Edit tour

Windows Analysis Report
hm8dCK5P5A.exe

Overview

General Information

Sample name:	hm8dCK5P5A.exe renamed because original name is a hash value
Original sample name:	858b94c98934779a31128ecef831d3234e510820209dff907d881d7413c8c549.exe
Analysis ID:	1588160
MD5:	a864d878ebd9e868265dc2bd75d85c6e
SHA1:	582bff75e2d4dfd0b761f29728cd9a2572db389a
SHA256:	858b94c98934779a31128ecef831d3234e510820209dff907d881d7413c8c549
Tags:	exeuser-adrian__luca
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected AntiVM3

AI detected suspicious sample

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Drops VBS files to the startup folder

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to call native functions

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

One or more processes crash

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

hm8dCK5P5A.exe (PID: 8028 cmdline: "C:\Users\user\Desktop\hm8dCK5P5A.exe" MD5: A864D878EBD9E868265DC2BD75D85C6E)

InstallUtil.exe (PID: 8108 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

WerFault.exe (PID: 7328 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8108 -s 1144 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1369263142.0000000005480000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1346190404.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: hm8dCK5P5A.exe PID: 8028	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: hm8dCK5P5A.exe PID: 8028	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: InstallUtil.exe PID: 8108	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.hm8dCK5P5A.exe.5480000.4.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Sigma Signatures

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\hm8dCK5P5A.exe, ProcessId: 8028, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsSynchronized.vbs

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: hm8dCK5P5A.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\IsSynchronized.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\IsSynchronized.exe	ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Roaming\IsSynchronized.exe	Virustotal: Detection: 54%			Perma Link

Multi AV Scanner detection for submitted file

Source: hm8dCK5P5A.exe	Virustotal: Detection: 54%			Perma Link
Source: hm8dCK5P5A.exe	ReversingLabs: Detection: 82%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\IsSynchronized.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: hm8dCK5P5A.exe

Joe Sandbox ML: detected

Source: hm8dCK5P5A.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: hm8dCK5P5A.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\exe\InstallUtil.pdb6 source: InstallUtil.exe, 00000002.00000002.2579099611.0000000001480000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdbF source: InstallUtil.exe, 00000002.00000002.2579099611.000000000149B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2579099611.000000000149B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: @io.pdb source: InstallUtil.exe, 00000002.00000002.2579035434.00000000012F8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: hm8dCK5P5A.exe, 00000000.00000002.1370589704.0000000005C00000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbRL source: InstallUtil.exe, 00000002.00000002.2579099611.000000000149B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ((.pdb source: InstallUtil.exe, 00000002.00000002.2579035434.00000000012F8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2579099611.0000000001480000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: hm8dCK5P5A.exe, 00000000.00000002.1370589704.0000000005C00000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: hm8dCK5P5A.exe, 00000000.00000002.1365862347.0000000003C5B000.00000004.00000800.00020000.00000000.sdmp, hm8dCK5P5A.exe, 00000000.00000002.1368803907.00000000053F0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2579099611.000000000149B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: HP]o8C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2579035434.00000000012F8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: hm8dCK5P5A.exe, 00000000.00000002.1365862347.0000000003C5B000.00000004.00000800.00020000.00000000.sdmp, hm8dCK5P5A.exe, 00000000.00000002.1368803907.00000000053F0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb source: InstallUtil.exe, 00000002.00000002.2579099611.000000000149B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2579099611.000000000149B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb@ source: InstallUtil.exe, 00000002.00000002.2579099611.000000000149B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2579099611.00000000014F1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ?ioC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2579035434.00000000012F8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2583114036.0000000005870000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2579099611.000000000149B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdbM source: InstallUtil.exe, 00000002.00000002.2579099611.000000000149B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.PDB source: InstallUtil.exe, 00000002.00000002.2579099611.000000000149B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdbhF source: InstallUtil.exe, 00000002.00000002.2579035434.00000000012F8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2579035434.00000000012F8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: InstallUtil.exe, 00000002.00000002.2579099611.000000000149B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2579099611.000000000149B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb@F source: InstallUtil.exe, 00000002.00000002.2579099611.000000000149B000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_028D1087
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_028D1094
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 4x nop then jmp 05557457h	0_2_0555741D
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 4x nop then jmp 05557457h	0_2_05557118
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 4x nop then jmp 05557457h	0_2_05557128
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_0557CE68
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 4x nop then jmp 055768A8h	0_2_05576698
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_0557CE60
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 4x nop then jmp 055768A8h	0_2_05576688
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 4x nop then jmp 05618D88h	0_2_05618CD0
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 4x nop then jmp 05618D88h	0_2_05618C9F

Source: global traffic

TCP traffic: 192.168.2.10:64502 -> 162.159.36.2:53

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa

Source: hm8dCK5P5A.exe, 00000000.00000002.1346190404.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: hm8dCK5P5A.exe, 00000000.00000002.1365862347.0000000003C5B000.00000004.00000800.00020000.00000000.sdmp, hm8dCK5P5A.exe, 00000000.00000002.1368803907.00000000053F0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: hm8dCK5P5A.exe, 00000000.00000002.1365862347.0000000003C5B000.00000004.00000800.00020000.00000000.sdmp, hm8dCK5P5A.exe, 00000000.00000002.1368803907.00000000053F0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: hm8dCK5P5A.exe, 00000000.00000002.1365862347.0000000003C5B000.00000004.00000800.00020000.00000000.sdmp, hm8dCK5P5A.exe, 00000000.00000002.1368803907.00000000053F0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: hm8dCK5P5A.exe, 00000000.00000002.1368803907.00000000053F0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: hm8dCK5P5A.exe, 00000000.00000002.1346190404.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, hm8dCK5P5A.exe, 00000000.00000002.1368803907.00000000053F0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: hm8dCK5P5A.exe, 00000000.00000002.1368803907.00000000053F0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_0561A628 NtProtectVirtualMemory,	0_2_0561A628
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_0561CB28 NtResumeThread,	0_2_0561CB28
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_0561A621 NtProtectVirtualMemory,	0_2_0561A621
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_0561CB21 NtResumeThread,	0_2_0561CB21

Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_028D0D00	0_2_028D0D00
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_028D1688	0_2_028D1688
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_028D1698	0_2_028D1698
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_028D0CF0	0_2_028D0CF0
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_05297D5B	0_2_05297D5B
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_05293E48	0_2_05293E48
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_052963CF	0_2_052963CF
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_0529F278	0_2_0529F278
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_05290708	0_2_05290708
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_05290718	0_2_05290718
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_05293E38	0_2_05293E38
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_0529C1F0	0_2_0529C1F0
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_054777C8	0_2_054777C8
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_05476512	0_2_05476512
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_05476520	0_2_05476520
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_05470040	0_2_05470040
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_05477C62	0_2_05477C62
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_05470006	0_2_05470006
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_054777B8	0_2_054777B8
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_05555790	0_2_05555790
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_05550DD8	0_2_05550DD8
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_05551C08	0_2_05551C08
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_0555741D	0_2_0555741D
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_05555782	0_2_05555782
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_05557118	0_2_05557118
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_05557128	0_2_05557128
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_05555D3C	0_2_05555D3C
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_0555F870	0_2_0555F870
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_05555822	0_2_05555822
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_05550888	0_2_05550888
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_0557A400	0_2_0557A400
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_05572710	0_2_05572710
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_05577709	0_2_05577709
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_05576E50	0_2_05576E50
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_05577983	0_2_05577983
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_05578060	0_2_05578060
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_055754C0	0_2_055754C0
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_0557C4F8	0_2_0557C4F8
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_0557C4E9	0_2_0557C4E9
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_055754B0	0_2_055754B0
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_05577767	0_2_05577767
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_05576E31	0_2_05576E31
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_0557A3F0	0_2_0557A3F0
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_05577AB2	0_2_05577AB2
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_056125D0	0_2_056125D0
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_05616CB0	0_2_05616CB0
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_056125C0	0_2_056125C0
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_05616C58	0_2_05616C58
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_05616CA1	0_2_05616CA1
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_0561D678	0_2_0561D678
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_056196A0	0_2_056196A0
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_0561E080	0_2_0561E080
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_0561DA20	0_2_0561DA20
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_05770040	0_2_05770040
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_0577003B	0_2_0577003B
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_0578E628	0_2_0578E628
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_03042DBF	2_2_03042DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_03046C30	2_2_03046C30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_03046B9F	2_2_03046B9F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_03046BBD	2_2_03046BBD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_030441A1	2_2_030441A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_030441B0	2_2_030441B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_032107D1	2_2_032107D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_032108A8	2_2_032108A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_03210E88	2_2_03210E88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_03210E98	2_2_03210E98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_032108A8	2_2_032108A8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8108 -s 1144

Source: hm8dCK5P5A.exe, 00000000.00000002.1346190404.0000000002EC0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUrmxc.exe" vs hm8dCK5P5A.exe
Source: hm8dCK5P5A.exe, 00000000.00000002.1370589704.0000000005C00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs hm8dCK5P5A.exe
Source: hm8dCK5P5A.exe, 00000000.00000002.1344681194.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs hm8dCK5P5A.exe
Source: hm8dCK5P5A.exe, 00000000.00000002.1365862347.0000000003C5B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs hm8dCK5P5A.exe
Source: hm8dCK5P5A.exe, 00000000.00000002.1346190404.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs hm8dCK5P5A.exe
Source: hm8dCK5P5A.exe, 00000000.00000002.1368803907.00000000053F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs hm8dCK5P5A.exe
Source: hm8dCK5P5A.exe	Binary or memory string: OriginalFilenameGwnginitnb.exe6 vs hm8dCK5P5A.exe

Source: hm8dCK5P5A.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: hm8dCK5P5A.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: IsSynchronized.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.expl.evad.winEXE@4/3@1/0

Source: C:\Users\user\Desktop\hm8dCK5P5A.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsSynchronized.vbs

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7328:64:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\ab75ac34-60bd-4135-9e83-15e053cfbd15

Jump to behavior

Source: hm8dCK5P5A.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: hm8dCK5P5A.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\hm8dCK5P5A.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: hm8dCK5P5A.exe	Virustotal: Detection: 54%
Source: hm8dCK5P5A.exe	ReversingLabs: Detection: 82%

Source: C:\Users\user\Desktop\hm8dCK5P5A.exe

File read: C:\Users\user\Desktop\hm8dCK5P5A.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\hm8dCK5P5A.exe "C:\Users\user\Desktop\hm8dCK5P5A.exe"
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8108 -s 1144
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\hm8dCK5P5A.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\hm8dCK5P5A.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: hm8dCK5P5A.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: hm8dCK5P5A.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: hm8dCK5P5A.exe

Static file information: File size 1360384 > 1048576

Source: hm8dCK5P5A.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x14b800

Source: hm8dCK5P5A.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\exe\InstallUtil.pdb6 source: InstallUtil.exe, 00000002.00000002.2579099611.0000000001480000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdbF source: InstallUtil.exe, 00000002.00000002.2579099611.000000000149B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2579099611.000000000149B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: @io.pdb source: InstallUtil.exe, 00000002.00000002.2579035434.00000000012F8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: hm8dCK5P5A.exe, 00000000.00000002.1370589704.0000000005C00000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbRL source: InstallUtil.exe, 00000002.00000002.2579099611.000000000149B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ((.pdb source: InstallUtil.exe, 00000002.00000002.2579035434.00000000012F8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2579099611.0000000001480000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: hm8dCK5P5A.exe, 00000000.00000002.1370589704.0000000005C00000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: hm8dCK5P5A.exe, 00000000.00000002.1365862347.0000000003C5B000.00000004.00000800.00020000.00000000.sdmp, hm8dCK5P5A.exe, 00000000.00000002.1368803907.00000000053F0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2579099611.000000000149B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: HP]o8C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2579035434.00000000012F8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: hm8dCK5P5A.exe, 00000000.00000002.1365862347.0000000003C5B000.00000004.00000800.00020000.00000000.sdmp, hm8dCK5P5A.exe, 00000000.00000002.1368803907.00000000053F0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb source: InstallUtil.exe, 00000002.00000002.2579099611.000000000149B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2579099611.000000000149B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb@ source: InstallUtil.exe, 00000002.00000002.2579099611.000000000149B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2579099611.00000000014F1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ?ioC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2579035434.00000000012F8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2583114036.0000000005870000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2579099611.000000000149B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdbM source: InstallUtil.exe, 00000002.00000002.2579099611.000000000149B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.PDB source: InstallUtil.exe, 00000002.00000002.2579099611.000000000149B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdbhF source: InstallUtil.exe, 00000002.00000002.2579035434.00000000012F8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2579035434.00000000012F8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: InstallUtil.exe, 00000002.00000002.2579099611.000000000149B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2579099611.000000000149B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb@F source: InstallUtil.exe, 00000002.00000002.2579099611.000000000149B000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.hm8dCK5P5A.exe.5480000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1369263142.0000000005480000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1346190404.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hm8dCK5P5A.exe PID: 8028, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 8108, type: MEMORYSTR

Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_0547AE25 push ecx; iretd	0_2_0547AE26
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_05472A39 push esp; retf	0_2_05472A3A
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_05556CC8 push E8FFFFFFh; iretd	0_2_05556CCD
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Code function: 0_2_05772388 push E8000002h; iretd	0_2_0577238D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_032145E0 push ecx; iretd	2_2_032145EC

Source: hm8dCK5P5A.exe	Static PE information: section name: .text entropy: 7.999747707756202
Source: IsSynchronized.exe.0.dr	Static PE information: section name: .text entropy: 7.999747707756202

Source: C:\Users\user\Desktop\hm8dCK5P5A.exe

File created: C:\Users\user\AppData\Roaming\IsSynchronized.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\Desktop\hm8dCK5P5A.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsSynchronized.vbs

Jump to dropped file

Source: C:\Users\user\Desktop\hm8dCK5P5A.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsSynchronized.vbs

Jump to behavior

Source: C:\Users\user\Desktop\hm8dCK5P5A.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsSynchronized.vbs

Jump to behavior

Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: hm8dCK5P5A.exe PID: 8028, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: hm8dCK5P5A.exe, 00000000.00000002.1346190404.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: EXPLORER SBIEDLL.DLL!CUCKOOMON.DLL"WIN32_PROCESS.HANDLE='{0}'#PARENTPROCESSID$CMD%SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE&VERSION'SERIALNUMBER)VMWARE\|VIRTUAL\|A M I\|XENSELECT FROM WIN32_COMPUTERSYSTEM+MANUFACTURER,MODEL-MICROSOFT\|VMWARE\|VIRTUAL.JOHN/ANNA0XXXXXXXX
Source: hm8dCK5P5A.exe, 00000000.00000002.1346190404.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Memory allocated: 28D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Memory allocated: 2A30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Memory allocated: 4A30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2FA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 3270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2FA0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\hm8dCK5P5A.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS

Source: C:\Users\user\Desktop\hm8dCK5P5A.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem

Source: hm8dCK5P5A.exe, 00000000.00000002.1346190404.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: hm8dCK5P5A.exe, 00000000.00000002.1346190404.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q 1:en-CH:Microsoft\|VMWare\|Virtual
Source: hm8dCK5P5A.exe, 00000000.00000002.1346190404.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: hm8dCK5P5A.exe, 00000000.00000002.1346190404.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q 1:en-CH:VMware\|VIRTUAL\|A M I\|Xen
Source: hm8dCK5P5A.exe, 00000000.00000002.1346190404.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: hm8dCK5P5A.exe, 00000000.00000002.1346190404.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: explorer SbieDll.dll!cuckoomon.dll"win32_process.handle='{0}'#ParentProcessId$cmd%select * from Win32_BIOS8Unexpected WMI query failure&version'SerialNumber)VMware\|VIRTUAL\|A M I\|Xenselect from Win32_ComputerSystem+manufacturer,model-Microsoft\|VMWare\|Virtual.john/anna0xxxxxxxx

Source: C:\Users\user\Desktop\hm8dCK5P5A.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\hm8dCK5P5A.exe

Code function: 0_2_0557CE68 CheckRemoteDebuggerPresent,

0_2_0557CE68

Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\hm8dCK5P5A.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\hm8dCK5P5A.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 480000	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 482000	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 11B8008	Jump to behavior

