DA86911450D5A24D6C6814A24C84C05202A7
SHA-512:	D6ADB7AA356E9E770B15159D3DD92B8A65CB6C276BC2294298491720F362B0B37D8AD8F66DE0A1FD4D3AE27587073EFA383B12E6BB2BDDB5CF89FD043F4C1541
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92% Antivirus: Virustotal, Detection: 70%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{.cg................................. ........@.. ....................... ............`.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........................!...............................................($....~....:....r...p.....(%...o&...s'........~.....~...........j(....r...p~....o(...t......&...(%....r...p().........o...&.0............8.......(..........&...9....s......r...p(....o.....r3..p(....o.....o........io...........9.....o.....(.....o.......(....:j....o....(...+........83.......o....o ...rM..p(!...9........o......8.......X......o"...2....(#...:......(......X....?......................

C:\Users\user\AppData\Roaming\bag.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\GcA5z6ZWRK.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.99918044482795
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	GcA5z6ZWRK.exe
File size:	1'361'408 bytes
MD5:	8c44c88488296fc18ae7c99764dde430
SHA1:	41b27e11f1a3c98ea76f86249935d205f1665577
SHA256:	29af573d5e1b642841691e783db2da86911450d5a24d6c6814a24c84c05202a7
SHA512:	d6adb7aa356e9e770b15159d3dd92b8a65cb6c276bc2294298491720f362b0b37d8ad8f66de0a1fd4d3ae27587073efa383b12e6bb2bddb5cf89fd043f4c1541
SSDEEP:	24576:TDLMJn8nEIEZRPylkbEhMw9s6dGVoMlZnjUPqFNNzYzdynHUdz9zv7yuJQTry9iP:TDIN8nE7Oa2/dgpHj7ShoHUdJz5J6W9+
TLSH:	7F55331C4A1456B4DE9E8DF5EEB17D128A1A93CC18A2B73C0C7726BE1363493BD35CA1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{.cg................................. ........@.. ....................... ............`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x54dace
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6763A77B [Thu Dec 19 04:56:27 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x14da78	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14e000	0x5a6	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x150000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x14bad4	0x14bc00	a935e602e90576307fa3f092b6f026e6	False	0.9991500153070837	data	7.999700185013848	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x14e000	0x5a6	0x600	6aefd71f938a57eba7f97a30f6edc182	False	0.41796875	data	4.0991029503669845	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x150000	0xc	0x200	d6317c53578daa34b7eb47b3aac2f7f4	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x14e0a0	0x31c	data			0.43090452261306533
RT_MANIFEST	0x14e3bc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 18:29:15.788992882 CET	1.1.1.1	192.168.2.10	0x70da	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 18:29:15.788992882 CET	1.1.1.1	192.168.2.10	0x70da	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	12:29:19
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\GcA5z6ZWRK.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\GcA5z6ZWRK.exe"
Imagebase:	0x2f0000
File size:	1'361'408 bytes
MD5 hash:	8C44C88488296FC18AE7C99764DDE430
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1388036536.0000000005220000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1365927589.0000000002711000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:29:21
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0xfd0000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	12:29:23
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 8108 -s 1148
Imagebase:	0xa90000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.3%
Total number of Nodes:	228
Total number of Limit Nodes:	16

Executed Functions

Function 025CBE20 Relevance: 3.5, Strings: 2, Instructions: 983
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

!"AQ, xrefs: 025CC1FD
TJq, xrefs: 025CBFC2

Memory Dump Source

Source File: 00000000.00000002.1365499751.00000000025C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c0000_GcA5z6ZWRK.jbxd

Similarity

API ID:
String ID: !"AQ$TJq
API String ID: 0-3212949648
Opcode ID: 763bdca81b56ac009977ea71888bb6ba839ace7232a69022602674d7bd579016
Instruction ID: 587eae3524561f3727a0dc67bcec34bed92f7e0444aeb2ffc4a5f522572fc97c
Opcode Fuzzy Hash: 763bdca81b56ac009977ea71888bb6ba839ace7232a69022602674d7bd579016
Instruction Fuzzy Hash: 54A2C275A00228CFDB65CF69C884A99BBB2FF89305F1581E9D50DAB321DB319E81CF40

Function 05F1A590 Relevance: 3.1, Strings: 2, Instructions: 614
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8, xrefs: 05F1A69A
fq, xrefs: 05F1A6AD

Memory Dump Source

Source File: 00000000.00000002.1390069910.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f10000_GcA5z6ZWRK.jbxd

Similarity

API ID:
String ID: fq$8
API String ID: 0-1651916650
Opcode ID: 9852e5b8985bab011bbf0d5e44a9d89e7788488ee65c8487182fe952f3c7af92
Instruction ID: 07c9db0cc8707478d1c4bc126263037b3781799c42e17a2e8ef47c761d4f8c80
Opcode Fuzzy Hash: 9852e5b8985bab011bbf0d5e44a9d89e7788488ee65c8487182fe952f3c7af92
Instruction Fuzzy Hash: B652D575E016288FDB65DF69C850AD9B7B2FB89300F1085EAD949A7344DB34AE81CF90

Function 05F1A582 Relevance: 2.7, Strings: 2, Instructions: 163
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

h, xrefs: 05F1A68E
fq, xrefs: 05F1A6AD

Memory Dump Source

Source File: 00000000.00000002.1390069910.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f10000_GcA5z6ZWRK.jbxd

Similarity

API ID:
String ID: fq$h
API String ID: 0-152923806
Opcode ID: 1cd4d6c0936d152fcb95ec07ef9ceb3665dd25ab9486b83afcd3de3024b6930b
Instruction ID: 9c3fdc412a99e97c9bbfc91a392a40dc4eb3bb6bc81701542a5bf604293cf754
Opcode Fuzzy Hash: 1cd4d6c0936d152fcb95ec07ef9ceb3665dd25ab9486b83afcd3de3024b6930b
Instruction Fuzzy Hash: BB710A75D016288BEB64DF69C840BDAB7B2FF89300F1082AAC90DB7254DB345E81CF90

Function 05F1D990 Relevance: 1.6, APIs: 1, Instructions: 108
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 05F1DA4D

Memory Dump Source

Source File: 00000000.00000002.1390069910.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f10000_GcA5z6ZWRK.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 72f5c7b685040af9205005c8023849ac6a4c30670bb7a385d1e8fde87ba6cdc7
Instruction ID: 81663ef0476a7f9ca4d5b8b03f3a0caa473b11a1a4135ed8d2ee0ea4112e0350
Opcode Fuzzy Hash: 72f5c7b685040af9205005c8023849ac6a4c30670bb7a385d1e8fde87ba6cdc7
Instruction Fuzzy Hash: 84418AB5D042589FCF10CFAAD880ADEFBB5FB49310F14942AE819B7210D779A946CF64

Function 05F1D998 Relevance: 1.6, APIs: 1, Instructions: 105
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 05F1DA4D

Memory Dump Source

Source File: 00000000.00000002.1390069910.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f10000_GcA5z6ZWRK.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 19481c8dbbec073567e962f3d428ed00405ebfd0950e6b355b1e9662ab1b103d
Instruction ID: 594150d3b1835c08fc7ba4e6d8963e4ed3bc5c3de5cae16fdd0b1c3da95f7d1c
Opcode Fuzzy Hash: 19481c8dbbec073567e962f3d428ed00405ebfd0950e6b355b1e9662ab1b103d
Instruction Fuzzy Hash: EB418AB5D042589FCF10CFAAD880ADEFBB5BB49310F14942AE815B7200D735A945CF64

Function 05F12F78 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

q]\#, xrefs: 05F130BF

Memory Dump Source

Source File: 00000000.00000002.1390069910.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f10000_GcA5z6ZWRK.jbxd

Similarity

API ID:
String ID: q]\#
API String ID: 0-583714348
Opcode ID: de6c101cd8e659a33ae5dc08edd817915f4a10a03c488efb927b23e0d127c046
Instruction ID: 81d2575f458fb6fc8c513072e72b06398f07598396c1cdabe774a3b94a45f7a0
Opcode Fuzzy Hash: de6c101cd8e659a33ae5dc08edd817915f4a10a03c488efb927b23e0d127c046
Instruction Fuzzy Hash: 4BC1F271E04218CFDB54DFAAD444BADBBF6FF49304F1085AAD809AB285DB785885CF18

Function 05F12F77 Relevance: 1.5, Strings: 1, Instructions: 262COMMON

Download Yara Rule

Strings

q]\#, xrefs: 05F130BF

Memory Dump Source

Source File: 00000000.00000002.1390069910.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f10000_GcA5z6ZWRK.jbxd

Similarity

API ID:
String ID: q]\#
API String ID: 0-583714348
Opcode ID: 8a423b2d38bbc503a1c41fddaabac2a160ed599320ba2f860a352ffd1cbf792b
Instruction ID: a8fe6d8ffa65e062ba9e0d09db2b1af057ea43dcf2738483cff4d5ab95f23c1f
Opcode Fuzzy Hash: 8a423b2d38bbc503a1c41fddaabac2a160ed599320ba2f860a352ffd1cbf792b
Instruction Fuzzy Hash: FEC1F175E04208CFDB54DFAAD444BADBBF2FF49304F1085AAD809AB285DB785985CF14

Function 05F1E544 Relevance: 1.8, APIs: 1, Instructions: 263
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05F1E7B7

Memory Dump Source

Source File: 00000000.00000002.1390069910.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f10000_GcA5z6ZWRK.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 57ef4c2965ac40bd533198e81ecd38dca5af6e265da7b95b66063fc5a64991f2
Instruction ID: 7fbdcefc5f8c4a492bbb6438a0f7dbccb986d7c712195f66a369c81db111bc19
Opcode Fuzzy Hash: 57ef4c2965ac40bd533198e81ecd38dca5af6e265da7b95b66063fc5a64991f2
Instruction Fuzzy Hash: 16A11274D00318CFDB20CFA9C885BEEBBB5FB09310F149569E859A7240DB789985CF55

Function 05F1E550 Relevance: 1.8, APIs: 1, Instructions: 261
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05F1E7B7

Memory Dump Source

Source File: 00000000.00000002.1390069910.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f10000_GcA5z6ZWRK.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: c4bd962fd5c355fedf05517806f521b37d8fc5efa48c325f7d6b8c8fe05f9bb8
Instruction ID: 31e7babd7b1b593254f366863c06c3767f72e865a0d9d3d2ef74361f2940fb22
Opcode Fuzzy Hash: c4bd962fd5c355fedf05517806f521b37d8fc5efa48c325f7d6b8c8fe05f9bb8
Instruction Fuzzy Hash: 92A10270D00318CFDB20CFA9C885BEEBBB5FB09310F149569E959A7280DB789985CF59

Function 05F141E4 Relevance: 1.7, APIs: 1, Instructions: 172
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CopyFileA.KERNEL32(?,?,?), ref: 05F1436B

Memory Dump Source

Source File: 00000000.00000002.1390069910.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f10000_GcA5z6ZWRK.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 982b68c97c8092818a6ba2d9374057893d8dde936a9564fc92e59820df1f2e01
Instruction ID: 3c144b1255b3c2687dd03345fe5477a19dcc16e17d82942fd2a58633b6a52cdb
Opcode Fuzzy Hash: 982b68c97c8092818a6ba2d9374057893d8dde936a9564fc92e59820df1f2e01
Instruction Fuzzy Hash: 27612470D003598FDF14CFA9C9897EDBBB1FB48310F248229E815AB280DB788985DF45

Function 05F141F0 Relevance: 1.7, APIs: 1, Instructions: 169
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CopyFileA.KERNEL32(?,?,?), ref: 05F1436B

Memory Dump Source

Source File: 00000000.00000002.1390069910.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f10000_GcA5z6ZWRK.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 1615758ce6a6805ccbcef32c87844a24abc6f5a10993252a9f93af576917247a
Instruction ID: 0e89d451a695351ff0d06586a311840d658945b6e571bf989c6f3759b2129686
Opcode Fuzzy Hash: 1615758ce6a6805ccbcef32c87844a24abc6f5a10993252a9f93af576917247a
Instruction Fuzzy Hash: 16611370D003589FDF14CFA9C8897EDBBB1FB89310F248129E815AB280DB789985DF55

Function 05F1FBB9 Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05F1FC93

Memory Dump Source

Source File: 00000000.00000002.1390069910.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f10000_GcA5z6ZWRK.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ae7003f2735f2629525e9c1038c1546f342502025f16b0be89945344ccee0c39
Instruction ID: 25945e42c247f703b50b6f672c4931f0440d919b519caae397f69da65c19e072
Opcode Fuzzy Hash: ae7003f2735f2629525e9c1038c1546f342502025f16b0be89945344ccee0c39
Instruction Fuzzy Hash: 32419AB5D012589FCF10DFA9D984ADEFBF1BB49310F14942AE819B7200D739AA45CF68