Source: C:\Users\user\Desktop\hm8dCK5P5A.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

Jump to behavior

Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Queries volume information: C:\Users\user\Desktop\hm8dCK5P5A.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hm8dCK5P5A.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\hm8dCK5P5A.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	2 Windows Management Instrumentation	1 Scripting	211 Process Injection	1 Masquerading	OS Credential Dumping	321 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Registry Run Keys / Startup Folder	2 Registry Run Keys / Startup Folder	3 Virtualization/Sandbox Evasion	LSASS Memory	3 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	211 Process Injection	NTDS	32 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
hm8dCK5P5A.exe	54%	Virustotal		Browse
hm8dCK5P5A.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.Leonem
hm8dCK5P5A.exe	100%	Avira	TR/Dropper.Gen
hm8dCK5P5A.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\IsSynchronized.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\IsSynchronized.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\IsSynchronized.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.Leonem
C:\Users\user\AppData\Roaming\IsSynchronized.exe	54%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		high
18.31.95.13.in-addr.arpa	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://github.com/mgravell/protobuf-net	hm8dCK5P5A.exe, 00000000.00000002.1365862347.0000000003C5B000.00000004.00000800.00020000.00000000.sdmp, hm8dCK5P5A.exe, 00000000.00000002.1368803907.00000000053F0000.00000004.08000000.00040000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-neti	hm8dCK5P5A.exe, 00000000.00000002.1365862347.0000000003C5B000.00000004.00000800.00020000.00000000.sdmp, hm8dCK5P5A.exe, 00000000.00000002.1368803907.00000000053F0000.00000004.08000000.00040000.00000000.sdmp	false	high
https://stackoverflow.com/q/14436606/23354	hm8dCK5P5A.exe, 00000000.00000002.1346190404.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, hm8dCK5P5A.exe, 00000000.00000002.1368803907.00000000053F0000.00000004.08000000.00040000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-netJ	hm8dCK5P5A.exe, 00000000.00000002.1365862347.0000000003C5B000.00000004.00000800.00020000.00000000.sdmp, hm8dCK5P5A.exe, 00000000.00000002.1368803907.00000000053F0000.00000004.08000000.00040000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	hm8dCK5P5A.exe, 00000000.00000002.1346190404.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	hm8dCK5P5A.exe, 00000000.00000002.1368803907.00000000053F0000.00000004.08000000.00040000.00000000.sdmp	false	high
https://stackoverflow.com/q/2152978/23354	hm8dCK5P5A.exe, 00000000.00000002.1368803907.00000000053F0000.00000004.08000000.00040000.00000000.sdmp	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588160
Start date and time:	2025-01-10 22:02:23 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	hm8dCK5P5A.exe renamed because original name is a hash value
Original Sample Name:	858b94c98934779a31128ecef831d3234e510820209dff907d881d7413c8c549.exe
Detection:	MAL
Classification:	mal100.expl.evad.winEXE@4/3@1/0
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 89% Number of executed functions: 151 Number of non-executed functions: 31
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 172.202.163.200, 13.95.31.18, 4.245.163.56
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target InstallUtil.exe, PID 8108 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
22:03:24	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsSynchronized.vbs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8f	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	upXUt2jZ0S.exe	Get hash	malicious	Snake Keylogger	Browse	13.107.246.45
	247714231173424547.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	984279432356016169.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	https://cocteldedeas.mx/rx567#cmVjaWJhc2VAc2VhbWFyaXRpbWEuY29t	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	I3LPkQh2an.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	295963673155714664.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	24928193762733825739.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	FUEvp5c8lO.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	13.107.246.45
	http://unikuesolutions.com/ck/bd/%7BRANDOM_NUMBER05%7D/YmVuc29uLmxpbkB2aGFjb3JwLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45

Process:	C:\Users\user\Desktop\hm8dCK5P5A.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1360384
Entropy (8bit):	7.999240750923545
Encrypted:	true
SSDEEP:	24576:/qS8PcdwsQDBvuc1k+MJkNmIkHrro+DhK7eliZQs:LaluIrNmImhDhQelfs
MD5:	A864D878EBD9E868265DC2BD75D85C6E
SHA1:	582BFF75E2D4DFD0B761F29728CD9A2572DB389A
SHA-256:	858B94C98934779A31128ECEF831D3234E510820209DFF907D881D7413C8C549
SHA-512:	849686F42485EFED39D261AAC989B033EE4A9E07132174FEF74C36ED48D465E4492AAA6E7EAA403A51224232594A87CBDA7BC59976B22A9B0D2C18FE2B8E8416
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83% Antivirus: Virustotal, Detection: 54%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l.Xg................................. ........@.. ....................... ............`.....................................S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......\|................!.............................................2r...p(....&B(....(....o....2(.....o......!...(....ra..p(.....(..........o......( ....~....:....r...p.....(....o!...s"........~.....~...........j(....r...p~....o#...t......0..i.......s......r...p(....o.....rG..p(....o.....o.......8.....(..........&......,......io...........9.....o...............5..@..........TZ....................lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Cul

C:\Users\user\AppData\Roaming\IsSynchronized.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\hm8dCK5P5A.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsSynchronized.vbs

Download File

Process:	C:\Users\user\Desktop\hm8dCK5P5A.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	88
Entropy (8bit):	4.885528283818913
Encrypted:	false
SSDEEP:	3:FER/n0eFHHoMEREaKC5/GFK4Mn:FER/lFHIFiaZ5OFK7
MD5:	1312D265D0A90B48F0EDFBA78A1AC05B
SHA1:	2F87FFC45242137A4C62028D80FFD96065F659E6
SHA-256:	7D41C387F6C458AD9153E725DCCC96483EE8ED2B0F07C7A3BA5D424850D492C6
SHA-512:	F13AF40CB3145CB5093FED0BA8A272D4663AD580D5D0E81F052A97B07BC73B000EFAD29EAD687E15A10478B21DA35091A3222D28A18E758966722E348152A83B
Malicious:	true
Reputation:	low
Preview:	CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\IsSynchronized.exe"""

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.999240750923545
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	hm8dCK5P5A.exe
File size:	1'360'384 bytes
MD5:	a864d878ebd9e868265dc2bd75d85c6e
SHA1:	582bff75e2d4dfd0b761f29728cd9a2572db389a
SHA256:	858b94c98934779a31128ecef831d3234e510820209dff907d881d7413c8c549
SHA512:	849686f42485efed39d261aac989b033ee4a9e07132174fef74c36ed48d465e4492aaa6e7eaa403a51224232594a87cbda7bc59976b22a9b0d2c18fe2b8e8416
SSDEEP:	24576:/qS8PcdwsQDBvuc1k+MJkNmIkHrro+DhK7eliZQs:LaluIrNmImhDhQelfs
TLSH:	B15533D33AC2EFF8E115B0B69C7E25519510833C79716B0E39752A8E9BF28F11B6098C
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l.Xg................................. ........@.. ....................... ............`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x54d7de
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6758E96C [Wed Dec 11 01:22:52 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x14d788	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14e000	0x5b6	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x150000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x14b7e4	0x14b800	e5c7029e503c8da88187495f56a94679	False	0.9993762078148567	data	7.999747707756202	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x14e000	0x5b6	0x600	6e5a52cb092fb0567f9c8f849e39272f	False	0.421875	data	4.106056367531875	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x150000	0xc	0x200	3fff1e606668cfc6c06a8a964aa9eae8	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x14e0a0	0x32c	data			0.4248768472906404
RT_MANIFEST	0x14e3cc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 22:03:52.806077957 CET	64502	53	192.168.2.10	162.159.36.2
Jan 10, 2025 22:03:52.810903072 CET	53	64502	162.159.36.2	192.168.2.10
Jan 10, 2025 22:03:52.810983896 CET	64502	53	192.168.2.10	162.159.36.2
Jan 10, 2025 22:03:52.815812111 CET	53	64502	162.159.36.2	192.168.2.10
Jan 10, 2025 22:03:53.338908911 CET	64502	53	192.168.2.10	162.159.36.2
Jan 10, 2025 22:03:53.343986034 CET	53	64502	162.159.36.2	192.168.2.10
Jan 10, 2025 22:03:53.344055891 CET	64502	53	192.168.2.10	162.159.36.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 22:03:52.805540085 CET	53	56030	162.159.36.2	192.168.2.10
Jan 10, 2025 22:03:53.373483896 CET	61323	53	192.168.2.10	1.1.1.1
Jan 10, 2025 22:03:53.381266117 CET	53	61323	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 22:03:53.373483896 CET	192.168.2.10	1.1.1.1	0x656b	Standard query (0)	18.31.95.13.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 22:03:17.908328056 CET	1.1.1.1	192.168.2.10	0x3359	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 22:03:17.908328056 CET	1.1.1.1	192.168.2.10	0x3359	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:03:53.381266117 CET	1.1.1.1	192.168.2.10	0x656b	Name error (3)	18.31.95.13.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Target ID:	0
Start time:	16:03:20
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\hm8dCK5P5A.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\hm8dCK5P5A.exe"
Imagebase:	0x640000
File size:	1'360'384 bytes
MD5 hash:	A864D878EBD9E868265DC2BD75D85C6E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1369263142.0000000005480000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1346190404.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:03:21
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0xe70000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	16:03:23
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 8108 -s 1144
Imagebase:	0x930000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	23.7%
Total number of Nodes:	333
Total number of Limit Nodes:	20

Executed Functions

Function 05616CB0 Relevance: 3.1, Strings: 2, Instructions: 614
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8, xrefs: 05616DBA
{)f4, xrefs: 056171AF

Memory Dump Source

Source File: 00000000.00000002.1370007095.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5610000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID: 8${)f4
API String ID: 0-4095463361
Opcode ID: c2998c907039b68e87cb12539de25bf9c1a8c2a6d69e4290e795d65de7f916f6
Instruction ID: a50fd01f0caabb069ac8d91fc4ce60b82f0fe6af7886446e8034b6fd5161368c
Opcode Fuzzy Hash: c2998c907039b68e87cb12539de25bf9c1a8c2a6d69e4290e795d65de7f916f6
Instruction Fuzzy Hash: AE52C575E002298FDB64DF69CC54AD9B7B2FF89310F1482AAD809A7355DB70AE81CF40

Function 052963CF Relevance: 2.6, Strings: 1, Instructions: 1355
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2, xrefs: 052973D6

Memory Dump Source

Source File: 00000000.00000002.1368207318.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5290000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID: 2
API String ID: 0-450215437
Opcode ID: 2a4042a2582964375eb90ba67259a03e0116e2755583001c8fe4029dcc801a0e
Instruction ID: 546485fa18f7510bb92b55a3955fae448f6e9ca841f143d1b17a8fa1de390758
Opcode Fuzzy Hash: 2a4042a2582964375eb90ba67259a03e0116e2755583001c8fe4029dcc801a0e
Instruction Fuzzy Hash: E3E2C274A042288FDB64DF68DC9479ABBB2FF89301F1081EAE409A7355DB749E85DF40

Function 05293E48 Relevance: 2.2, Strings: 1, Instructions: 983
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

X[[%, xrefs: 05294225

Memory Dump Source

Source File: 00000000.00000002.1368207318.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5290000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID: X[[%
API String ID: 0-1566534104
Opcode ID: 3e665d3490b41ff63fa3cdefc71c2b3c044fe9a054b17cacf6b27f29663d2371
Instruction ID: 2ed128e587535bbbe9d3c827580de84a04eb7e30ded6a0d144d1442f9f0bf7a8
Opcode Fuzzy Hash: 3e665d3490b41ff63fa3cdefc71c2b3c044fe9a054b17cacf6b27f29663d2371
Instruction Fuzzy Hash: 3CA2A575A00228CFDB65DF69C984AD9BBB2FF89304F1581E9D509AB325DB319E81CF40

Function 0561A621 Relevance: 1.6, APIs: 1, Instructions: 108
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 0561A6DD

Memory Dump Source

Source File: 00000000.00000002.1370007095.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5610000_hm8dCK5P5A.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: c00b90fec8d8ab074b0c2d721e387b263f5d2fc0aa47e4943dbfe55ff4b20a28
Instruction ID: 47c7a4769ac610a6d6979359dd462d4d1b2741eafd6cef865a1c0bfe485eb1fd
Opcode Fuzzy Hash: c00b90fec8d8ab074b0c2d721e387b263f5d2fc0aa47e4943dbfe55ff4b20a28
Instruction Fuzzy Hash: 4D4198B9D002589FCF10CFAAD880AEEFBB1BB49310F14942AE815B7300D735A945CF98

Function 0561A628 Relevance: 1.6, APIs: 1, Instructions: 105
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 0561A6DD

Memory Dump Source

Source File: 00000000.00000002.1370007095.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5610000_hm8dCK5P5A.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: ca4538530015343f15952eceb372aa033a78c63761609394008e496bc8fe18ad
Instruction ID: 30082e9ad382edce98fe9d7ff0c63bb65f6cf3ed4ea182bce4397e9944666616
Opcode Fuzzy Hash: ca4538530015343f15952eceb372aa033a78c63761609394008e496bc8fe18ad
Instruction Fuzzy Hash: 1E418AB9D042589FCF10CFAAD880ADEFBB1BB49310F14942AE815B7310D775A945CF98

Function 0557CE60 Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 0557CF02

Memory Dump Source

Source File: 00000000.00000002.1369779574.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5570000_hm8dCK5P5A.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 0a837dfe4c0a03438cffaea8b3f8ecef4389653b854fc128cd9b4eb32420d7b2
Instruction ID: 9d405a14672139372a68fb250f529c9e16eb3c035889bd359cfb0eb2a043bca7
Opcode Fuzzy Hash: 0a837dfe4c0a03438cffaea8b3f8ecef4389653b854fc128cd9b4eb32420d7b2
Instruction Fuzzy Hash: 6C41EEB5D04258DFCB10CFA9D480AEEFBF1BB49320F24942AE455B7240C778AA85CF64

Function 0557CE68 Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 0557CF02

Memory Dump Source

Source File: 00000000.00000002.1369779574.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5570000_hm8dCK5P5A.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: ede3e2a93cabf4553edf79e04784c559f56c3e7597fc14e3ee3193195676d21c
Instruction ID: 56d22fd8c9f7d0e33a6200ee61c081e609d2f0e7912ba312dc396261970a79dd
Opcode Fuzzy Hash: ede3e2a93cabf4553edf79e04784c559f56c3e7597fc14e3ee3193195676d21c
Instruction Fuzzy Hash: 7041EEB5D04258DFCB10CFA9D480AEEFBF1BB49310F24942AE455B7240C778AA85CF64

Function 05577AB2 Relevance: 1.6, Strings: 1, Instructions: 338COMMON

Download Yara Rule

Strings

lZU, xrefs: 05577810

Memory Dump Source

Source File: 00000000.00000002.1369779574.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5570000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID: lZU
API String ID: 0-835134359
Opcode ID: 439b1c419ea514205430db85a7ee3c4038d5717fefa80bb7abc7b74eaef5ce18
Instruction ID: 3f7f0f8da9d70a6e6d342e2969d935d7ec81ded22311e5f518c9834a2ddb6746
Opcode Fuzzy Hash: 439b1c419ea514205430db85a7ee3c4038d5717fefa80bb7abc7b74eaef5ce18
Instruction Fuzzy Hash: 4EF1E974A15228CFDBA4DF19E898BA9B7F1FB48300F1081E9E409A7395DB749E85CF44

Function 0561CB21 Relevance: 1.6, APIs: 1, Instructions: 84nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 0561CBB6

Memory Dump Source

Source File: 00000000.00000002.1370007095.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5610000_hm8dCK5P5A.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 6f7694443cd053f9f57f9b41831be4d4ae703c5e295137c386382eac1796e76c
Instruction ID: f72c46dc7338b4e0c22699e783b188ce15a28499e160e58b354ed129b070e5f7
Opcode Fuzzy Hash: 6f7694443cd053f9f57f9b41831be4d4ae703c5e295137c386382eac1796e76c
Instruction Fuzzy Hash: 7731CAB5D012189FDB10CFAAD980AAEFBF5FB49310F24842AE814B7300C775A945CF98

Function 0561CB28 Relevance: 1.6, APIs: 1, Instructions: 82nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 0561CBB6