Function 05F1FBC0 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05F1FC93

Memory Dump Source

Source File: 00000000.00000002.1390069910.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f10000_GcA5z6ZWRK.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: b3b7f84c10cde907cd126e2159cdb58aeef109ecc4ec964ce7d280822b157f4f
Instruction ID: 1f042b7421a69998d8f77581877f2c9cfd80bfa7abc19fd573011fc60d4e8f59
Opcode Fuzzy Hash: b3b7f84c10cde907cd126e2159cdb58aeef109ecc4ec964ce7d280822b157f4f
Instruction Fuzzy Hash: 76419AB5D012589FCF10DFA9D984ADEFBF1BB49310F14942AE819B7200D739AA45CF68

Function 05F1F4B0 Relevance: 1.6, APIs: 1, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05F1F562

Memory Dump Source

Source File: 00000000.00000002.1390069910.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f10000_GcA5z6ZWRK.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 76d8ce073e8629199612efb93f22efe4a294dd307974f817dfbe19507d9c55e4
Instruction ID: c0b1b171134005891f2c90dc0d686b36e3700e153864b28fbc943d0c022fc1a7
Opcode Fuzzy Hash: 76d8ce073e8629199612efb93f22efe4a294dd307974f817dfbe19507d9c55e4
Instruction Fuzzy Hash: 7C318AB9D042589FCF10CFA9D980ADEFBB5FB49320F14941AE815B7210D739A946CF64

Function 05F1F4B8 Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05F1F562

Memory Dump Source

Source File: 00000000.00000002.1390069910.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f10000_GcA5z6ZWRK.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1cabef2f6114a45b6962684214af8de982f2a7c87827edae4492d11391060f0a
Instruction ID: 84b765534b702c78d992dce5414c87e0f474099b7c5ec36d9171f4b62778520d
Opcode Fuzzy Hash: 1cabef2f6114a45b6962684214af8de982f2a7c87827edae4492d11391060f0a
Instruction Fuzzy Hash: C53165B9D042589FCF10CFA9D980ADEFBB5BB49310F14942AE815B7210D739A946CF68

Function 05F1EDF8 Relevance: 1.6, APIs: 1, Instructions: 98threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 05F1EEAF

Memory Dump Source

Source File: 00000000.00000002.1390069910.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f10000_GcA5z6ZWRK.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 9048f7fc070675b79ec09c1ce5a482beadf5c6f54253351a2056e8c5db00d09b
Instruction ID: db24e1c22a8f2ec3130553e3f8d8ba17f2c1569de3fcacc6d0a0ac8e28ad905a
Opcode Fuzzy Hash: 9048f7fc070675b79ec09c1ce5a482beadf5c6f54253351a2056e8c5db00d09b
Instruction Fuzzy Hash: 5241ACB5D012589FDB10DFA9D884AEEFBF5BB48320F24842AE815B7240D778A945CF64

Function 05F1EE00 Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 05F1EEAF

Memory Dump Source

Source File: 00000000.00000002.1390069910.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f10000_GcA5z6ZWRK.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: dc9383c1f7e887cfcbc2133d6a930dfd2687ddef75fad692458245f26efc58aa
Instruction ID: 25f98814f5dc91e151e41f86c8f9033a84c16aca31a5a91317bad6c38c3f8ce0
Opcode Fuzzy Hash: dc9383c1f7e887cfcbc2133d6a930dfd2687ddef75fad692458245f26efc58aa
Instruction Fuzzy Hash: B531BEB5D012589FDB10CFA9D884AEEFBF5BF48310F14842AE815B7240D738A945CF64

Function 025CFCE0 Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

TJq, xrefs: 025CFE32

Memory Dump Source

Source File: 00000000.00000002.1365499751.00000000025C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c0000_GcA5z6ZWRK.jbxd

Similarity

API ID:
String ID: TJq
API String ID: 0-48878262
Opcode ID: 537a67214978c9506e1ae2c275e5ef72878f3d91c7fd928f7d268538c80c6229
Instruction ID: 9f51edab12aaffef9078605f57d237a514aca749ed3fe1a0d7a25108e74e4bfe
Opcode Fuzzy Hash: 537a67214978c9506e1ae2c275e5ef72878f3d91c7fd928f7d268538c80c6229
Instruction Fuzzy Hash: 5671A375E00208DFDB45EFA9E4546AEBBF2FB89301F20846AE506A7358EB385D45CF50

Function 025C0817 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

toq, xrefs: 025C087E

Memory Dump Source

Source File: 00000000.00000002.1365499751.00000000025C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c0000_GcA5z6ZWRK.jbxd

Similarity

API ID:
String ID: toq
API String ID: 0-207910900
Opcode ID: f58d959cfa029962808771214fa01962896399c754d88c1e5b4e264ebe242362
Instruction ID: 735eb76119ef609f7bb4e461e645fb294f1809990544649d4e29558b3326b49d
Opcode Fuzzy Hash: f58d959cfa029962808771214fa01962896399c754d88c1e5b4e264ebe242362
Instruction Fuzzy Hash: 2F217E71A04244CFD7059B7CC8A8BED7FB1BF8D314F258499D041AB3A1DA748C45CB55

Function 025C0848 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

toq, xrefs: 025C087E

Memory Dump Source

Source File: 00000000.00000002.1365499751.00000000025C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c0000_GcA5z6ZWRK.jbxd

Similarity

API ID:
String ID: toq
API String ID: 0-207910900
Opcode ID: 7ddd217fc7463c77c37538a3807e6be66992d0e9ebc4ab24de9ee47a238eab44
Instruction ID: 7e0cc7731596514c56a16786650ed9cf09be51514d9e4a2caca05ff5052f7c25
Opcode Fuzzy Hash: 7ddd217fc7463c77c37538a3807e6be66992d0e9ebc4ab24de9ee47a238eab44
Instruction Fuzzy Hash: 73213A35E40108CFDB08DFA9D458AEDBBF1FB8C315F248469E506A73A0DB309844CBA4

Function 025C086D Relevance: 1.3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

Strings

toq, xrefs: 025C087E

Memory Dump Source

Source File: 00000000.00000002.1365499751.00000000025C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c0000_GcA5z6ZWRK.jbxd

Similarity

API ID:
String ID: toq
API String ID: 0-207910900
Opcode ID: 7f3c4f46f934b8f5f0da55be62256922292ec0d167b19c81a762012df0407a60
Instruction ID: a243ce557675d4be947c3c6a2ee8882fc408d37786ba7b35437a2947412d5af6
Opcode Fuzzy Hash: 7f3c4f46f934b8f5f0da55be62256922292ec0d167b19c81a762012df0407a60
Instruction Fuzzy Hash: 1D110674A40204CFDB08DFA8D458BAD7BB1BB4C715F258859E102EB3A1DB709840CF55

Function 025C0907 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365499751.00000000025C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c0000_GcA5z6ZWRK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92b09cb925bb5045e50bf3951ecb63b2bd38b0fd8b266f642c55ea62caa8b2e9
Instruction ID: 53e7eac406817b82895cb3d55ce28fc08dc7f85ce512ee93280e1cf9f1792747
Opcode Fuzzy Hash: 92b09cb925bb5045e50bf3951ecb63b2bd38b0fd8b266f642c55ea62caa8b2e9
Instruction Fuzzy Hash: C531B635704241CFD718DB78C494A68BBB2FF8535472684A9D986DB3A2EB35EC02CB94

Function 025CCE50 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365499751.00000000025C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c0000_GcA5z6ZWRK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00f855faad6c58ed727ca0bc8727b6440e3dc4cb1591ea74b7a35cc45eac108c
Instruction ID: 33471dc55aca9be3dbf4a3a943647cfc2c32019e862ecd67b00a67ece2a93bbc
Opcode Fuzzy Hash: 00f855faad6c58ed727ca0bc8727b6440e3dc4cb1591ea74b7a35cc45eac108c
Instruction Fuzzy Hash: 39313CF0D042099FDB05EFAAD8446AEBBB6BB86301F20C86AC019A7244E7784545CF45

Function 025C7CD8 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365499751.00000000025C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c0000_GcA5z6ZWRK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af8750e8287654ba4d958da616cf464e74c669e22bcf854a4a74da838452361b
Instruction ID: 58f95b49d58c828a29e654d110630ade9f294666458c124d8fcf33a63761519d
Opcode Fuzzy Hash: af8750e8287654ba4d958da616cf464e74c669e22bcf854a4a74da838452361b
Instruction Fuzzy Hash: 0B3136B0D05208DFDB41EFA9C0487ADBBF5FB49301F6085AAC506A7684E7784A46CF55

Function 025C7CE8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365499751.00000000025C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c0000_GcA5z6ZWRK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 788dd9901a4ba4a6245d0f24872f25be37b9b4489ffb0b09582861d0051b6de5
Instruction ID: 0cd65e33fbd4c8b2eb1306ac7bcb998e4d381e318136fcb6f9223525c408bc26
Opcode Fuzzy Hash: 788dd9901a4ba4a6245d0f24872f25be37b9b4489ffb0b09582861d0051b6de5
Instruction Fuzzy Hash: F73138B0D05208DFDB40EFA9C0487ADFBF9FB48305F6084AAC40AA7684EB784A45CF55

Function 024FD01C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1364957288.00000000024FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 024FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fd000_GcA5z6ZWRK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27411cdc6e804c2c6f50364b52768ef326ef6488d66ed48466911b837a35bb51
Instruction ID: d9d5d304615bc5ab61c9f77fb748dcb1723881e08f98226ddcae73b498393661
Opcode Fuzzy Hash: 27411cdc6e804c2c6f50364b52768ef326ef6488d66ed48466911b837a35bb51
Instruction Fuzzy Hash: 8A21D371904244DFDB55DF14D9C4B17BBA5EBC4318F24C56AEA090B642C336D447CAA2

Function 024FD006 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1364957288.00000000024FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 024FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fd000_GcA5z6ZWRK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef37239f6771f28b17ab3ec451f69e1a166b90b82affe300979a20102e314c70
Instruction ID: 9423becdd1ed7df2ab43e8e6f43d4531f759ac0d921bba045f13e967812ee180
Opcode Fuzzy Hash: ef37239f6771f28b17ab3ec451f69e1a166b90b82affe300979a20102e314c70
Instruction Fuzzy Hash: B121B0755093C0CFCB02CF20D994716BF71EB86214F2881DBD9458B653C33A980ACB62

Function 025CD020 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365499751.00000000025C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c0000_GcA5z6ZWRK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26676209e5e679b92ea42e87dddf4a560617df51a25586bb9a54804405de1196
Instruction ID: a10dc97644971edc84bb0e22310e67405061d3458106544e7be9ba26dc6615bf
Opcode Fuzzy Hash: 26676209e5e679b92ea42e87dddf4a560617df51a25586bb9a54804405de1196
Instruction Fuzzy Hash: E51112B0D05209DFDB04CFAAD4446FEBBB6FB88320F20842AD915B3250E7755956CBA8

Function 025C0951 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365499751.00000000025C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c0000_GcA5z6ZWRK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5495e3d470e6e91221de7849a6b55ee1c2a25424b346307a0dcc60c54a7059aa
Instruction ID: 56915bdde6d0a83ecf2c9813ab8a21990fdb5249d53b349b95ad172ebec58cf9
Opcode Fuzzy Hash: 5495e3d470e6e91221de7849a6b55ee1c2a25424b346307a0dcc60c54a7059aa
Instruction Fuzzy Hash: F7015231700201CFDB18DBA4C484A68F7B2FF84358B61C4ADD556AB295EB35EC12CB98

Function 025C0A28 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365499751.00000000025C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c0000_GcA5z6ZWRK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f827f620e4dab2038c6b41f92a3840e5a4062fd496c6959ba71cced80206607b
Instruction ID: 0656681ea75a1febbbc4387db375a895d6cf8199178c355726ef5e00d3975d45
Opcode Fuzzy Hash: f827f620e4dab2038c6b41f92a3840e5a4062fd496c6959ba71cced80206607b
Instruction Fuzzy Hash: 73F0E2352005408FE706EBBCA860BA93BF5EF8E2417858499D1858B26ADB649C86CF81

Function 025C7C89 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365499751.00000000025C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c0000_GcA5z6ZWRK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce78bbae60d456885822d74206a81bbbf33b65589f1425c9c0eebf475088318
Instruction ID: 4c9044e0b72fa2b7f15c1a8a8c489dca2878d7392cdf77bbe19b966d0c5926f7
Opcode Fuzzy Hash: 6ce78bbae60d456885822d74206a81bbbf33b65589f1425c9c0eebf475088318
Instruction Fuzzy Hash: 09F0A0327042905FD71A977958507B92FB2AFCA610B1905EED285CB2A2ED968C02C780