Memory Dump Source

Source File: 00000000.00000002.1370007095.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5610000_hm8dCK5P5A.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 25e8c805bd00dfed21cde737820dbe62d6ca2f4370cbd303becbe7082f657020
Instruction ID: ab52f4382623e6366be1773b65e57c468e58d3a04eb5855b7247a2a5e8afe819
Opcode Fuzzy Hash: 25e8c805bd00dfed21cde737820dbe62d6ca2f4370cbd303becbe7082f657020
Instruction Fuzzy Hash: 7131AAB5D012189FDB10CFAAD980AAEFBF1FB49310F24942AE815B7300D775A945CF98

Function 05577983 Relevance: 1.6, Strings: 1, Instructions: 326COMMON

Download Yara Rule

Strings

lZU, xrefs: 05577810

Memory Dump Source

Source File: 00000000.00000002.1369779574.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5570000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID: lZU
API String ID: 0-835134359
Opcode ID: 5e0060a1d8c33afaa97cc7a22b20b389bd47fa6d7b17b8975164bb4268e6f42d
Instruction ID: 870c9daaba004f823133c4929d5b5d2f77122beae4ba6a6827110d10a6b5eb53
Opcode Fuzzy Hash: 5e0060a1d8c33afaa97cc7a22b20b389bd47fa6d7b17b8975164bb4268e6f42d
Instruction Fuzzy Hash: 32F1F874A15228CFDBA4DF19E898BA9B7F1FB48300F1081E9E409A7395DB749E85CF44

Function 05555782 Relevance: 1.6, Strings: 1, Instructions: 302COMMON

Download Yara Rule

Strings

{)f4, xrefs: 055558CA

Memory Dump Source

Source File: 00000000.00000002.1369654367.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5550000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID: {)f4
API String ID: 0-3103112570
Opcode ID: c801099dfc763faefce1499461d956b4e01553c5d295816027daedc7ee8ca183
Instruction ID: 6cd0302933826f8a79ba76639f0c2d4c64b5a9b92294f3db6c7867a6d19ed216
Opcode Fuzzy Hash: c801099dfc763faefce1499461d956b4e01553c5d295816027daedc7ee8ca183
Instruction Fuzzy Hash: E1D1F874E05318CFDB54DFA9D894BADBBF2FB49314F1080AAD409AB291EB745A85CF40

Function 05555790 Relevance: 1.6, Strings: 1, Instructions: 301COMMON

Download Yara Rule

Strings

{)f4, xrefs: 055558CA

Memory Dump Source

Source File: 00000000.00000002.1369654367.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5550000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID: {)f4
API String ID: 0-3103112570
Opcode ID: 550bc4014701919d2a5699751e535981845a99f477e4f7bf8dfec3129db18d19
Instruction ID: 8f9d247961e4c7f6b4ba2195de2f5b9c37dcda00dc5e0973e1b993d45e324b05
Opcode Fuzzy Hash: 550bc4014701919d2a5699751e535981845a99f477e4f7bf8dfec3129db18d19
Instruction Fuzzy Hash: 2FD10774E05318CFDB54DFA9D854BADBBF2FB49314F1080AAE409AB291DB745A85CF40

Function 05577709 Relevance: 1.5, Strings: 1, Instructions: 298COMMON

Download Yara Rule

Strings

lZU, xrefs: 05577810

Memory Dump Source

Source File: 00000000.00000002.1369779574.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5570000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID: lZU
API String ID: 0-835134359
Opcode ID: 227a6dd6c4f5a6518f84dd38dbbaa3062a94dc902739816693a095b36e2cb685
Instruction ID: f02374c0c8b25f5abfe1d5e6f43d74f5ffae3c39623c68a82c815d7ea43708d6
Opcode Fuzzy Hash: 227a6dd6c4f5a6518f84dd38dbbaa3062a94dc902739816693a095b36e2cb685
Instruction Fuzzy Hash: 09E10874A1522CCFDBA4DF19E898BE9B7B2FB48300F1081E9D409A7291DB749E85CF44

Function 05555822 Relevance: 1.5, Strings: 1, Instructions: 285COMMON

Download Yara Rule

Strings

{)f4, xrefs: 055558CA

Memory Dump Source

Source File: 00000000.00000002.1369654367.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5550000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID: {)f4
API String ID: 0-3103112570
Opcode ID: ddd8641ece6b1dd86a7d2d38739bf392756c05bcaeee35a6e81667a52c926688
Instruction ID: d9a4cb5b12e1e4ea67252207342149fe1c41978b6af950ea8d8bf6937aacf542
Opcode Fuzzy Hash: ddd8641ece6b1dd86a7d2d38739bf392756c05bcaeee35a6e81667a52c926688
Instruction Fuzzy Hash: BAD1E674E05218CFDB54DFA9D854BADBBF2FB49314F1080AAE50AAB295DB345E85CF00

Function 05577767 Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

lZU, xrefs: 05577810

Memory Dump Source

Source File: 00000000.00000002.1369779574.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5570000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID: lZU
API String ID: 0-835134359
Opcode ID: 505c981bee881bce1d6269582949ffb0472c0c47e985e363a9e326e5e783b326
Instruction ID: f8a4a89b6bba9778582d4715ac135ae4d308095bc2ba32b7606823714ca28f07
Opcode Fuzzy Hash: 505c981bee881bce1d6269582949ffb0472c0c47e985e363a9e326e5e783b326
Instruction Fuzzy Hash: A8D10674A15228CFDBA4DF19E898BE9B7F2FB48300F1081E9D409A7291DB749E85CF44

Function 05555D3C Relevance: 1.5, Strings: 1, Instructions: 267COMMON

Download Yara Rule

Strings

{)f4, xrefs: 055558CA

Memory Dump Source

Source File: 00000000.00000002.1369654367.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5550000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID: {)f4
API String ID: 0-3103112570
Opcode ID: ede65da0c4326bba771ec4d217118419668871ea4b3017b934f7fcf368e59d90
Instruction ID: 1717887e6d8d225f7da2b81ea5b8c93c5cead7dd82a76f7a5c6cfde29861cdf1
Opcode Fuzzy Hash: ede65da0c4326bba771ec4d217118419668871ea4b3017b934f7fcf368e59d90
Instruction Fuzzy Hash: FFC1E674E05318CFDB54DFA9D854BADBBF2FB49314F1080AAE50AAB291DB745A85CF00

Function 056125C0 Relevance: 1.5, Strings: 1, Instructions: 263COMMON

Download Yara Rule

Strings

HM*p, xrefs: 0561276D

Memory Dump Source

Source File: 00000000.00000002.1370007095.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5610000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID: HM*p
API String ID: 0-952634441
Opcode ID: ca331ed3d6691fda663ee9a50f754c9be5ab7598bed7065289f82283ad2a8c72
Instruction ID: 4184670606d94cc2c004dc70c03f610189c9df7df806717c886025896e622a83
Opcode Fuzzy Hash: ca331ed3d6691fda663ee9a50f754c9be5ab7598bed7065289f82283ad2a8c72
Instruction Fuzzy Hash: F0C13B78E05218CFDF50DFA5D854BAEBBB2FB49300F14806AE809A7395DB745986CF44

Function 054777C8 Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

g!o?, xrefs: 05477A7D

Memory Dump Source

Source File: 00000000.00000002.1369190231.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5470000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID: g!o?
API String ID: 0-3929630244
Opcode ID: c375a5bd3edd1d3e1f94990a590fc2aabc5d669c753b81f69ecd58099258247b
Instruction ID: 50864fa556e6738589b0a4b9a60182ef6262f7bff3a336f1b3cf08e33014f334
Opcode Fuzzy Hash: c375a5bd3edd1d3e1f94990a590fc2aabc5d669c753b81f69ecd58099258247b
Instruction Fuzzy Hash: 95A1B374E05208CFDB54CFAAD884AEDBBF6FB89304F6190AAD409AB255D7309946CF50

Function 056125D0 Relevance: 1.5, Strings: 1, Instructions: 242COMMON

Download Yara Rule

Strings

HM*p, xrefs: 0561276D

Memory Dump Source

Source File: 00000000.00000002.1370007095.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5610000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID: HM*p
API String ID: 0-952634441
Opcode ID: d630ebfecf09b058e11f76b8898ecbc498cf89e50b9ba45dfee242ee09e8ba93
Instruction ID: 82a351076a17544cf0ec828c7a57c22c2508f876d249ec781591249349bd57e5
Opcode Fuzzy Hash: d630ebfecf09b058e11f76b8898ecbc498cf89e50b9ba45dfee242ee09e8ba93
Instruction Fuzzy Hash: 13B10878E05218CFDF54DFA9D854BAEBBB2FB49300F108069E809A7395DB745986CF44

Function 054777B8 Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

g!o?, xrefs: 05477A7D

Memory Dump Source

Source File: 00000000.00000002.1369190231.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5470000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID: g!o?
API String ID: 0-3929630244
Opcode ID: cba4dd14a2008f15f5ec25c823d3a1294632dbc5888d64839afed7c97c274e3c
Instruction ID: 47e9674503d8948d95d05f80b404c3fdb0f64367447e7fef718a9eea21dfbbcd
Opcode Fuzzy Hash: cba4dd14a2008f15f5ec25c823d3a1294632dbc5888d64839afed7c97c274e3c
Instruction Fuzzy Hash: 63A1B474E05208CFDB54CFAAD884BEDBBF2FB89304F6590AAD409AB255D7309946CF10

Function 05616C58 Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

h, xrefs: 05616DAE

Memory Dump Source

Source File: 00000000.00000002.1370007095.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5610000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID: h
API String ID: 0-2439710439
Opcode ID: 3198b5f1bec3658771dbc91fd85b369d9736ad9c3c4acfad304d252fe9f185dc
Instruction ID: 533ba07c727a702ee670ae0ea6d061951775ae80bd2f53605b6171713e3bc0c2
Opcode Fuzzy Hash: 3198b5f1bec3658771dbc91fd85b369d9736ad9c3c4acfad304d252fe9f185dc
Instruction Fuzzy Hash: 4081E675E052298FDB64DF69C850AE9B7B2FF89300F1482AAD80DA7354EB705E85CF50

Function 05616CA1 Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

h, xrefs: 05616DAE

Memory Dump Source

Source File: 00000000.00000002.1370007095.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5610000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID: h
API String ID: 0-2439710439
Opcode ID: f9c991a1501c7cf9e01f16ab5585033b081e8fea5bffe8a979ec06348dea8c8b
Instruction ID: 7986d5970a59d06d0a13c00c65d23956ac5a74e6dc8c451175d35a9c23439f49
Opcode Fuzzy Hash: f9c991a1501c7cf9e01f16ab5585033b081e8fea5bffe8a979ec06348dea8c8b
Instruction Fuzzy Hash: 6771F575E046298FEB24DF69C850AD9B7B2FF89300F1481AAD90DA7254EB705E85CF50

Function 05578060 Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

'D, xrefs: 05578152

Memory Dump Source

Source File: 00000000.00000002.1369779574.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5570000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID: 'D
API String ID: 0-3363548994
Opcode ID: fd843910e5c374a1941459fc4f9bc81d9c1dec2f77e8c4af224681a0858276a7
Instruction ID: b08c76e1b05e85b1d50cb1dc3221c595d19f65266a5c2d855075bc40d8e9c4bf
Opcode Fuzzy Hash: fd843910e5c374a1941459fc4f9bc81d9c1dec2f77e8c4af224681a0858276a7
Instruction Fuzzy Hash: 7F71B474A05228CFDB65DF29D898B9ABBF2FB49300F1080E9E50DA7255DB349E85CF44

Function 05572710 Relevance: .7, Instructions: 683COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369779574.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5570000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c71517bc1e50f784ba6e2c283da9f997c3a8b88a1ccd29f3908dba6f01d79d90
Instruction ID: 8168e94262a6bfb98be230f4f4ff65c6be66a1c09bd27ef412ae8027a7421557
Opcode Fuzzy Hash: c71517bc1e50f784ba6e2c283da9f997c3a8b88a1ccd29f3908dba6f01d79d90
Instruction Fuzzy Hash: 7A428974B003199FDB14DF69D495AAEBBF2FF88300F248529E55AD7381DB34A942CB90

Function 05297D5B Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1368207318.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5290000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 229d11ead8fc705fd707be611524e696f7fc7aafa1a07eba09b79377dfef1817
Instruction ID: d51612852f72b619e764c9879b6c293425f716c76bc94dd0d90b0f183feaa197
Opcode Fuzzy Hash: 229d11ead8fc705fd707be611524e696f7fc7aafa1a07eba09b79377dfef1817
Instruction Fuzzy Hash: E352B074A142288FDB64DF28CD98B9AB7B2FF89301F1081D9A40DA7355DB34AE81CF51

Function 05550DD8 Relevance: .4, Instructions: 412COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369654367.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5550000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ff4ef04d710e1fa4657ad6854fad1ec696d5ef2cb9cbccd02c33a71074c7293
Instruction ID: 822c07ee76d09661a76300315eb8e8d396536b4ae7e1c759b8612fb197167dae
Opcode Fuzzy Hash: 2ff4ef04d710e1fa4657ad6854fad1ec696d5ef2cb9cbccd02c33a71074c7293
Instruction Fuzzy Hash: BF020670D00629CFDB20CFA8C895BEDBBB1BF49310F1085AAD849B7250EB749A85CF55

Function 05551C08 Relevance: .4, Instructions: 387COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369654367.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5550000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3754513ff24b51ef616be61a880d453ed6f55bb5226833691ee3264aa2ef1f
Instruction ID: f89c7d0d28c3e71651692700c8c778a6538b1455466a38fb1c14f70bd457952c
Opcode Fuzzy Hash: 7f3754513ff24b51ef616be61a880d453ed6f55bb5226833691ee3264aa2ef1f
Instruction Fuzzy Hash: AEF1F574D00629CFDB24CFA9C891BDDBBF1BF49310F1085AAD849A7250EB749985CF51

Function 0557A400 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369779574.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5570000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 235d12cab3ee081c60a19e6a0566270ce800a8587171b9ae2f1b235ce3d3e0ca
Instruction ID: d2bfaeba8dc461ef4a35cf0aa4e44b5c3b21304b441dcf689bbc24f0cbee482a
Opcode Fuzzy Hash: 235d12cab3ee081c60a19e6a0566270ce800a8587171b9ae2f1b235ce3d3e0ca
Instruction Fuzzy Hash: 14D1E574E0521CCFEB64DF69E884BADBBF2FB89300F2084A9D409A7295DB745985CF41

Function 0557A3F0 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369779574.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5570000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be6dee01cfb1d7848cfc5dbfb85a6db56a7dbfd563dab775023b620cc3054aa4
Instruction ID: 661a009df38f8c98c2f011a4c6dd6ef06bcc94d1861bd3240a00e15498305e81
Opcode Fuzzy Hash: be6dee01cfb1d7848cfc5dbfb85a6db56a7dbfd563dab775023b620cc3054aa4
Instruction Fuzzy Hash: 75D1D574E0521CCFEB64DF69E884BADBBF2FB89304F2080A9D409A7295DB745985CF41

Function 0529F278 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1368207318.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5290000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9a6241905b3f0f59b675f7eb7d4dca3b5fc4c781437fc9fbef35b706eca9c67
Instruction ID: 6023b5b73c2bee08a8539be653e0ce062d36d1521904e085b3ef3ca3dd672c3e
Opcode Fuzzy Hash: d9a6241905b3f0f59b675f7eb7d4dca3b5fc4c781437fc9fbef35b706eca9c67
Instruction Fuzzy Hash: 1CB1E274A24218CBDF99DF6AD944BA9B7B2FF89300F2080A9D509E7355DB749985CF00

Function 0555F870 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369654367.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5550000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e8d9850e58ec9398fa7213fd0b9ed5237d69c063c3bcddeb51240ad5119ee41
Instruction ID: ba3b017b2688b09b5b7a29769f604836e0d5e6d48d81b8e677e04ee77aa7d3f9
Opcode Fuzzy Hash: 1e8d9850e58ec9398fa7213fd0b9ed5237d69c063c3bcddeb51240ad5119ee41
Instruction Fuzzy Hash: 208139B4D05208DFDB14DFA9D954BADBBF2FF89320F20806AD809A7295E7745985CF40