Function 025C0A38 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365499751.00000000025C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c0000_GcA5z6ZWRK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e48d229129cad2a496b3852b492d90c88bbccd7ed119d90a9eb28a5f98d40973
Instruction ID: 0551a3fb84f64add19515e2644f46054a69c10f9f9c0d11ea00a3327ea82abae
Opcode Fuzzy Hash: e48d229129cad2a496b3852b492d90c88bbccd7ed119d90a9eb28a5f98d40973
Instruction Fuzzy Hash: 70E092356001008FEB05EBBDE440B2A77E9EB8C681B51C068D20587369EB69DD458F90

Function 025C09E9 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365499751.00000000025C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c0000_GcA5z6ZWRK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e3c3b9bc9cc906a8c9bb7246a516b49720c4524e75488fca270e64bdaa9edb5
Instruction ID: 56262d5de21dd93fb0687596be5f8ae92b8cf8e7d3709fc5cdf23d242a99e6fd
Opcode Fuzzy Hash: 0e3c3b9bc9cc906a8c9bb7246a516b49720c4524e75488fca270e64bdaa9edb5
Instruction Fuzzy Hash: A4E04F392046805FC7569B78E4A5AE83FB2EF8A65431548D5E885CB326D9218C57CB00

Function 025CCDF8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365499751.00000000025C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c0000_GcA5z6ZWRK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39af4ff857f91d92891be14c1afa8267bc6c8fdca59a14565a01ab657c03b7da
Instruction ID: 5417e667a503977eda83c1df28ffc57bea305033e55dfc4dd19092040370c66d
Opcode Fuzzy Hash: 39af4ff857f91d92891be14c1afa8267bc6c8fdca59a14565a01ab657c03b7da
Instruction Fuzzy Hash: DBF01574D04208EFCB84DFA8C440AACBBB4FB49300F10C0AA981897341D7329A61DF44

Function 025C7C98 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365499751.00000000025C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c0000_GcA5z6ZWRK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72327f5a56dc8fa4d25c4cbbff5730af47120ba6165c21891552a1552ed4b328
Instruction ID: 853ca8663d56016fe117547ee5ce3cc048e3a2599473a950428aa7e6602ea943
Opcode Fuzzy Hash: 72327f5a56dc8fa4d25c4cbbff5730af47120ba6165c21891552a1552ed4b328
Instruction Fuzzy Hash: EBE086327402245FD708E66D9800B7A37EAABCC750F1944E9E609DB3A1DEA5DC4187D1

Function 025CBDD0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365499751.00000000025C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c0000_GcA5z6ZWRK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa100d38ea8b0ab20f521beddb301f030b33d6afbea703e6ef494eb8dac94e44
Instruction ID: f52a84ec4be871afc5a2bda618fcf478fb29c484297002e35db70686a2b4bf06
Opcode Fuzzy Hash: fa100d38ea8b0ab20f521beddb301f030b33d6afbea703e6ef494eb8dac94e44
Instruction Fuzzy Hash: 0BE0EC71900208AFDB44EBB1D80879E7BB8EB4A245F1045A59509A3250EE765A509B9A

Function 025CFCA8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365499751.00000000025C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c0000_GcA5z6ZWRK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8634b54b3bffa863ab448921a30cbe108bf10051c17bda757ec5dfaffa961573
Instruction ID: 399d5941b3a999845f5b8b2e11239b90ca7bebee750fa493689600e863faa32a
Opcode Fuzzy Hash: 8634b54b3bffa863ab448921a30cbe108bf10051c17bda757ec5dfaffa961573
Instruction Fuzzy Hash: 81D05E74648108EFC744CB94D400A69B7BDEB46208F20849E8C0853341DB729D11CB88

Non-executed Functions

Function 025C7E21 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365499751.00000000025C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c0000_GcA5z6ZWRK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c80ddc796a83b64a8749779c428423172ab53a4c7cab3bc3d0e3dd4880ee1cca
Instruction ID: d25d52851d0bd3600a75bc04a11876fb5c60ce6dd089899002a8b9347346516b
Opcode Fuzzy Hash: c80ddc796a83b64a8749779c428423172ab53a4c7cab3bc3d0e3dd4880ee1cca
Instruction Fuzzy Hash: B0712E71E002488FEB4AEF6BE54069A7BF3BFC9300F14C569C145AB269EB745916CF41

Function 025C7E30 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365499751.00000000025C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c0000_GcA5z6ZWRK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcd0320212bf7f6dda4ee2fa8a35170ae200e187b94eb9922eae014f34902061
Instruction ID: f5d41f0e06d194568aac8c50457db056cfd1199be85f983e610304b87569f5ad
Opcode Fuzzy Hash: bcd0320212bf7f6dda4ee2fa8a35170ae200e187b94eb9922eae014f34902061
Instruction Fuzzy Hash: A3710C71E002488FEB4AEF6BE540A9ABBF3BFC9300F14C569C145AB269EB745915CF41

Function 05F1CAB0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390069910.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f10000_GcA5z6ZWRK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a763247c7ced0ca44ad39543492da071f6958cacc6cc352357ec22c602e288
Instruction ID: 8ee6b08d6c4ef3314fad5f5fd8716bc3c533b20c6f21ed76f584851118baa4b8
Opcode Fuzzy Hash: c3a763247c7ced0ca44ad39543492da071f6958cacc6cc352357ec22c602e288
Instruction Fuzzy Hash: D331D4B1E046288BEB18CFABC9447AEFBF6AF88300F14C16AC809B7254DB741941CF54

Function 05F1C0D0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390069910.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f10000_GcA5z6ZWRK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acd870a9c4e2da37fee63c7563b742d935965caf8686ee281c3d20938cb5d5bd
Instruction ID: c3b5cbf379d49579236f854946d38d3360cc9eded0d29af04aed4a8a690836dd
Opcode Fuzzy Hash: acd870a9c4e2da37fee63c7563b742d935965caf8686ee281c3d20938cb5d5bd
Instruction Fuzzy Hash: 2E21FEB5D042189FDB14CFA9D981AEEBBF1BF49310F14945AE809B7210C739A905CFA4

Function 05F1C0D8 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390069910.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f10000_GcA5z6ZWRK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2644dafc6b76cd395cb43722fa611ba60c3a5360e1122cc98036bd624f2ee186
Instruction ID: 197c1dae18590c1bd69e769360e0e874767b354e9c034a9acbedc0354b749a0d
Opcode Fuzzy Hash: 2644dafc6b76cd395cb43722fa611ba60c3a5360e1122cc98036bd624f2ee186
Instruction Fuzzy Hash: 5721C0B5D042189FDB14CFA9D980AEEFBF5FB49310F14941AE815B7210CB39A945CFA4

Function 025C87BF Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365499751.00000000025C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c0000_GcA5z6ZWRK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54fc91ddf881cbaa8509e362a02d3a4ecb77eb1e78bec0f0d15e30a920674488
Instruction ID: 988e20a08989df9fd458f1388fad349207974158e6815fe0b5ec540c24057b28
Opcode Fuzzy Hash: 54fc91ddf881cbaa8509e362a02d3a4ecb77eb1e78bec0f0d15e30a920674488
Instruction Fuzzy Hash: 5B217AB1D016188BEB58CF6BC94978EFBF7AFC9304F14C1A9C40CA6264EB7509458F51

Analysis Process: InstallUtil.exePID: 8108, Parent PID: 3968COMMON

Executed Functions

Function 01746B10 Relevance: 2.6, Strings: 1, Instructions: 1369COMMON

Download Yara Rule

Strings

TJq, xrefs: 0174A1CC

Memory Dump Source

Source File: 00000002.00000002.2607649899.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1740000_InstallUtil.jbxd

Similarity

API ID:
String ID: TJq
API String ID: 0-48878262
Opcode ID: 928b56027982ac98c517189dc3d1d7e3d4cbc986616ac92e2cd2b10abc26c55f
Instruction ID: d30e28f4526c14a2e266a4746f8a11d55d1eaee24a543e05fa620cf4f0d6119f
Opcode Fuzzy Hash: 928b56027982ac98c517189dc3d1d7e3d4cbc986616ac92e2cd2b10abc26c55f
Instruction Fuzzy Hash: 8BB200B2D443658FD776CF6CC4445AAFFB1BF5A328B1841ADD2419B667E3329802CB84

Function 01742D50 Relevance: 1.5, Strings: 1, Instructions: 244COMMON

Download Yara Rule

Strings

qkB, xrefs: 01742ED4

Memory Dump Source

Source File: 00000002.00000002.2607649899.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1740000_InstallUtil.jbxd

Similarity

API ID:
String ID: qkB
API String ID: 0-3030993317
Opcode ID: c9cb0493652ec75124326fbe1cb6408f5d9ab8b6a85fb31c2b83e83ec90e405c
Instruction ID: 6a4429394ec105cddbe13ef0db587773c831a028875f829ddd1ff5d622b6faf0
Opcode Fuzzy Hash: c9cb0493652ec75124326fbe1cb6408f5d9ab8b6a85fb31c2b83e83ec90e405c
Instruction Fuzzy Hash: BFA16F34A00105DFE724DF68E548BA9B7B3FB89310F6980A5F5169B766CB759C91CF00

Function 01742D60 Relevance: 1.5, Strings: 1, Instructions: 232COMMON

Download Yara Rule

Strings

qkB, xrefs: 01742ED4

Memory Dump Source

Source File: 00000002.00000002.2607649899.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1740000_InstallUtil.jbxd

Similarity

API ID:
String ID: qkB
API String ID: 0-3030993317
Opcode ID: f1639970880acf99b1f4071b7292a1472f5aa86039da9a0da2a07449dd637330
Instruction ID: 1cf1d50bbfac55436e1ae68992c6f3c5ac7072df1613e843949c7365211d8ac0
Opcode Fuzzy Hash: f1639970880acf99b1f4071b7292a1472f5aa86039da9a0da2a07449dd637330
Instruction Fuzzy Hash: C6915E34A00105DFE724DF68E548BA9B7B3FB89310F6980A5F51A9B76ACB759C91CF00

Function 01744448 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

Dq, xrefs: 017444E3

Memory Dump Source

Source File: 00000002.00000002.2607649899.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1740000_InstallUtil.jbxd

Similarity

API ID:
String ID: Dq
API String ID: 0-144822681
Opcode ID: 5edad5aac7058c38fce533686035ed956cd541ab6994a082e830dd44098e5489
Instruction ID: 30eed1eb619c6dc7e5e8d38740a08bbce6226b4d65ad239f65ff01726d6ab914
Opcode Fuzzy Hash: 5edad5aac7058c38fce533686035ed956cd541ab6994a082e830dd44098e5489
Instruction Fuzzy Hash: 86B1AA30A006049FDB25DF28D584B5AFBF6FF89310F5581A9E816AB3A1DB35ED01CB91

Function 01744438 Relevance: 1.4, Strings: 1, Instructions: 170COMMON

Download Yara Rule

Strings

Dq, xrefs: 017444E3

Memory Dump Source

Source File: 00000002.00000002.2607649899.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1740000_InstallUtil.jbxd

Similarity

API ID:
String ID: Dq
API String ID: 0-144822681
Opcode ID: 0166ba903dd049c96ab571f65397b94e7a340ac88159cce709bd88376b589d56
Instruction ID: 4a0ba195e5c50e49e56cf8304a827e69ef0038287cafb436005ef9b9c46c4901
Opcode Fuzzy Hash: 0166ba903dd049c96ab571f65397b94e7a340ac88159cce709bd88376b589d56
Instruction Fuzzy Hash: 7271BB74A006009FDB24DF28C584A59FBF2FF89310B6681A8D816AB362DB35EC41CF80

Function 03360CF8 Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2607908758.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3360000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 449fc576408434691b9206ae84e424e1d305871d63d0aaf4ae2db43f6ff5d434
Instruction ID: 4d3f66da44e1b031bbac2d8d27f4769f707a55134ca26d066a7dedfeac872b4e
Opcode Fuzzy Hash: 449fc576408434691b9206ae84e424e1d305871d63d0aaf4ae2db43f6ff5d434
Instruction Fuzzy Hash: AC219A74D0C2489FDB15CFA8D49939CBFB9FB46304F6480E6D0499F28AC7B84988CB41

Function 017418E0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2607649899.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1740000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d37c7d076ba9458339d186834934a95ea49c07b472b5b9af53c5ad26c3d1a331
Instruction ID: 49c124d84ba63497e2ae7c5eb822ac9039ec82bb071e484e91b1aaec18124c54
Opcode Fuzzy Hash: d37c7d076ba9458339d186834934a95ea49c07b472b5b9af53c5ad26c3d1a331
Instruction Fuzzy Hash: EC31B134740210CFE310DF68C484B6AB7B6FBC9320F6681AAE5469B766C771EC82CB50