Function 028D0CF0 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1346014766.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28d0000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f3bba8510289cdfed3016a07fb47ef3a59f512d10caa637165b42bc53eb199c
Instruction ID: 586fed2237df7897a604f46280897bfb662d4f20768cdba147ce37acca20757c
Opcode Fuzzy Hash: 2f3bba8510289cdfed3016a07fb47ef3a59f512d10caa637165b42bc53eb199c
Instruction Fuzzy Hash: 9D710AB4E042088FDB49EF6AEC5069EBBF2FF89300F14C12AE015973A5EB7459469F51

Function 028D0D00 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1346014766.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28d0000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d9b9efdcb01c46cc5eb13b23268de3d04fe39e7d75f08b1d435ab8b34159f31
Instruction ID: b4aa46fcc45a9bfb6d595b838b50d533b7841f479327f77cc2be930342871619
Opcode Fuzzy Hash: 2d9b9efdcb01c46cc5eb13b23268de3d04fe39e7d75f08b1d435ab8b34159f31
Instruction Fuzzy Hash: 427109B4E042098FDB49EF6AEC4068ABBF2FFC9300F14C12AE01597365EB7459469F51

Function 05576E50 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369779574.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5570000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6253369d9fefe19a8b78dde5a44191e40b445c9d0cbb0935bc41ca84afaed28
Instruction ID: f1c3751081012684e953d5c231b1dc9f26721864f3e7b775aa4d02b7b386a0c0
Opcode Fuzzy Hash: f6253369d9fefe19a8b78dde5a44191e40b445c9d0cbb0935bc41ca84afaed28
Instruction Fuzzy Hash: 9F5102B0E0562DCFDB69CF1AD8447AABAF6FB89300F1084E9D50DA7255DB308A85CF44

Function 05576688 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369779574.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5570000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6acf57ad4dba06f940a0a720fa672a1ec68a79b2c76a9ed7276dddbbd33007c5
Instruction ID: 05b072f2775b149ed0abc7fe587bd4a0f2d0908e50057eab6bb43588b6a982f8
Opcode Fuzzy Hash: 6acf57ad4dba06f940a0a720fa672a1ec68a79b2c76a9ed7276dddbbd33007c5
Instruction Fuzzy Hash: CF5135B4E0961CDFDB14DFA9E888BEDBBF2FB49301F105029E005A7291DB749846CB44

Function 05576698 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369779574.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5570000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d1b5fde51bb8e95e16e6e2478c2c6ba9b10a8a565a758286679823b108f02a4
Instruction ID: a1df4f1f863333eefb36fa8fbe63ab5d39e88ab770146218359eaf563539ddd8
Opcode Fuzzy Hash: 8d1b5fde51bb8e95e16e6e2478c2c6ba9b10a8a565a758286679823b108f02a4
Instruction Fuzzy Hash: 625114B4E0961CCFDB14DFA9E848BEDBBF2FB49301F105429E405A7295DB74984ACB44

Function 05470556 Relevance: 3.8, Strings: 3, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

B, xrefs: 05471A37
r, xrefs: 05470563
2, xrefs: 05471A0B

Memory Dump Source

Source File: 00000000.00000002.1369190231.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5470000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID: 2$B$r
API String ID: 0-242125962
Opcode ID: 44953cb4be6d638bffff9a99924417ebdfcfa6537e76c84d37fa547fabb57b6f
Instruction ID: 4f78fd97bde5fc507919413dcca7b04b15cff500c66ac217e8316937883281cf
Opcode Fuzzy Hash: 44953cb4be6d638bffff9a99924417ebdfcfa6537e76c84d37fa547fabb57b6f
Instruction Fuzzy Hash: 1F11B9B0D5622CCFDB65DF64D88DBEEBBB5BB04300F5002EAA54DA2241C7754A85CF44

Function 0561B1D4 Relevance: 1.8, APIs: 1, Instructions: 268
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0561B447

Memory Dump Source

Source File: 00000000.00000002.1370007095.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5610000_hm8dCK5P5A.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 7f12acdb40569a992ef92ebe6aec83f9c0dd613befa0eaaa2756a1a441e389bb
Instruction ID: 04e1641787e1558196c6caea246c5291370828954b137eb85a8cd4cfa60cc52f
Opcode Fuzzy Hash: 7f12acdb40569a992ef92ebe6aec83f9c0dd613befa0eaaa2756a1a441e389bb
Instruction Fuzzy Hash: FDA11370D003189FDB20CFA9D885BEDBBB1FF09300F18916AE859A7294DB748985CF49

Function 0561B1E0 Relevance: 1.8, APIs: 1, Instructions: 261
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0561B447

Memory Dump Source

Source File: 00000000.00000002.1370007095.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5610000_hm8dCK5P5A.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 5931f8158e591946eb208722c37968266908c015cfc312a22fd86088fb114a8b
Instruction ID: 013556aa7c2e3d579225b39e7cf56276a7003a487d698c475a9ae0b7a049e856
Opcode Fuzzy Hash: 5931f8158e591946eb208722c37968266908c015cfc312a22fd86088fb114a8b
Instruction Fuzzy Hash: E9A10370D003188FDB20CFA9C885BEDBBB1FF49300F18916AE859A7294DB748985CF49

Function 0561C440 Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0561C51B

Memory Dump Source

Source File: 00000000.00000002.1370007095.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5610000_hm8dCK5P5A.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ed462c6adf1e6649b7683b89a52c43a03ecd9ac2dc64abbe9368d3d5f4c9d87e
Instruction ID: 175840fd7cd30740b8c523054deddfce5f14ee99623fb6cd915703822e0bd654
Opcode Fuzzy Hash: ed462c6adf1e6649b7683b89a52c43a03ecd9ac2dc64abbe9368d3d5f4c9d87e
Instruction Fuzzy Hash: 0B41AAB5D052589FDF10CFA9D984AEEBBF1BB49310F24902AE819B7210D374AA45CF58

Function 0561C448 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0561C51B

Memory Dump Source

Source File: 00000000.00000002.1370007095.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5610000_hm8dCK5P5A.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ca04a8a12743ad158439028c2518cbd28194dc0200d30dae69f7d26d72de3cb0
Instruction ID: 831ef7b6f038eeeac59b58ff4c3c04ce2e9403cf63df9607930154120b3cd523
Opcode Fuzzy Hash: ca04a8a12743ad158439028c2518cbd28194dc0200d30dae69f7d26d72de3cb0
Instruction Fuzzy Hash: 9C41BCB5D012589FDF10CFA9D984AEEFBF1BB49310F14902AE815B7210D334AA45CF58

Function 0561C140 Relevance: 1.6, APIs: 1, Instructions: 105
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0561C1F2

Memory Dump Source

Source File: 00000000.00000002.1370007095.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5610000_hm8dCK5P5A.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ce5f67c32795ea1e4ca6242a7c7cfbb9f1c262ac7dd528d87f56ccd92dceb546
Instruction ID: dbf78f2c2c558efa87271e600a7170ea2d43b91ea013b88f86f311385e25c395
Opcode Fuzzy Hash: ce5f67c32795ea1e4ca6242a7c7cfbb9f1c262ac7dd528d87f56ccd92dceb546
Instruction Fuzzy Hash: F131A9B9D002589FDF20CFA9D881AEEBBB1BB49310F14942AE814B7300D735A946CF58

Function 0561C148 Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0561C1F2

Memory Dump Source

Source File: 00000000.00000002.1370007095.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5610000_hm8dCK5P5A.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d4fd2b3f7342335c6974bab6851b5d2f76c0aadbabf7e2100b7f5f38a78f8ed2
Instruction ID: f97da573407df1a4f3d2f7e8e8d5d4b230f3df5243b5c0d58f49eb75dd4ed7be
Opcode Fuzzy Hash: d4fd2b3f7342335c6974bab6851b5d2f76c0aadbabf7e2100b7f5f38a78f8ed2
Instruction Fuzzy Hash: BE3188B9D042589FDF10CFA9D980AEEFBB1BB49310F14942AE815B7310D735A945CF58

Function 05556552 Relevance: 1.6, APIs: 1, Instructions: 100memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 055565FC

Memory Dump Source

Source File: 00000000.00000002.1369654367.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5550000_hm8dCK5P5A.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1d6482135017e41ec92b289c984995a66d87c731867555e91a4c59f321cdd83c
Instruction ID: 9e029df8d98e01820383d628aa105a30ef722c82c4fd4ca3736305609489f833
Opcode Fuzzy Hash: 1d6482135017e41ec92b289c984995a66d87c731867555e91a4c59f321cdd83c
Instruction Fuzzy Hash: E531B9B5D042589FCF10CFAAD884AEEFBB1BB49320F14942AE815B7210D775A945CF54

Function 05556558 Relevance: 1.6, APIs: 1, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 055565FC

Memory Dump Source

Source File: 00000000.00000002.1369654367.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5550000_hm8dCK5P5A.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: cb0d68f25de7ad39fb33e5f037df761423249ff6530c401b8fd8a0db97ae6b2f
Instruction ID: 2fa1ef8c3a0f154e1e853497d6d251742c11494eb2f9c2edf66f855abe2467ae
Opcode Fuzzy Hash: cb0d68f25de7ad39fb33e5f037df761423249ff6530c401b8fd8a0db97ae6b2f
Instruction Fuzzy Hash: F631CAB5D042589FCF10CFAAD884AEEFBB1BF49320F14942AE815B7210D735A945CF54

Function 0561BA98 Relevance: 1.6, APIs: 1, Instructions: 97threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0561BB4F

Memory Dump Source

Source File: 00000000.00000002.1370007095.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5610000_hm8dCK5P5A.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 84abd0f80fb3c8d0e1fd4bd4807520c2c9e072cd35008746069a3c48045aefab
Instruction ID: 37351a46c70cd36bdd9779c675d4338cb007b7271eb7014e53dbabaa9c0b4230
Opcode Fuzzy Hash: 84abd0f80fb3c8d0e1fd4bd4807520c2c9e072cd35008746069a3c48045aefab
Instruction Fuzzy Hash: D841DCB5D002589FDB10CFAAD985AEEBBF1FB49310F14802AE818B7254D738A945CF54

Function 028DED58 Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 028DEDFC

Memory Dump Source

Source File: 00000000.00000002.1346014766.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28d0000_hm8dCK5P5A.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 683e4f662728bbe3e81d3d7ff42d4e3f1e7a35cf95adc32bd6f2cbf90980170e
Instruction ID: 24665f0eb722bd41975b2be3d1d1a001c46577e82bbd003364759fc0630d5dea
Opcode Fuzzy Hash: 683e4f662728bbe3e81d3d7ff42d4e3f1e7a35cf95adc32bd6f2cbf90980170e
Instruction Fuzzy Hash: E33198B9D012589FCF14CFA9D980ADEFBB1FB49310F24942AE818B7210D775A945CF54

Function 0561BAA0 Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0561BB4F

Memory Dump Source

Source File: 00000000.00000002.1370007095.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5610000_hm8dCK5P5A.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 20a787c4af9ef7139b3479f0172df015d20343cbfdf19d46fd85682eb7e01ad0
Instruction ID: 69f74b9088ff262b478e541280cba3f07df2e955fb7ebf2e466675c53ff89d5b
Opcode Fuzzy Hash: 20a787c4af9ef7139b3479f0172df015d20343cbfdf19d46fd85682eb7e01ad0
Instruction Fuzzy Hash: CC31DCB4D002589FCB10CFAAD984AEEFBF1BF49310F24802AE814B7214D738A945CF58

Function 05554282 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000000), ref: 055542DE

Memory Dump Source

Source File: 00000000.00000002.1369654367.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5550000_hm8dCK5P5A.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: f72a63ed1363d0ff09e21d5fb50971db096f6fc1498c89db048042c181c5329e
Instruction ID: b7f394da43b310526e640ed8cfb9d1afb56716fb12f2f0a1663cf298bcbe9eed
Opcode Fuzzy Hash: f72a63ed1363d0ff09e21d5fb50971db096f6fc1498c89db048042c181c5329e
Instruction Fuzzy Hash: 362150B5800349CFDB20CF9AC00A79EBFF0FB48324F24841AD659A7350D7786488CBA0

Function 05554290 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000000), ref: 055542DE

Memory Dump Source

Source File: 00000000.00000002.1369654367.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5550000_hm8dCK5P5A.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: ebb925ef5007f7219c20ccb06441398605196fb6b3ab9d5db76a44f2cc9a3ddc
Instruction ID: 62ac1c39da21748e7af7d4e251bffa19066e62eb170a6810745e26c57e00e7b5
Opcode Fuzzy Hash: ebb925ef5007f7219c20ccb06441398605196fb6b3ab9d5db76a44f2cc9a3ddc
Instruction Fuzzy Hash: 4B211FB58043498FDB20CF9AC4497AEBFF4BB48324F24841AD559A7350C7796588CBA5

Function 05290589 Relevance: 1.3, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 0529062F

Memory Dump Source

Source File: 00000000.00000002.1368207318.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5290000_hm8dCK5P5A.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ea335ef5f10783fda7e7399853ad916199c909c017160baa15786a77a4fff241
Instruction ID: 672fc73560cd4ffcab8d013a89fa5eacc74903a4ffb82098658755b060e9610a
Opcode Fuzzy Hash: ea335ef5f10783fda7e7399853ad916199c909c017160baa15786a77a4fff241
Instruction Fuzzy Hash: 8931A8B9D042489FCF14CFA9D884AEEFBB1AF49310F14942AE815B7310D775A946CF54

Function 05290590 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 0529062F

Memory Dump Source

Source File: 00000000.00000002.1368207318.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5290000_hm8dCK5P5A.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 89a516dffde1b8b0ea1c38cefde97e26266b590ecd984c79b6beed740149b064
Instruction ID: 6a27d8e4e3b3e6825067a6f0d495093d4c116a234b363f775a854330331bf6a7
Opcode Fuzzy Hash: 89a516dffde1b8b0ea1c38cefde97e26266b590ecd984c79b6beed740149b064
Instruction Fuzzy Hash: 4E31A7B9D002489FCF14CFAAD884A9EFBB1BF49310F24942AE814B7310D775A945CF94

Function 054701CC Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

7, xrefs: 05470202

Memory Dump Source

Source File: 00000000.00000002.1369190231.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5470000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID: 7
API String ID: 0-1790921346
Opcode ID: 1568f6cd8327df7cfb4fe9355536daaa0b569bf4c067f19f37ab6cc17141e6b3
Instruction ID: fb6257cf5c9f8d57fbe7fdb140123e4090393d080b45ca3badc35ff09a9c6493
Opcode Fuzzy Hash: 1568f6cd8327df7cfb4fe9355536daaa0b569bf4c067f19f37ab6cc17141e6b3
Instruction Fuzzy Hash: DD31AF74A1526C9FDB69EF60DC98BADB7B6FF48300F0042DAE509A7280DB355A85CF40

Function 054785C7 Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

+, xrefs: 05478698

Memory Dump Source

Source File: 00000000.00000002.1369190231.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5470000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID: +
API String ID: 0-2126386893
Opcode ID: d4e498b29ead943ffef3367b4eba281b7acb7035c73821a81268fbafb0dc2694
Instruction ID: 9d37fc439abb5eeb4f1759466afa47efc75a407284eeb6b720587896acb80377
Opcode Fuzzy Hash: d4e498b29ead943ffef3367b4eba281b7acb7035c73821a81268fbafb0dc2694
Instruction Fuzzy Hash: 4B21AFB4A002288FCB64DF28C884BE9BBF1FB49305F4045EAE60AA7251DB305EC5DF55

Function 05472014 Relevance: 1.3, Strings: 1, Instructions: 21COMMON

Download Yara Rule

Strings

@, xrefs: 05472068

Memory Dump Source

Source File: 00000000.00000002.1369190231.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5470000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 1dc581b53a1f3e739bbd7a5ba734c68a6bb7a9303441457097588ece788f2e31
Instruction ID: 44390da2ba5bd61c511a1accd6143a6ac7c5a65d7aab8a9a8e48b87acc48c449
Opcode Fuzzy Hash: 1dc581b53a1f3e739bbd7a5ba734c68a6bb7a9303441457097588ece788f2e31
Instruction Fuzzy Hash: 9FF05F74A1222CDFDB25DF25D849BDDBBB5BB0A300F4045DAA689A2240D7B45A848F51

Function 0547A5A1 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

0, xrefs: 0547A5F4

Memory Dump Source

Source File: 00000000.00000002.1369190231.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5470000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 30c3fe6b42b1a3016facbf9f04a9266b181f391e56e85025da71aadf55248733
Instruction ID: 28f9bcc656439be4df13965fe2b91b8eb0a5e3daacf8e891ab32c25b6f4616e3
Opcode Fuzzy Hash: 30c3fe6b42b1a3016facbf9f04a9266b181f391e56e85025da71aadf55248733
Instruction Fuzzy Hash: 68F0D47481126CCFDB65DF14DC447E9B7B6FB09306F4044EAE00AA2250C7741B89CF01

Function 052B1EA8 Relevance: .6, Instructions: 577COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1368248999.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52b0000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76eab661298d9745ab631b92f22983a530c7b4102bf324a1de57a44fd4ca26c4
Instruction ID: fafc728744940ecbf347b20c3d0c793cff462a10aff6cd3932f35c999ff65432
Opcode Fuzzy Hash: 76eab661298d9745ab631b92f22983a530c7b4102bf324a1de57a44fd4ca26c4
Instruction Fuzzy Hash: AE420578E2420ACFEB18DF94D488AEDB7B2FF49340F508015E516AB294CBB45982CF61

Function 052B29D0 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1368248999.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52b0000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9450f5c07e91777059826203d24f31d2c03c970d639c85203a8885daee36308c
Instruction ID: af3c140c46a3d8d80f429019aa1e54d9cb4aaefb1a715aab45d4c68fae7aa4bd
Opcode Fuzzy Hash: 9450f5c07e91777059826203d24f31d2c03c970d639c85203a8885daee36308c
Instruction Fuzzy Hash: CEF1E234D21309DFDB18EFA4E4896ECBBB2FF49355F204429E416A7290DBB56981CF50

Function 052B26A8 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1368248999.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52b0000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6b0fb54c7773daa6c67c80d83b4ddf8c08f81078ef55ec166fd72f76e0ab451
Instruction ID: f04d9b6dd9204df5a500205adfce24a2f6eec9c916d2eb4ed2fd64a0413cf644
Opcode Fuzzy Hash: a6b0fb54c7773daa6c67c80d83b4ddf8c08f81078ef55ec166fd72f76e0ab451
Instruction Fuzzy Hash: 25A1D678E21209CFDB18DFA5E4486EDBBB2FF49351F508029E41677294CBB85982CF61

Function 05541308 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369602166.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: true

Associated: 00000000.00000002.1369263142.0000000005480000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5480000_hm8dCK5P5A.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f03318086e31d292f73053d51065c3a8da669d64c981394e761dec5b71b4c98
Instruction ID: f4c4508a32acdcfe93b3cea1526ebf73105207b61c04c7bdb2e0b95204b42606
Opcode Fuzzy Hash: 3f03318086e31d292f73053d51065c3a8da669d64c981394e761dec5b71b4c98
Instruction Fuzzy Hash: 8F815835B126048FCB04DFA4E559AEDBBB2FF88215F248069E8129B390DB75D981CF60

Function 05540F90 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369602166.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: true

Associated: 00000000.00000002.1369263142.0000000005480000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5480000_hm8dCK5P5A.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27ced396f8279c0a241e64774c6fbcad81eed2d51515c2bc6c246b14461336cb
Instruction ID: bd57c65b2156f6649b5e053708e88229d8c9a5fbfc0d6c0d60194e54d31e0bfb
Opcode Fuzzy Hash: 27ced396f8279c0a241e64774c6fbcad81eed2d51515c2bc6c246b14461336cb
Instruction Fuzzy Hash: DF51DE35A00A16CFCB10DF58C484A6AF7B5FF89324F558265EA19AB381C731F992CBD4

Function 05789BA0 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1370233510.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5770000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8de8ff69ce21446333787d7bdccf2c520d904f9737650a7e809ac41f2faf5a2
Instruction ID: 82c55d881053830b53f47c96c80847e79cd3342fa355a264a9ffb31d8e194554
Opcode Fuzzy Hash: d8de8ff69ce21446333787d7bdccf2c520d904f9737650a7e809ac41f2faf5a2
Instruction Fuzzy Hash: 2551E274E44218CFDB04EFA9D8986FEBBB2FB89300F14802AE516B7294DB745946DB50

Function 05540012 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369602166.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: true

Associated: 00000000.00000002.1369263142.0000000005480000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5480000_hm8dCK5P5A.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9ceafc468f9de34cc126daf89955c7afaedb79fbf8b4366ae7934522ccae87
Instruction ID: 21321f68803ae1cf8c6927beddd4a1a8884c1a2e2c92b64842f0bd376ca602f6
Opcode Fuzzy Hash: 0d9ceafc468f9de34cc126daf89955c7afaedb79fbf8b4366ae7934522ccae87
Instruction Fuzzy Hash: FB51E576600110AFCB46AFA8DD44E557BB6FF8D31431A80D9E2499B372D632D822EF51

Function 05540040 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369602166.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: true

Associated: 00000000.00000002.1369263142.0000000005480000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5480000_hm8dCK5P5A.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff922b34aa7eed26902cfc5d6d8a197dea982e1ad6b0ece652d71ae24334f03e
Instruction ID: e78cabbdf9164e6861c39c2a0f11c43baa176bc70d72c88f4c1d954a96f7191d
Opcode Fuzzy Hash: ff922b34aa7eed26902cfc5d6d8a197dea982e1ad6b0ece652d71ae24334f03e
Instruction Fuzzy Hash: 2E41E676600110AFCB4AAF98DC44D55BBB2FF8D31471A8098E2099B372DB32DC22EF50

Function 05541A28 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369602166.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: true

Associated: 00000000.00000002.1369263142.0000000005480000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5480000_hm8dCK5P5A.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d7e0116751faffb043170b964609e7f61fe7265ca256e34e3cfbd844c9ca651
Instruction ID: ee102f404be92b47d13ddf7493869d931ad9a8741e7116a39d075b7388fd1c69
Opcode Fuzzy Hash: 0d7e0116751faffb043170b964609e7f61fe7265ca256e34e3cfbd844c9ca651
Instruction Fuzzy Hash: 30415B30B00705DFDB14DB65D854BAAB7B2FF88718F14C429E8069B290EB70E881CFA0

Function 05477508 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369190231.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5470000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c904e6f1f2e4386512739689071f82a061d0bbcf50eac0b9e335bdf6099b88ee
Instruction ID: 79594fd81ccc63f7a429462bb8ebd87882b9214dd1d67b09e8e194c127f4f9c5
Opcode Fuzzy Hash: c904e6f1f2e4386512739689071f82a061d0bbcf50eac0b9e335bdf6099b88ee
Instruction Fuzzy Hash: 2951C070E01208DFDB18DFA9D984AEDBBB2FF89300F60816AD415AB364DB309941CF50

Function 05541E70 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369602166.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: true

Associated: 00000000.00000002.1369263142.0000000005480000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5480000_hm8dCK5P5A.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b787dd64bbebfbed4788f3b932438c815014fa1ebf4dfbd8069e744a856f0bb
Instruction ID: 02cf54a8eb23659f463b55715e4715e5f1591db2269137fa1d02c592e6ec6f1c
Opcode Fuzzy Hash: 6b787dd64bbebfbed4788f3b932438c815014fa1ebf4dfbd8069e744a856f0bb
Instruction Fuzzy Hash: B641BF35B002049FCB14DF69D850AAEBBB2FF89311F558069E906DB361DB71EC41CBA1

Function 054774F8 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369190231.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5470000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 479e2dacc338c40650d4090905fa49d7ecf66ec71ad16fa8f8d71b0b2c6a418c
Instruction ID: d8f2c14b3e15498825e11a0f6d0884a1b2e5f1fcde8efa6d639f072ce5d00bc1
Opcode Fuzzy Hash: 479e2dacc338c40650d4090905fa49d7ecf66ec71ad16fa8f8d71b0b2c6a418c
Instruction Fuzzy Hash: 7B41B070D01208CFDB18DFA9D894AEDBBB2BF89300F60956AD415AB365DB309942CF50

Function 05541BB8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369602166.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: true

Associated: 00000000.00000002.1369263142.0000000005480000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5480000_hm8dCK5P5A.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b0a37e32c26c9acc9779fff73cfc890b6143ae07803d3166657f69d69ae930a
Instruction ID: b8fa61734e11d1d5efb1f0a60c7129f63adc78ea65133f40d0c51e8e8eef67db
Opcode Fuzzy Hash: 8b0a37e32c26c9acc9779fff73cfc890b6143ae07803d3166657f69d69ae930a
Instruction Fuzzy Hash: 19415971A006158FCB54CFA5DD45BBEBBB2FF88354F00842AE416E7294D7349985CF91

Function 0547F6C8 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369190231.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5470000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43ccb41b57e04a8ce9755c1836b05ccab32480656d4ad5a1a2d9c06876f7a963
Instruction ID: 79dfd26df212174dfc1118752390374b1dc47ceb96c12a66c40d5d089979fa34
Opcode Fuzzy Hash: 43ccb41b57e04a8ce9755c1836b05ccab32480656d4ad5a1a2d9c06876f7a963
Instruction Fuzzy Hash: 6041D674E042089FDB44DFAAD844AEEBBF6FF88300F108466E405A7355D7749A4ACF50

Function 052B1E8C Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1368248999.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52b0000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779bd80b33cd436ed14390cc0499db3676e721d0dbf628a40bb51c2af8c1a68b
Instruction ID: 2a53cd9cdaeaf48384bbd454ec9143260d66eaee418cf88d28ae92da998f6d5e
Opcode Fuzzy Hash: 779bd80b33cd436ed14390cc0499db3676e721d0dbf628a40bb51c2af8c1a68b
Instruction Fuzzy Hash: 70312734D24209CFEB15CFA5D4186EEBBB1FF45311F00806AD415A72A2D7B45A55CF51

Function 00F9D01C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1345692323.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f9d000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c54b079bc31b214c96035ee4c7c40e83379fe4e8ee0e334534183b6410fa1624
Instruction ID: e32ffc7077705ad8d69c09e04e8f0679e1f43eb580e2562c17e9cbae9fb89166
Opcode Fuzzy Hash: c54b079bc31b214c96035ee4c7c40e83379fe4e8ee0e334534183b6410fa1624
Instruction Fuzzy Hash: CB212572904244DFEF15DF14D9C4B26BBA5FB84324F34C569E90A0B25AC336D846DAB2

Function 05540380 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369602166.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: true

Associated: 00000000.00000002.1369263142.0000000005480000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5480000_hm8dCK5P5A.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fceeafc4365ebbc364436f8037227340883a3a8b491058f06aedc9971a983c4
Instruction ID: 4f026b0b12f92bd707c037c259586487d20c49a12ba835c3eadbd021905e2a71
Opcode Fuzzy Hash: 1fceeafc4365ebbc364436f8037227340883a3a8b491058f06aedc9971a983c4
Instruction Fuzzy Hash: C0214C35A102199FDB149FA4D488ADE7BB6FF8C720F248129F911A7390DE719885CFA0

Function 05541BA7 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369602166.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: true

Associated: 00000000.00000002.1369263142.0000000005480000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5480000_hm8dCK5P5A.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cac7117c72bbabdadbc01295972b0d3f0388737048b35dee577d7cba1577d8c
Instruction ID: 4ddcf8704d7460fe8ea8d6386b1f9ef1e8178a0f0345ddfde05da4364eee01e7
Opcode Fuzzy Hash: 4cac7117c72bbabdadbc01295972b0d3f0388737048b35dee577d7cba1577d8c
Instruction Fuzzy Hash: D92136B5A00A158FCB14DF69D984AAFBBB2FF88359F008529D816E7354E7309842CF90

Function 05477B90 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369190231.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5470000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 746e642502d77a3fcdbaf7a069b9ede7ba9e4d264d1e6edf9e4687f71dcf4f1f
Instruction ID: bb9a70bf1d970097b63c397fdd1eb5b86b207c867f3d0f4ad3b4922d6a3469dc
Opcode Fuzzy Hash: 746e642502d77a3fcdbaf7a069b9ede7ba9e4d264d1e6edf9e4687f71dcf4f1f
Instruction Fuzzy Hash: 972126B4E0420DDFCB04DFA9D4446EEBBB6FB49300F5481AAD415A7345D7349982CF91

Function 05541E60 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369602166.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: true

Associated: 00000000.00000002.1369263142.0000000005480000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5480000_hm8dCK5P5A.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 959692403b0b658de52665403db20dd5ed4f24ef3990130fa2f656a72eb6eede
Instruction ID: db50bcf2c5cc579395f3220e8e5212f877d8090970b3adb914775178dd34bb58
Opcode Fuzzy Hash: 959692403b0b658de52665403db20dd5ed4f24ef3990130fa2f656a72eb6eede
Instruction Fuzzy Hash: F1219A35A042059FCB00DF69D894AAEBBB6FF85304F6180A5E905DB361DB30EC41CBA1

Function 00F9D005 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1345692323.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f9d000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb49ea0ccd5a21ec11c9e7b80ed703c9739e0b3ddb452ec0d59d4eece2c70682
Instruction ID: c7ed4e9ce94af9280a88431df0945dfcfcd4280704581fe0bc893d0332ecf0d2
Opcode Fuzzy Hash: bb49ea0ccd5a21ec11c9e7b80ed703c9739e0b3ddb452ec0d59d4eece2c70682
Instruction Fuzzy Hash: 8721B0754093C08FDB13CF20D994716BF71EB86324F2981EAD8458B667C33A980ADB62

Function 05540DF9 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369602166.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: true

Associated: 00000000.00000002.1369263142.0000000005480000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5480000_hm8dCK5P5A.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b498cf19b7e327a249718bdd8755687120ea592346afbe0b0a1e1e49ed9041ac
Instruction ID: b2e6b8c8835b7bf893de260a5a4335f88a96108f20a8ec6486e1ca6e891d82be
Opcode Fuzzy Hash: b498cf19b7e327a249718bdd8755687120ea592346afbe0b0a1e1e49ed9041ac
Instruction Fuzzy Hash: 88116D35A01209EFDB10CFA4D589BDEBBB1FF48314F248525E511AB3A0C7709A51CF90

Function 05541140 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369602166.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: true

Associated: 00000000.00000002.1369263142.0000000005480000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5480000_hm8dCK5P5A.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86cf2da2ce71b3e820557518edd480600abe98c3245f8eb6a63837fb286bafe0
Instruction ID: 2ea1d50b934158434f831efaaf33b26f0ca59075050e79715d51d82a2b90b985
Opcode Fuzzy Hash: 86cf2da2ce71b3e820557518edd480600abe98c3245f8eb6a63837fb286bafe0
Instruction Fuzzy Hash: 01117C31B146159FCB54EF699805BBE7BF2BF88610F14442AE916DB2C0EB74C981CBA0

Function 05540EA9 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369602166.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: true

Associated: 00000000.00000002.1369263142.0000000005480000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5480000_hm8dCK5P5A.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29fd1b50f15fd5e613d287f71f87e37a4dbc02ba9b483d83967c114c06c86ca8
Instruction ID: 60dd987ac94f557282e0c9dd114c9916c84fd8bf30aaa769735dd246a396fa49
Opcode Fuzzy Hash: 29fd1b50f15fd5e613d287f71f87e37a4dbc02ba9b483d83967c114c06c86ca8
Instruction Fuzzy Hash: A1215F79A52219AFDB04CF58D598EADBBF2BF49314B214054E506AB3A1CB34AD41CF50

Function 05473C41 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369190231.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5470000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c1d691f89f97a0861f58f5ce356d61a892b238a1d66cdba9ed75ba97c81d4bb
Instruction ID: dbfeabbb3b90059a15d07acc79e760469487a0a5a772829c2e59e5845bd5d838
Opcode Fuzzy Hash: 1c1d691f89f97a0861f58f5ce356d61a892b238a1d66cdba9ed75ba97c81d4bb
Instruction Fuzzy Hash: 1111E5B29092889FCB42EFB8D45C3DD3BF1EF46200F6509DBD484EB2A2D6345A45E711

Function 05541DE0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369602166.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: true

Associated: 00000000.00000002.1369263142.0000000005480000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5480000_hm8dCK5P5A.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf47824f88285ab42ed244ad1a64fdc89412f1504d96dcfa68b938e9bc866885
Instruction ID: bbe8fa7ec9942ed271f680a4c1bf98a592151ff02e033cadf708219de5c5e710
Opcode Fuzzy Hash: cf47824f88285ab42ed244ad1a64fdc89412f1504d96dcfa68b938e9bc866885
Instruction Fuzzy Hash: 460124376082586FDB54CAE9E040BEABFE8FB54261F24C0ABE484D7251E631D9D0CB50

Function 05540D88 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369602166.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: true

Associated: 00000000.00000002.1369263142.0000000005480000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5480000_hm8dCK5P5A.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19b04759107eba81d45018881d012aa9416a2990d7447b1104c8ba270eac13ad
Instruction ID: 8c69b69141baa09b3929f25b9a8f1dbfad0da12f89e4014ae7214a0f1bf26261
Opcode Fuzzy Hash: 19b04759107eba81d45018881d012aa9416a2990d7447b1104c8ba270eac13ad
Instruction Fuzzy Hash: DC014836341215AFD7108F59EC85F9A7BA9FF89721F108066FA15CF290CBB1E8158B50

Function 0547E8B8 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369190231.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5470000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db5767f6f606341cbf0cb16f756736454986ebb690760937c05719171109f9ed
Instruction ID: ce4aef177d7c035f5cb206931b4773443f675448905494df630fe8e2c8716b85
Opcode Fuzzy Hash: db5767f6f606341cbf0cb16f756736454986ebb690760937c05719171109f9ed
Instruction Fuzzy Hash: D911CE70E0421CDBDB14DF29D8497EDBBB6EF89301F4081A6E509A3341DB745985CF11

Function 05772909 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1370233510.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5770000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a765eef9942a040693db237b5822a9e0844ac6794fa8c45152b6617d82bd94b6
Instruction ID: 93a3ba1b94b7ac67e7d4cffdccf99c5d794a7e9d200501287adaeb0e45a12b11
Opcode Fuzzy Hash: a765eef9942a040693db237b5822a9e0844ac6794fa8c45152b6617d82bd94b6
Instruction Fuzzy Hash: E921D3789002299FDB60DF28E858ADDBBF1EB48700F1080E9E409E7384EB349E95DF44

Function 0578F218 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1370233510.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5770000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b87e9c5cb469ae41ea47df3a61e521150909543c81c5d486082d24cefcb459e3
Instruction ID: f97a6ce4e115066998e9e3c8c0d3d5b2c21d94b0893e0ddd7526f3ae7561ef9d
Opcode Fuzzy Hash: b87e9c5cb469ae41ea47df3a61e521150909543c81c5d486082d24cefcb459e3
Instruction Fuzzy Hash: CA11FAB4E002099FDB44EFA9C8457AEBBF1FF88300F10856AD418B7351D7745A419B91

Function 05477B80 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369190231.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5470000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fe4dd46d01cad4aa7984b533228481f91bd800c82d0a798c9ad27148b05118d
Instruction ID: b42f6c6166c22e16e273bbcefbd20f6d1f984dddc7f18ddbd9946763e64eec63
Opcode Fuzzy Hash: 3fe4dd46d01cad4aa7984b533228481f91bd800c82d0a798c9ad27148b05118d
Instruction Fuzzy Hash: A81109B1D082499FCB55DFB998442EEBFF1EB4A300F5591AAC409E7252D7704681CB91

Function 057772F4 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1370233510.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5770000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da8d08d8ce727ed65d0883d8f9f0a54d9bcef6de8ff72f93776998337db3d470
Instruction ID: 193ae56eebf9b83898399f8e6fa222bf7ebdaa3bb53ad2246a9ff6d1bf7315fc
Opcode Fuzzy Hash: da8d08d8ce727ed65d0883d8f9f0a54d9bcef6de8ff72f93776998337db3d470
Instruction Fuzzy Hash: D5112874A1426CCFDB64EF58E898AE9B7B1FB45704F1080E9E8099B245DB385F84EF50

Function 05540D60 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369602166.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: true

Associated: 00000000.00000002.1369263142.0000000005480000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5480000_hm8dCK5P5A.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32c3971784aa07ab5f381142944d0cc6dc2127d39f81504e081f6a90cd7bf95b
Instruction ID: 65f74a6d08c553e5fec0c745e8a59ae21dcb1258e73dda91bd9ce8c6c420a4c7
Opcode Fuzzy Hash: 32c3971784aa07ab5f381142944d0cc6dc2127d39f81504e081f6a90cd7bf95b
Instruction Fuzzy Hash: 24016D353053059FD704CF59E898D9ABBB9FF8A625725846AF904CB2B1CB71E9048B60

Function 055401B2 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369602166.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: true

Associated: 00000000.00000002.1369263142.0000000005480000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5480000_hm8dCK5P5A.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1cc7b65f24b89e92d7863c77d6a6cc4318b9a1311cedb57d0c37496690a3793
Instruction ID: 36e78c4646a323cf1ae19273c6c79357c1496d4b5ab6976a6d79ed520e383465
Opcode Fuzzy Hash: d1cc7b65f24b89e92d7863c77d6a6cc4318b9a1311cedb57d0c37496690a3793
Instruction Fuzzy Hash: 33F0F676F042115FE3148B98AC0875FB7B5FBC9320F25443AE6059B390DBB1AC41C790

Function 05540218 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369602166.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: true

Associated: 00000000.00000002.1369263142.0000000005480000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5480000_hm8dCK5P5A.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1f142d3552a53f04de98cbbb9e5d6c018216eba0a88ee8359f47e947f1c56ea
Instruction ID: 3c3ff6b76b02f7fd2beccbcd6a97366415b72d4f2b5cb7e94dea7ec60dee1db5
Opcode Fuzzy Hash: d1f142d3552a53f04de98cbbb9e5d6c018216eba0a88ee8359f47e947f1c56ea
Instruction Fuzzy Hash: EEF0BB72F0D2904FE31647745C18329ABB1BFC6118F68449BD246DF2F2DA979846C791

Function 05477748 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369190231.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5470000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6c31cd6664038fbae616793c0175eda1e6ff86817c168b5cdc6b41c71e25191
Instruction ID: 1da3a9f4fd27b1fe42820e7fd07df5c757f8a90c8ae852ba170017ef03435030
Opcode Fuzzy Hash: a6c31cd6664038fbae616793c0175eda1e6ff86817c168b5cdc6b41c71e25191
Instruction Fuzzy Hash: CB01EFB4D0420CEFCB80DFA8D9443EEBBF9FB48300F6041AAD809A2250E7355A50DBA1

Function 055401C0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369602166.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: true

Associated: 00000000.00000002.1369263142.0000000005480000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5480000_hm8dCK5P5A.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 418d883fa3d3193a8765a02b94e8bcb9e0bd6b71f4bcac002a97e1fff0dba92b
Instruction ID: 7d8eb469949405d4326df12b2988f6ed526c6f2e3be6835ad4610f482d49a2be
Opcode Fuzzy Hash: 418d883fa3d3193a8765a02b94e8bcb9e0bd6b71f4bcac002a97e1fff0dba92b
Instruction Fuzzy Hash: 34F0B472B082115FE7188658AC14B6FF7A9FBC9720F14442AE60A9B390CBB2AC4187D0

Function 05473181 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369190231.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5470000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82aa7df23db054036a8fda60ce78e07a8b8d8b60b1a8733b0076a7509b6b8a1e
Instruction ID: 6721f7e1267886b89c22d176b1df59279a17ca274d58703bed01b3bab0da2260
Opcode Fuzzy Hash: 82aa7df23db054036a8fda60ce78e07a8b8d8b60b1a8733b0076a7509b6b8a1e
Instruction Fuzzy Hash: D8F0BB71808288AFCB51CFB4D810AEDBFF4EB06210F1485C7E864C7292C2355A43DB11

Function 05540F80 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369602166.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: true

Associated: 00000000.00000002.1369263142.0000000005480000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5480000_hm8dCK5P5A.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac5e973e63727a983dea9e525d8a13029810447c077bd0717b8a7e5eb9e80d29
Instruction ID: ea99471af485a77e3eaeafde470617a865a933e747232acf2e22ee56b52e47b8
Opcode Fuzzy Hash: ac5e973e63727a983dea9e525d8a13029810447c077bd0717b8a7e5eb9e80d29
Instruction Fuzzy Hash: CBE02B3761451117C3148A0DD849F8A7766FFC1314F6A8435FE059B341DB74F94386D9

Function 05476CD2 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369190231.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5470000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c242eb846e0efa23d2aaf1629ab651887e4ece840826a18f906470024a64b84
Instruction ID: cf66666c7e29498785874acb64a8e714356d852d1605cfdd3173dbfd8518b889
Opcode Fuzzy Hash: 5c242eb846e0efa23d2aaf1629ab651887e4ece840826a18f906470024a64b84
Instruction Fuzzy Hash: 84019D74904618DFEBA8CF26E884BD9BBB2FB09304F508496E459A7394DB3459C9DF10

Function 05473190 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369190231.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5470000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3cb07139fa839728ee1f3e6c81f3b63fc3bb0633cddea5dbc653feda169d293
Instruction ID: 8f5f4eb44cc1b83c6667644c05bdb57776641cdb518aec2810221e90f4758776
Opcode Fuzzy Hash: e3cb07139fa839728ee1f3e6c81f3b63fc3bb0633cddea5dbc653feda169d293
Instruction Fuzzy Hash: 47F0F87490424CEFCB90DFA8D840AADBBF9EB48300F14C5EAA858D3341D6359A51EF50

Function 05773BBD Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1370233510.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5770000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2839fd1537d8e0c304646ae3772a6079909252ca69ceb5b4d8b3559e35f3f3e4
Instruction ID: a491665c75a3aa944a397b86cde974cb48c69cbc8457f7f35cd93ac9c1186fbe
Opcode Fuzzy Hash: 2839fd1537d8e0c304646ae3772a6079909252ca69ceb5b4d8b3559e35f3f3e4
Instruction Fuzzy Hash: E4F0A430A10269CFDB60DF14E84DBED7BBAEB04300F1440E4E009A7681DBB90EC89F01

Function 0577017C Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1370233510.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5770000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0be466b0cefecb4abcc7331483db107f5c25ff199d6137d8c834c11a8052dd3
Instruction ID: 2c42976a39a159386b5f26a4294d20d51d2b95630be97815c1b96237864c9e30
Opcode Fuzzy Hash: f0be466b0cefecb4abcc7331483db107f5c25ff199d6137d8c834c11a8052dd3
Instruction Fuzzy Hash: 5CF0B774A01218CFEBA4DF18E899E997BB1FB49304F1540D4E41997795DB349E80DF11

Function 0578A550 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1370233510.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5770000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2dd407c99df14b200780b0ae0d4bc6b3a7bf8f3b8a4ec86d40105592a527cf5
Instruction ID: bd938a0cd2f32183178367b05e72513b2488650c3d2af6eb12994f1dddcbff54
Opcode Fuzzy Hash: e2dd407c99df14b200780b0ae0d4bc6b3a7bf8f3b8a4ec86d40105592a527cf5
Instruction Fuzzy Hash: E8E0C974D04208EFCB84DFA9D4406ADBBF5FB48310F10C1AA9819A3351D7359A55EF40

Function 0578A1D8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1370233510.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5770000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd561ca77aaa37191bfc9e7f3f686838dfb581740d47a5135eb1eb4c17bd1bc4
Instruction ID: 782c9bbdd9c2b3e2d20aa6dfa005e4840f9aaeaad51e8ffc672bdd0a8b1946c8
Opcode Fuzzy Hash: cd561ca77aaa37191bfc9e7f3f686838dfb581740d47a5135eb1eb4c17bd1bc4
Instruction Fuzzy Hash: CFE0C974D04208EFCB84DFA8D4406ACBBF5FB48310F10C1AA980993351D735AA51EF40

Function 0578BD80 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1370233510.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5770000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2dd407c99df14b200780b0ae0d4bc6b3a7bf8f3b8a4ec86d40105592a527cf5
Instruction ID: c54a1b3c66516d91fb445e8248d71863f1b919b934733d29c37b8ef0bc31474e
Opcode Fuzzy Hash: e2dd407c99df14b200780b0ae0d4bc6b3a7bf8f3b8a4ec86d40105592a527cf5
Instruction Fuzzy Hash: C3E0C974D04208EFCB84DFA9D440AACBBF5FB48300F10C1AA981893351D7359A51EF50

Function 05785CF8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1370233510.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5770000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2dd407c99df14b200780b0ae0d4bc6b3a7bf8f3b8a4ec86d40105592a527cf5
Instruction ID: 7938769df2a123232be477ab1086098000cd068789f1d94d9612757afc05e1cf
Opcode Fuzzy Hash: e2dd407c99df14b200780b0ae0d4bc6b3a7bf8f3b8a4ec86d40105592a527cf5
Instruction Fuzzy Hash: 66E0A574D44208EFCB84DFA8D4446ACFBF5FB48300F1081AA980993351D6359A51EF90

Function 05772A8B Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1370233510.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5770000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d08f1883be9021ddfa4a473c97daee0dde55a44f8e568986d1d79ff557f52309
Instruction ID: 8a597720eedbdd9463eb80b289b200645a4cc296a5dc044974aa38cd36c327a0
Opcode Fuzzy Hash: d08f1883be9021ddfa4a473c97daee0dde55a44f8e568986d1d79ff557f52309
Instruction Fuzzy Hash: 9FF05E30A102588BDB68EF14DC5D7AD76B2FF85300F004498904A67284CFB80E84EF51

Function 05477F8E Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369190231.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5470000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45f2cd0ecb86a471891d2d3f37fa0b2c23dcdb4102e5de83d761e8431e4cdf3b
Instruction ID: d1df097fcf2f67519052a5d9717d27a0b99a24b332c29fb9c9960ec66c528d52
Opcode Fuzzy Hash: 45f2cd0ecb86a471891d2d3f37fa0b2c23dcdb4102e5de83d761e8431e4cdf3b
Instruction Fuzzy Hash: BBF0FFB49142AC8FDF20DF24D8487EEBBB2FB49304F4045D6D10AA3240C7B45A82CF06

Function 05789B50 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1370233510.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5770000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b185a0c79ec5767dccf9f40f562029ef92a8f12694fa0a9ceeb89f0b9c595269
Instruction ID: ca44f778d8e14f2844b3848b333f437ae28635dfe1200cc857b5249f2bee2628
Opcode Fuzzy Hash: b185a0c79ec5767dccf9f40f562029ef92a8f12694fa0a9ceeb89f0b9c595269
Instruction Fuzzy Hash: CEE07574E44208EFCB84EFA8D5456ACBBF5FB89304F1481AA981993351D735AA41DF41

Function 0578DE78 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1370233510.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5770000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b185a0c79ec5767dccf9f40f562029ef92a8f12694fa0a9ceeb89f0b9c595269
Instruction ID: 70bacd8c8b8a38c0aedd94c0b6cdb0ffe9ea5c4b3bc49698c1ab21f196d56841
Opcode Fuzzy Hash: b185a0c79ec5767dccf9f40f562029ef92a8f12694fa0a9ceeb89f0b9c595269
Instruction Fuzzy Hash: FDE0E574E05208EFCB94EFA8D4406ACBBF5FB88300F10C1AAC80893341D7359A02DF40

Function 0547FC10 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369190231.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5470000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c770c86a03b0fa93150e76ad2aa93163adf045dd3d835ae0ed4a2e9359491ebe
Instruction ID: d932a4e233a978740d793d4de09fb65187b26b288e642dd4c3f5d7ce2c0539e8
Opcode Fuzzy Hash: c770c86a03b0fa93150e76ad2aa93163adf045dd3d835ae0ed4a2e9359491ebe
Instruction Fuzzy Hash: F3E0C274E0420CEFCB84DFA8D5406ACBBF4FB88300F1081AA881893341D6359A06DF41

Function 0547DC28 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369190231.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5470000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4ea645664e2fd7227fe4f9c5c030df3d5650eec410455f3099946521395e91f
Instruction ID: eb8593eeb59709ea4dbadb22a1a6c007f307caea1ed0fb1ea21cf1a88b1fa746
Opcode Fuzzy Hash: b4ea645664e2fd7227fe4f9c5c030df3d5650eec410455f3099946521395e91f
Instruction Fuzzy Hash: 48E0E574D0420CEFCB44EFA8D40129DBBB5EB84300F1085AAC80892344E7745A41DF81

Function 05788B58 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1370233510.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5770000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3371085a4fc873d488a76fa535a44cc02deecff338756155626942b8bc1d2f5b
Instruction ID: 53a42938f68caa8d556d78f0686d87ca5ee9668923f95e23cd08a4ec366f9839
Opcode Fuzzy Hash: 3371085a4fc873d488a76fa535a44cc02deecff338756155626942b8bc1d2f5b
Instruction Fuzzy Hash: 34E012B4D48208EBCB44EFA8D4406ACBBF8EB88300F1481EAC84953351CA359A02EB81

Function 0547F5B8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369190231.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5470000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 658b2fe974fd3327ca97aa068022220664c6937dcef8f265337c797249d93b99
Instruction ID: 90ac9d94bde105c3cde0540dc5b2c3c97ea8379f460574c4a3dca95220c4b70b
Opcode Fuzzy Hash: 658b2fe974fd3327ca97aa068022220664c6937dcef8f265337c797249d93b99
Instruction Fuzzy Hash: 89E0BF7491520CEFC784DFA8D58569CBBF4EB48204F1041EA880997351DB319A45DB41

Function 057899B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1370233510.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5770000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7da50a3c0dd113175c54e144206df403894d01a4a011c6dc7d07fc9e80fa3310
Instruction ID: 83cf4f95bfa3bc6a20226e7100590fb40f56da655fe1169ea1f976e095384481
Opcode Fuzzy Hash: 7da50a3c0dd113175c54e144206df403894d01a4a011c6dc7d07fc9e80fa3310
Instruction Fuzzy Hash: E1E0127654120CEFCB45FFF4E80876E77F9EF4A210F8005AAC50997110EA714A04AB52

Function 0578E290 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1370233510.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5770000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb978969c05daf7343d466e05060070dc35d265f04f1f80591fe2e1f899ee4d5
Instruction ID: 84d0e90c44110221b8f866680cb6144aeb5cf41a3f819a1f33ee956e3f8076ba
Opcode Fuzzy Hash: bb978969c05daf7343d466e05060070dc35d265f04f1f80591fe2e1f899ee4d5
Instruction Fuzzy Hash: A1E01274948208DBC744EF94E94197CBBB9FB85314F2081E9CC0917351C7319E42EB81

Function 0547DC78 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369190231.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5470000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d730abdb8cb50bddf269144311b87d2ae6dc6ad40ceca0f48097f224dca68020
Instruction ID: c85bfb6fdab712393d70aec7d527ac2f4750ab23d0195403b0de5ebe2bd51975
Opcode Fuzzy Hash: d730abdb8cb50bddf269144311b87d2ae6dc6ad40ceca0f48097f224dca68020
Instruction Fuzzy Hash: 0CE0ECB4D1920CDFC784DFA8E4496DDBBF4BB08201F1041AAD80993350EB705A50DB51

Function 05473CB0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369190231.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5470000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b46d664b271da2ef243b36d84cff1f78e3f61f2292488bec1392e368befd83a9
Instruction ID: 4be2b05fde8b6e8fbac107d6fae7f3fa777e4ee15d257bfaa0cfbb7d5f6a035a
Opcode Fuzzy Hash: b46d664b271da2ef243b36d84cff1f78e3f61f2292488bec1392e368befd83a9
Instruction Fuzzy Hash: D0E0127654120CEFC745EFF4D40879E77F9EF4A600F9009E6C405A3210EA714A04A752

Function 05478560 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369190231.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5470000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c014349df54860449be7fe617115a6f71d3a6a0ccd160ecbf37c3b7aa4d7a1e0
Instruction ID: d0f4a2a78eb1b33c2757bc09c1cd438210d3e1659dce67d03f0374055487d739
Opcode Fuzzy Hash: c014349df54860449be7fe617115a6f71d3a6a0ccd160ecbf37c3b7aa4d7a1e0
Instruction Fuzzy Hash: DFF0FAB4D0162C8FCBA4DF24DD8479DBBB1BF89241F4051EA954DA3290DB701E81CF16

Function 054770B0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369190231.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5470000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8be497bbaf66cd4c4c7c9c08921feea788b89c65b6cff6f69e2669ed857b75f8
Instruction ID: e7e4d2daa355c8c8cb04f07b46421e82ea29c30f46b03365d17d9d0f2ae38130
Opcode Fuzzy Hash: 8be497bbaf66cd4c4c7c9c08921feea788b89c65b6cff6f69e2669ed857b75f8
Instruction Fuzzy Hash: 57F04E74E04618DFDB58CF69E884BDDB7B2FB0A301F118496E419A7360CB71A985CF11

Function 05541110 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369602166.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: true

Associated: 00000000.00000002.1369263142.0000000005480000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5480000_hm8dCK5P5A.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bef1630fed60e558a6dedefb328e52bbcf1f2c2e7ff7869f479197810924bcbc
Instruction ID: e3b76e5fda157fc0a209ccc6a5732aabe4df759d6e16faf618a1516900ff5271
Opcode Fuzzy Hash: bef1630fed60e558a6dedefb328e52bbcf1f2c2e7ff7869f479197810924bcbc
Instruction Fuzzy Hash: 9BC092325E21002AFAA009D0DFCFFC33A14EB00B06F681082B652E42D2DDC0F14140AA

Function 054776FA Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369190231.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5470000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05d3a856a32d3483429fe080f5993d2a2201e1a436abe73b33b6d181194e502c
Instruction ID: 0ce823196e68bfa3c6e16311876d458d99f0ca67b6bfed288489720d414110cf
Opcode Fuzzy Hash: 05d3a856a32d3483429fe080f5993d2a2201e1a436abe73b33b6d181194e502c
Instruction Fuzzy Hash: 9EC00276E1002A9ACB00DAD9E4408DCB775EB94321B408026D214AA104D631152A8F50

Non-executed Functions

Function 05470040 Relevance: 2.6, Strings: 2, Instructions: 95COMMON

Download Yara Rule

Strings

,, xrefs: 0547010F
T, xrefs: 054710B1

Memory Dump Source

Source File: 00000000.00000002.1369190231.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5470000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID: ,$T
API String ID: 0-1408766685
Opcode ID: d3a1165d12eae6413e298b0ceaf38698b1754d1ad5922990b37fb7b5e6fff4d9
Instruction ID: 8bb5d75308ad255e56c22bca5e39b775c2ecd9c6390315e080c740359d9e8a28
Opcode Fuzzy Hash: d3a1165d12eae6413e298b0ceaf38698b1754d1ad5922990b37fb7b5e6fff4d9
Instruction Fuzzy Hash: A541BB71E156188FEB59CF2BC8446DAFAFBAFC9300F04D0EA954CA7255DB700A868F01

Function 05476520 Relevance: 1.7, Strings: 1, Instructions: 431COMMON

Download Yara Rule

Strings

X[[%, xrefs: 054767D7

Memory Dump Source

Source File: 00000000.00000002.1369190231.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5470000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID: X[[%
API String ID: 0-1566534104
Opcode ID: ce3cd7db50d2e34f6098c8112cb92a26e697e60e4f3f3d8798d1ba0b08eae4c5
Instruction ID: 964fe410b343ece6f535ed12be4b51d6929fdb1931b051e3458f35f1872ed4cc
Opcode Fuzzy Hash: ce3cd7db50d2e34f6098c8112cb92a26e697e60e4f3f3d8798d1ba0b08eae4c5
Instruction Fuzzy Hash: 5A12A170E046189BDB14CFAAC9806DEFBF2BF88304F25C16AD459AB219D734A946CF54

Function 05477C62 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

P, xrefs: 05477D70

Memory Dump Source

Source File: 00000000.00000002.1369190231.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5470000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: 4d64d8b5e940e52c5ef89c41b769bf973769c21ae845089681f8f18c1eeca859
Instruction ID: 495c5eb697bfd432205e9b4dfe50ee87cf0cf367e76c0c7b0a85291c2ea7d82a
Opcode Fuzzy Hash: 4d64d8b5e940e52c5ef89c41b769bf973769c21ae845089681f8f18c1eeca859
Instruction Fuzzy Hash: 82413D71E05A588BEB5CCF6B9C406DEFAF3AFC9201F14C1BAD44DAA265DB3049468F01

Function 05470006 Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

,, xrefs: 0547010F

Memory Dump Source

Source File: 00000000.00000002.1369190231.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5470000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 45ac462fd04633e127f4b5a612900a57c6974bbd0e0cf24703be6fecaa804fd1
Instruction ID: f61f09305b1ed8a7c1a1c4a7b50450d7de07711ee9ed3b754d03bc7fac58c5c0
Opcode Fuzzy Hash: 45ac462fd04633e127f4b5a612900a57c6974bbd0e0cf24703be6fecaa804fd1
Instruction Fuzzy Hash: BE319E71E097588FDB1ACF678C152CABBF7AFC6200F09C1FA9448AA655DB740A458F11

Function 05770040 Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

s, xrefs: 057700FA

Memory Dump Source

Source File: 00000000.00000002.1370233510.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5770000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID: s
API String ID: 0-453955339
Opcode ID: a6b14ba813683b7f7e0bf0e45c9129eeaf4798f1a4e530dc11b852f51c03f885
Instruction ID: 31b19a88f24fa213c0cac4d153a95f42c6decff22b2f84aaa817199020c1c91d
Opcode Fuzzy Hash: a6b14ba813683b7f7e0bf0e45c9129eeaf4798f1a4e530dc11b852f51c03f885
Instruction Fuzzy Hash: 1021A771D04619CBEB68CF6B9858399FAF7ABC8304F14D0FAD40CA6255EB740A859F10

Function 0577003B Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

s, xrefs: 057700FA

Memory Dump Source

Source File: 00000000.00000002.1370233510.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5770000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID: s
API String ID: 0-453955339
Opcode ID: b55914acbe62d1d009d7199802326ca30793a58c013dbea111ffe8bb9ea7b547
Instruction ID: b055944a71457ba717267e3517d7d0105eb90e32a73187bd63b6135c94b61d29
Opcode Fuzzy Hash: b55914acbe62d1d009d7199802326ca30793a58c013dbea111ffe8bb9ea7b547
Instruction Fuzzy Hash: BF219571D047198BEB68CF6B984879ABAF7ABC8304F14D0FAD40CA6255EB740A859F10

Function 0561D678 Relevance: .6, Instructions: 641COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1370007095.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5610000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a7a4c3fd42aafc5c464600d615155017504a775c366a605344c17f5ef114dad
Instruction ID: 35681aec0bebf89820fff01610a4eb27db6059f357ab0415c5140ac2497a2319
Opcode Fuzzy Hash: 1a7a4c3fd42aafc5c464600d615155017504a775c366a605344c17f5ef114dad
Instruction Fuzzy Hash: 32716B74A04218CFDB54EF69D854BAAB7B2FB89300F0480A9E40AE7395DB349D4ADF04

Function 05550888 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369654367.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5550000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8051a84dabd08db51b7140e475ba85fdb36cb06554b34181ca2ef39bcc7c5735
Instruction ID: 2cff7e266d5bdf9f0ca04c2449cea14bf3c7c6583cb69dbd21b2e4c8a3148aef
Opcode Fuzzy Hash: 8051a84dabd08db51b7140e475ba85fdb36cb06554b34181ca2ef39bcc7c5735
Instruction Fuzzy Hash: 35E1F474D0022DCFEB24CFA8C894BDDBBB1BF49314F1081AAD809A72A0DB709985CF55

Function 05293E38 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1368207318.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5290000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e045a8768a044beead9a7a57af46e72a55ca22e41b93535d39cdfd3ed5651d8
Instruction ID: 5d1d0b70ed710c444f8591e2ac5b1b88c2a603dd039612ce58e4583e9596083c
Opcode Fuzzy Hash: 4e045a8768a044beead9a7a57af46e72a55ca22e41b93535d39cdfd3ed5651d8
Instruction Fuzzy Hash: 2BC16575E016588FDB58DF6AC944ADDBBF2BF89300F14C1AAD809AB365DB305A81CF50

Function 0561E080 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1370007095.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5610000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 901103e88786ae2c7f23bb65a21dfb0e27af59240af770ee770b4a87473b5af0
Instruction ID: d06b42434ef5fbf50e74036dc77b3996d2a908bcb954f1b5a0c34f6eb2276da3
Opcode Fuzzy Hash: 901103e88786ae2c7f23bb65a21dfb0e27af59240af770ee770b4a87473b5af0
Instruction Fuzzy Hash: 28A11774A08218CFDB14DFA9D854BAEBBF6FB48300F14812AE805A7395DB759D4ACF44

Function 055754B0 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369779574.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5570000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 293ea4ac87c8222b2056083f1fddbee529139866be29c55bf490bccc75046b43
Instruction ID: 17f4a358a1e20f2c45deb528d26616af568d58893b57da4ae09f83df86e5f505
Opcode Fuzzy Hash: 293ea4ac87c8222b2056083f1fddbee529139866be29c55bf490bccc75046b43
Instruction Fuzzy Hash: A9A1E274D0924CCBDB24CFAAE448BEDBBF2FB49304F549069D019A7291E774498ACF45

Function 055754C0 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369779574.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5570000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81fbd29685bdf7a757c818ee010bdfa693d85a71617bcf2db6e63f860244e557
Instruction ID: f347f8bd02ff70918fce8e55da757c079cc0d882fe22a9b3355c7d905690354e
Opcode Fuzzy Hash: 81fbd29685bdf7a757c818ee010bdfa693d85a71617bcf2db6e63f860244e557
Instruction Fuzzy Hash: EFA1D274D4920CCBDB24CFAAE448BEDBBF2FB49304F549069D019A7291E778498ACF45

Function 05557118 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369654367.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5550000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ace52ce05d0aa1fdbbec99cbd32c18594b4999e36dcbc0e5a0ca3ac5dd80e502
Instruction ID: f6c58944fea6a8cbf295d5d0e405789e1fa665fe3843ff5a0b6446c67dc519b9
Opcode Fuzzy Hash: ace52ce05d0aa1fdbbec99cbd32c18594b4999e36dcbc0e5a0ca3ac5dd80e502
Instruction Fuzzy Hash: 12914874E18218CFDB54DFA9D894BADBBF2FB49350F10806AE40AA7355DB349986CF40

Function 05557128 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369654367.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5550000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58b5dc59d3399161711ec8774eca6e2d94d4f77653538af9d221e3005709cf37
Instruction ID: 9da7c1754b1b7503f0c217769ff4ba121879411bd038e96ed210f5cd4f178b5b
Opcode Fuzzy Hash: 58b5dc59d3399161711ec8774eca6e2d94d4f77653538af9d221e3005709cf37
Instruction Fuzzy Hash: C0912874E18218CFDB54DFA9D894BADBBF2FB49350F10806AE40AA7355DB349986CF40

Function 0555741D Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369654367.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5550000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 513992700ea5292417aca19feb4937e6d7af2d8eafebec549762e3d7d240ba21
Instruction ID: 242af1d2ab59005c9cbf95f781f19df3e201b82adf3ea3236e18b71c45d4a492
Opcode Fuzzy Hash: 513992700ea5292417aca19feb4937e6d7af2d8eafebec549762e3d7d240ba21
Instruction Fuzzy Hash: 1F914774E18218CFDB54DFA9D894BADBBF2FB49350F10806AE40AA7355DB349986CF40

Function 0561DA20 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1370007095.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5610000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eefcbde6282046dd1a90283b8b270c2728c9bf1adaa2b84f6899fe8fffda3e52
Instruction ID: 61951354a0e73ba808ed8d629d4cac87766690b42788a7a4c3fcc40765e88ac1
Opcode Fuzzy Hash: eefcbde6282046dd1a90283b8b270c2728c9bf1adaa2b84f6899fe8fffda3e52
Instruction Fuzzy Hash: D5716974A04218CFDB44EF69D854BAAB7B2FB89300F0480A9E40AE7395DF749D4ADF54

Function 0578E628 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1370233510.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5770000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37f2a30735b57acfafef24e77a0aabf52f396dbd41ac8aa3d2f9419fc7ca1c8b
Instruction ID: fa7d65123791e044599103acb51d0a57cf812d3de43e6db4138054201baf4917
Opcode Fuzzy Hash: 37f2a30735b57acfafef24e77a0aabf52f396dbd41ac8aa3d2f9419fc7ca1c8b
Instruction Fuzzy Hash: 05712E74A54218CFDB94EF69D844BADBBF6FF49300F1080A9E80AA7391DB349985DF01

Function 05476512 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369190231.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5470000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848029bd2c73cbc65144542544ed00afbd7420d6b72d316b407035a96dbcafe7
Instruction ID: 24123667441dc99b84932e981006a4930ec984083049396fca3cad08518a3e58
Opcode Fuzzy Hash: 848029bd2c73cbc65144542544ed00afbd7420d6b72d316b407035a96dbcafe7
Instruction Fuzzy Hash: A34146B5E016188BDB08CFABD94469EFBF3BFC8300F15C06AD958AB264DB3459468B54

Function 028D1087 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1346014766.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28d0000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb83e1bd290ad893b36aafff25533dba0490cbbcb3009b66d5802b7441dd2312
Instruction ID: 0c6d21ac92931d595195668b5c16462f7c1a0e4012dd8508463fd4c8488a05c3
Opcode Fuzzy Hash: eb83e1bd290ad893b36aafff25533dba0490cbbcb3009b66d5802b7441dd2312
Instruction Fuzzy Hash: 194112B8D143489FEB10CFA9D885B9DBBF1BB09304F24942AE819AB350D7749889CF45

Function 05290718 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1368207318.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5290000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1df36050cd990fce3956ca943b9c90b9e6bfd886cd82d303cdee9d839a63a09d
Instruction ID: f7d733c60ebfa1c20aaa03c3522a26dbc809fd2c711ec24500fcb8ba2a17573b
Opcode Fuzzy Hash: 1df36050cd990fce3956ca943b9c90b9e6bfd886cd82d303cdee9d839a63a09d
Instruction Fuzzy Hash: 9A51A5B4D1562C8FEB68DF66D8587D9BBF2BF88300F10C1AAC40DA6264DB740A85DF51

Function 028D1094 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1346014766.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28d0000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bad6cd14ebbabfd431610c4eda1f9dd6b1e40097a25cee96b970a2070fd23407
Instruction ID: e8c3173a6178d943399a165925a62e21337fbfdf3865a33b31bca1fa188b543b
Opcode Fuzzy Hash: bad6cd14ebbabfd431610c4eda1f9dd6b1e40097a25cee96b970a2070fd23407
Instruction Fuzzy Hash: 3641EFB8D1034C9FEB14CFA9D885B9DBBF1BB09304F209529E819AB250D7749889CF45

Function 028D1698 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1346014766.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28d0000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bef6b3f4070490e763070037af4d09663c1fe46e5177e56ce3d58aab2f7af33
Instruction ID: 7a58d8139367857b3ee3bff8dd6ec2f357220da26c7b733ef62ce2b6d2fa7461
Opcode Fuzzy Hash: 6bef6b3f4070490e763070037af4d09663c1fe46e5177e56ce3d58aab2f7af33
Instruction Fuzzy Hash: 10512CB5D056588BEB68CF2B8D447CAFAF7AFC9300F54C1FA844CA6254EB700AC58E11

Function 028D1688 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1346014766.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28d0000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 799e933593f23c2224b87122c8d9178b1b43894cae2974c7c413ab6188d84d2b
Instruction ID: 98b94e76dff6e063a45c2667bddc54ac4e4128e155e09fbc2f9aee6c91220074
Opcode Fuzzy Hash: 799e933593f23c2224b87122c8d9178b1b43894cae2974c7c413ab6188d84d2b
Instruction Fuzzy Hash: 8A511E75D056588BEB6CCF2B8D556CAFAF3AFC9300F44C1FA944CA6254DB704AC58E11

Function 05618C9F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1370007095.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5610000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a514a8fe8192ff90e27c8d344fc84583b68cf70d9a6f36a83b57755260742ee
Instruction ID: cbebb411b6a9942304ae053a7825aa7c8e5e8935ce694fff321862b926eb5ad4
Opcode Fuzzy Hash: 9a514a8fe8192ff90e27c8d344fc84583b68cf70d9a6f36a83b57755260742ee
Instruction Fuzzy Hash: E13102B5C042489FCB10DFA9D884AEEFBB1FF4A310F18905AE81577211D7356905CFA4

Function 056196A0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1370007095.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5610000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d5cf8b05968bc6d6a51f89407983e90c379d328a96c6b26b088e57c59d4be8e
Instruction ID: 86a68c34a6ef722880d7af309f9b118249fec43640b80262bc968fe45b6be4a1
Opcode Fuzzy Hash: 8d5cf8b05968bc6d6a51f89407983e90c379d328a96c6b26b088e57c59d4be8e
Instruction Fuzzy Hash: 6531CA70E046188BEB58DF6AC9547AEFBF6AF88300F14C16AC409B7254DB701A81CF50

Function 05290708 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1368207318.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5290000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67bc453aa83a96555207a572c51a6a26969dc97d93930eabc71a16c6a06012c8
Instruction ID: 239306bcc95065dea90ed2c6029252572478549454dec712764458d7c8e066e5
Opcode Fuzzy Hash: 67bc453aa83a96555207a572c51a6a26969dc97d93930eabc71a16c6a06012c8
Instruction Fuzzy Hash: 1731A8B5D156188BEB58CF6BD85878EFBF3AFC8304F14C1A9C44CA6264DB7409498F41

Function 0529C1F0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1368207318.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5290000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82ba6b8a2b14b1e8cb4896251c495fcd4d14b9223c3a61de49c8a015b40723ba
Instruction ID: a17bb4749817d87dfb47b6a9cd89af92054fce44d3719d10353517a7a62902b2
Opcode Fuzzy Hash: 82ba6b8a2b14b1e8cb4896251c495fcd4d14b9223c3a61de49c8a015b40723ba
Instruction Fuzzy Hash: 7321B471D146588BEB6CCFAAC9447DDFBF7AFC9300F14C0AA9409AB254DB740A858F50

Function 05618CD0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1370007095.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5610000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18a966a3620b65414198636955c1fd8894cc88817314623c3787956e09ba1c34
Instruction ID: 1f40429217743a3d02a76daefa5a47efc8566fdcc4c204947f1605ba3c3e3bc4
Opcode Fuzzy Hash: 18a966a3620b65414198636955c1fd8894cc88817314623c3787956e09ba1c34
Instruction Fuzzy Hash: B121EFB5D042189FCB14CFA9D880AEEFBF1FB49310F14901AD815B7210C7356945CFA4

Function 0557C4F8 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369779574.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5570000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e13602ef920f066a4a31187c043f94f4d0471a6de3f494fc8d00acd62c1958
Instruction ID: ab9d5aa949144599033351a1893a4213fb5b3a447636bb975ca7efb052ef5b85
Opcode Fuzzy Hash: c3e13602ef920f066a4a31187c043f94f4d0471a6de3f494fc8d00acd62c1958
Instruction Fuzzy Hash: AC21AFB1E046189BEB18CFABE9443DEBBF7BFC9300F14C0AAD509AA254DB7509458F51

Function 0557C4E9 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369779574.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5570000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01966ae7eee75ddd73abe91d90548a4cdb11f033dcb96b4b101f9547996a883f
Instruction ID: 5ec33c508ea74f62221af9550a04aa79af4be97dcf7b0691b85dfd9ccfe16706
Opcode Fuzzy Hash: 01966ae7eee75ddd73abe91d90548a4cdb11f033dcb96b4b101f9547996a883f
Instruction Fuzzy Hash: 8621E3B1E046189BEB18CFABD9443DEFAF7BFC8300F14C16AD409AA254DB7509458F40

Function 05576E31 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369779574.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5570000_hm8dCK5P5A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfe9ca165655771e2a33d25cdff920a9520be1945a53f26f33bda16ed271a734
Instruction ID: ccc853aaebdc63461b7921c2da18a8ca30a33ced31327ea954fbbd4e36f89f3e
Opcode Fuzzy Hash: bfe9ca165655771e2a33d25cdff920a9520be1945a53f26f33bda16ed271a734
Instruction Fuzzy Hash: A1214CB1E046198BEB29CF1BCD407DABAF7BFC9200F04C1FAC518A6255DB344A858F55

Analysis Process: InstallUtil.exePID: 8108, Parent PID: 3968COMMON

Executed Functions

Function 03042DBF Relevance: 1.5, Strings: 1, Instructions: 249COMMON

Download Yara Rule

Strings

pB, xrefs: 03042F41

Memory Dump Source

Source File: 00000002.00000002.2579914733.0000000003040000.00000040.00000800.00020000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3040000_InstallUtil.jbxd

Similarity

API ID:
String ID: pB
API String ID: 0-1406979542
Opcode ID: 01a020826adf4b1d42c117df1d0a018866abeb28907023b12041a4028b9d4c5c
Instruction ID: b5780132d7e883ee9f8213384621b30040f4d8691c25a0612b466d0505825245
Opcode Fuzzy Hash: 01a020826adf4b1d42c117df1d0a018866abeb28907023b12041a4028b9d4c5c
Instruction Fuzzy Hash: 0BA14CB8B01205CFD744CF68E598BA9B7F6FB88310F2589B5E4069B365CB749E91CB10

Function 03046C30 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2579914733.0000000003040000.00000040.00000800.00020000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3040000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d27e3df9d95399170f9cac7e9dbcc2ba1de1c148d0ff7215f8788c746f031bdc
Instruction ID: b398d2470e78572d5e63425be87f36c5a20027164452bd1fd198cac963629725
Opcode Fuzzy Hash: d27e3df9d95399170f9cac7e9dbcc2ba1de1c148d0ff7215f8788c746f031bdc
Instruction Fuzzy Hash: 1AC1A1B1E0122D8FCB15CBA9C8806ADF7F1FB89300F5885A9D455E7241E735EE42CB90

Function 03044438 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2579914733.0000000003040000.00000040.00000800.00020000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3040000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 296ab851c9ce0372bb53597d7030cebbd8e0f43e374927c820ed9391ef5d09f0
Instruction ID: 833a513a136b7e35f740244d152703105c76b0297165292533a98f789f385f94
Opcode Fuzzy Hash: 296ab851c9ce0372bb53597d7030cebbd8e0f43e374927c820ed9391ef5d09f0
Instruction Fuzzy Hash: B6B1ACB4A012149FCB14DF29D984A5EBBF2FF89300F1581A9E815AB3A1DB34ED05CF95

Function 03041691 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2579914733.0000000003040000.00000040.00000800.00020000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3040000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ea361d6da3cc763160e190ce84cca6f4b16bbd130e8f32fafe43b635d2a779b
Instruction ID: 997b0b902b43229ac969de8cf1903bd94a0150d2c264cc253c3ef9d13490ce1f
Opcode Fuzzy Hash: 4ea361d6da3cc763160e190ce84cca6f4b16bbd130e8f32fafe43b635d2a779b
Instruction Fuzzy Hash: F951C2B4D0E3859FC726CB7899902AABFB0FF07240F5985E7C494CE192D2385A86C712

Function 03044428 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2579914733.0000000003040000.00000040.00000800.00020000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3040000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f3b59c7c0d5e92d3c0c0ecedf306d485c157edfc811c40303116a4ec1767025
Instruction ID: 8d570f2a9645fd542dc015ed16fc308a230ced0052de51f73455c4fd018d553b
Opcode Fuzzy Hash: 0f3b59c7c0d5e92d3c0c0ecedf306d485c157edfc811c40303116a4ec1767025
Instruction Fuzzy Hash: B57169B4A01604DFCB14DF29D588A59BBF6FF89310B15C2A8E816AB361DB70ED41CF94

Function 030418F0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2579914733.0000000003040000.00000040.00000800.00020000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3040000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c59cccb8e64603eb7f84c9648bf6b262dcb3c37850c0cb1456fc515d21293456
Instruction ID: 4c31e298de4e2764bb5d987024300163fd6e65d4e283b5edf22e3300ee4f9cf8
Opcode Fuzzy Hash: c59cccb8e64603eb7f84c9648bf6b262dcb3c37850c0cb1456fc515d21293456
Instruction Fuzzy Hash: A6518CB4701205CFD718CB69D448BAAB7F6FB88321F1885B5E4069B3A4DB75DE81CB50

Function 030418E2 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2579914733.0000000003040000.00000040.00000800.00020000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3040000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 016efae081d0d11f476a9712982cd90dc3e124b85f0d636f4b2ea93fb01746ca
Instruction ID: 870c07ede7565333f3a5ef660bdcfebd659c6bb1fd04c797f7bb9de67acdab9e
Opcode Fuzzy Hash: 016efae081d0d11f476a9712982cd90dc3e124b85f0d636f4b2ea93fb01746ca
Instruction Fuzzy Hash: 975181B5701205CFD718CB68D448BA9B7F2FB88311F1885B4E4469B3A5DB75DE82CB50

Function 0164D3B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2579664123.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_164d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5543c24b87fcbc410d7196a7b1af2f5831cb73bf7b48f4fad6ef42a2f5dda3a
Instruction ID: abf62fd493dda7f2e49488f395f74c6fdd065918059811c043fde876a0d97ed9
Opcode Fuzzy Hash: a5543c24b87fcbc410d7196a7b1af2f5831cb73bf7b48f4fad6ef42a2f5dda3a
Instruction Fuzzy Hash: EB2145B2A00200DFDB06DF94CCC0B66BB61FBA4324F24C169E9090B647C336E456CAA2

Function 03043E72 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2579914733.0000000003040000.00000040.00000800.00020000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3040000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3f34423c7f5713c6906388ca96f983b9ec29c357acf4f96d66454a50af03041
Instruction ID: d0fd1e1da1e47c833ab0ec8101fc98d3686004ad7a053972705ae5ef94a15ab8
Opcode Fuzzy Hash: e3f34423c7f5713c6906388ca96f983b9ec29c357acf4f96d66454a50af03041
Instruction Fuzzy Hash: D621E1B8607245CFCB84CF69E49879877E2EF85315F09C0E9C900872A6C7789D17CB02

Function 0164D3AF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2579664123.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_164d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
Instruction ID: 9a598848d6d9896e7c2734bac98b363be549ba7fd9a25a6f196509898bc0196d
Opcode Fuzzy Hash: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
Instruction Fuzzy Hash: 8F11E176905280CFCB12CF54D9C0B56BF71FB94314F24C5A9D8490B657C33AE456CBA1

Function 0304A630 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2579914733.0000000003040000.00000040.00000800.00020000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3040000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3acdb78a9f44959bdc2843b6854dfa8a0cf804673a21056a9ce22f2c29713a61
Instruction ID: 4741a307b140ea60de2307c8f4857440ee5bc01cc713c7387a56a13533780c83
Opcode Fuzzy Hash: 3acdb78a9f44959bdc2843b6854dfa8a0cf804673a21056a9ce22f2c29713a61
Instruction Fuzzy Hash: 3201B5753002245FE708DA7A8C54B6B76EBFFC9610F64406DA50AEB391DD60EC0147A0

Function 03210DB8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2580200270.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3210000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12ee0c139b39fa5de4932de59ee16760c689ecca6b66f73dc0d15534b5610d62
Instruction ID: 6a507478eb4b690533e7a75696a11b9888077e4d9fc2b2650b7d09ef78626e11
Opcode Fuzzy Hash: 12ee0c139b39fa5de4932de59ee16760c689ecca6b66f73dc0d15534b5610d62
Instruction Fuzzy Hash: 9E113A30916208EFD700DFA8DA8839EBBF5FB58314F24C0E5D50597258D7B86AD5CB91

Function 03210DC8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2580200270