Function 0174A2C0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2607649899.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1740000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 440891a45368a9a0cb1cb5bf43c73067d87ce1056247ad3f2ac7a4a36beb2460
Instruction ID: 5dd7a752975654bea4059560903b3619d3d32817ae7dc878aba95f2a74b24652
Opcode Fuzzy Hash: 440891a45368a9a0cb1cb5bf43c73067d87ce1056247ad3f2ac7a4a36beb2460
Instruction Fuzzy Hash: 4C01D8303402145FE358EA7A8C54F6F66EEFFCC650F144069B10AEB391DDA59C0087A4

Function 03360F70 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2607908758.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3360000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7abdfeca623d53f2585d3daf74464e59f6e865c148ec249dbb23350b6d801905
Instruction ID: dc128d5f9b11a7471d7919ed6d4e7d9406f8f6e963685350a23318b635edbd79
Opcode Fuzzy Hash: 7abdfeca623d53f2585d3daf74464e59f6e865c148ec249dbb23350b6d801905
Instruction Fuzzy Hash: 32114974D08208DFEB54DFA9D49939DBBFAFB48308F9081A5D0499F688C7B849848B41

Function 01740912 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2607649899.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1740000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 973f797c5f74fef59f591b42ca2265ef5e070683508342f6862063edc7c961b6
Instruction ID: bb2ae32da29ec156cc719c2b8b989a8b54d6ffee80f98d6c96cb93c060a801ca
Opcode Fuzzy Hash: 973f797c5f74fef59f591b42ca2265ef5e070683508342f6862063edc7c961b6
Instruction Fuzzy Hash: 84F02B2518E7C44FC75687A06CE85A07FB09A8717172A00EBD895CF1A7D19E288EA732

Function 01741780 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2607649899.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1740000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe5431bab80e3872c4cdb671266c9859b0dd83da9326096070598b2386a5027b
Instruction ID: 2ff4b020eea029a429f2b789823687d992992b32f5925b95121291029be7d4b5
Opcode Fuzzy Hash: fe5431bab80e3872c4cdb671266c9859b0dd83da9326096070598b2386a5027b
Instruction Fuzzy Hash: 35014B301493418FD353DB24E4853A47BB1EB52324FAA81E3C805CB166E3BE68CACB11

Function 01742CC9 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2607649899.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1740000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d96d1bd7df96a4fc8ff2fab43b2f74b4b363e3ae07cc275654767c0e43559c2f
Instruction ID: 8e676298f080941d6009aaf897d29e3709a2acdb5f494a091d4dc717e01bd2a8
Opcode Fuzzy Hash: d96d1bd7df96a4fc8ff2fab43b2f74b4b363e3ae07cc275654767c0e43559c2f
Instruction Fuzzy Hash: F4F02E317182804FC35587B8F4589A87BF5AF4B12071640E7E90ADF363EB25CC04CB62

Function 01742C70 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2607649899.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1740000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d91d2f6a81cc6a0064f651781ca457ab2b282200eadd90b63dc0946decffa2ee
Instruction ID: 5dae4deba4f19385bc8fe74884bc5cafab613c4d2c1ecac0dccdf47d71e79638
Opcode Fuzzy Hash: d91d2f6a81cc6a0064f651781ca457ab2b282200eadd90b63dc0946decffa2ee
Instruction Fuzzy Hash: 00F08235B000508FC764DFA8E08866577E6FB88224B1141A6E90ACF356DB26DC058B51

Function 01742D19 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2607649899.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1740000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3b05ca813ff5f75dbb489c269edcc29b54c3ee5ff511e366fb0e0b882bd9134
Instruction ID: ff0bb7c539ff720a8c9d2bbe4542bfe7ea98563c2dc8282c0f5e0321dc9ffbb4
Opcode Fuzzy Hash: b3b05ca813ff5f75dbb489c269edcc29b54c3ee5ff511e366fb0e0b882bd9134
Instruction Fuzzy Hash: 3CE06D35A5A3804FC7575B78B4144BC7FB0AE8726531500DBE886CB263DB295C55CBA1

Function 017417A8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2607649899.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1740000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55e15d7d4acc13a39ed3349f5df166bbc57b56965c5c06e4a21fcf2f8ae7e0c8
Instruction ID: 0b3decbbf2064e4f4e33e0ae6da6533474096bdf1687cb6e3f05385ad25d91ab
Opcode Fuzzy Hash: 55e15d7d4acc13a39ed3349f5df166bbc57b56965c5c06e4a21fcf2f8ae7e0c8
Instruction Fuzzy Hash: 5AE09230100105CFE366EB24E048775B3B6E794318FD5C2B1D4194A609D7BA78C4CB40

Function 03365345 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2607908758.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3360000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c6990af10ebd710336a50ec4d4feef161141834ff8eb0d82f7626114a9e5fc4
Instruction ID: 17f88365243d1400b1b299b505664ebd2849f7ffaab4c08e8308e7867e40981f
Opcode Fuzzy Hash: 8c6990af10ebd710336a50ec4d4feef161141834ff8eb0d82f7626114a9e5fc4
Instruction Fuzzy Hash: A1F03075E022028BD7A0CF34D8D93A97BA5FB88201F0584659416C7649EB759544EB00

Function 01747062 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2607649899.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1740000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89b1e648329d7253da49e2438a04236b6cc4ac18e7621f89d1f3bab6642db7a2
Instruction ID: c4d036ebb7536f1b33ad2eb54bdef2a1da6ef74cb5e4e8fc9301bbbf12d181f6
Opcode Fuzzy Hash: 89b1e648329d7253da49e2438a04236b6cc4ac18e7621f89d1f3bab6642db7a2
Instruction Fuzzy Hash: 24E09A7890120ACFCB388F60C8587ADF331AB06304F1088E9D10AA6292CB764AC9CF41

Function 01742CD8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2607649899.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1740000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a57cd00e9675c7c2cdc7df18ab8b649b8db995ab1ba41f46b056594e77a19b1
Instruction ID: a52c0bf27ef11accf6dc4134a65ef7ed7c2f26fbf792ddbffab449c5b30ec11d
Opcode Fuzzy Hash: 3a57cd00e9675c7c2cdc7df18ab8b649b8db995ab1ba41f46b056594e77a19b1
Instruction Fuzzy Hash: 0DE086347001148FC354DBB9E048A6577EAFB8D21071240A6E90EDB315DE35DC048B91

Function 01741850 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2607649899.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1740000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31ed303fd5670d33121e746d0eef300680738b7fbcc0ace8a385fd374e6c9d22
Instruction ID: 3103d2cf5fe1cbcecaa95a4d50b2c97d3c7be49535a8ef96291d1f9c9a7505a8
Opcode Fuzzy Hash: 31ed303fd5670d33121e746d0eef300680738b7fbcc0ace8a385fd374e6c9d22
Instruction Fuzzy Hash: 12E012315853414FCBE657B464941D93BF0FB473747520496D841CF052E76E2C8AE722

Function 01743BF1 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2607649899.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1740000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27a80338b8c7b7f75f79a06cfd5eebac5b3ffda0129dd28ee54f1ded28536669
Instruction ID: 391f9114a142f37ef42dbeb4bafdabc7ace4cd3ab1760634f3576393c8e4dcd4
Opcode Fuzzy Hash: 27a80338b8c7b7f75f79a06cfd5eebac5b3ffda0129dd28ee54f1ded28536669
Instruction Fuzzy Hash: D7E0B634600100CFC794DF64D599A597BF6FF4C300B6200A5E416DB769DB35DC01CB10

Function 017427B2 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2607649899.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1740000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5110caa26cf5d75eb98705550cab8cee474ec60e4a9a721fa0f33367c48b8ce5
Instruction ID: 269006dae125af820a93cf75ae418770290fd18a2b827ff64fd13600769866da
Opcode Fuzzy Hash: 5110caa26cf5d75eb98705550cab8cee474ec60e4a9a721fa0f33367c48b8ce5
Instruction Fuzzy Hash: 73D01232728141DBD3369634A45536DBAA54744990F544550D52B86346E7185F889781

Function 03361CE5 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2607908758.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3360000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f043ccc2dc25023cda6b7485d7b9aa120d7f6e97e859e139feb73f57aaba883
Instruction ID: 711f779f4353567362a3cbfb5df9bd28e692a256b06bde0e414651c73c7be4dc
Opcode Fuzzy Hash: 8f043ccc2dc25023cda6b7485d7b9aa120d7f6e97e859e139feb73f57aaba883
Instruction Fuzzy Hash: 91C08071F115014BCFD08F74885D26D37E0F744110F044A25A433C7BC4EF7984445B40

Function 01742732 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2607649899.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1740000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f85e9ecaa1c7d7c6bb6b9971f76ed505a8ebf6cbeccabef1d7725d9d8f22499c
Instruction ID: 108cb126a140c7f63a78e6e9320190bda674f5478c9d41b82feb5e848456b2bf
Opcode Fuzzy Hash: f85e9ecaa1c7d7c6bb6b9971f76ed505a8ebf6cbeccabef1d7725d9d8f22499c
Instruction Fuzzy Hash: C6C08C702201028BD2B96634A09021C62A6FB80500B808524C1228F380FF189F080382

Function 01744ADA Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2607649899.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1740000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 749c4935727f21907deee2b2c73b42f5eda3d7e278bb367f94441bbfd7e1f72e
Instruction ID: 355819c0c95855c93f22f6785a4954c39abfeb4480f7b0ee816bc30d16e35202
Opcode Fuzzy Hash: 749c4935727f21907deee2b2c73b42f5eda3d7e278bb367f94441bbfd7e1f72e
Instruction Fuzzy Hash: 11C08C30A01009FFCF85ABD0F880AAEB6B3FF84300F004014F8026A270CF220C00AB01

Function 01741A50 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2607649899.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1740000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aba82b64526175ebff1a51bdcca12394e035477b54706176d5dbb38acb80ce9e
Instruction ID: 421ffc73a4dbe214d89ede179faba3e91ca3b70576cd77540634704e52754eb1
Opcode Fuzzy Hash: aba82b64526175ebff1a51bdcca12394e035477b54706176d5dbb38acb80ce9e
Instruction Fuzzy Hash: 7FA0223008820C8B80C033E0380EAC8F38C8880032B800000F22C0000A2F202008C2A2

Function 03368810 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2607908758.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3360000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bf1748436078cc065959f295114633e9c2446c023e53536e623e44ad2acd8f3
Instruction ID: fa4a8e69cb4a1814ba5be2ae416150af382516559c012ee1f7bb372d111fa9cf
Opcode Fuzzy Hash: 8bf1748436078cc065959f295114633e9c2446c023e53536e623e44ad2acd8f3
Instruction Fuzzy Hash: 9DA0223000AB0C8E8208B2B02202020338C0800008BA000B8820C0CA200833E0A08088

Function 01740960 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2607649899.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1740000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8180b15232a3330ddd956574152951e2e0036ea3fc7841bc71e1cc7367b1ed0
Instruction ID: 42e8ab9fdfd7c877c5b40efe43b92e0d2ef0046b11664c64af4526a31ccb685c
Opcode Fuzzy Hash: c8180b15232a3330ddd956574152951e2e0036ea3fc7841bc71e1cc7367b1ed0
Instruction Fuzzy Hash: 3890023204860C8F49E027957489695779CA5485267860051E51E456065AA564589696

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report GcA5z6ZWRK.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bag.vbs

C:\Users\user\AppData\Roaming\bag.exe

C:\Users\user\AppData\Roaming\bag.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
GcA5z6ZWRK.exe

Function 025CBE20 Relevance: 3.5, Strings: 2, Instructions: 983
COMMON

Function 05F1A590 Relevance: 3.1, Strings: 2, Instructions: 614
COMMON

Function 05F1A582 Relevance: 2.7, Strings: 2, Instructions: 163
COMMON

Function 05F1D990 Relevance: 1.6, APIs: 1, Instructions: 108
nativeCOMMON

Function 05F1D998 Relevance: 1.6, APIs: 1, Instructions: 105
nativeCOMMON

Function 05F1E544 Relevance: 1.8, APIs: 1, Instructions: 263
processCOMMON

Function 05F1E550 Relevance: 1.8, APIs: 1, Instructions: 261
processCOMMON

Function 05F141E4 Relevance: 1.7, APIs: 1, Instructions: 172
fileCOMMON

Function 05F141F0 Relevance: 1.7, APIs: 1, Instructions: 169
fileCOMMON

Function 05F1FBB9 Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Function 05F1FBC0 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON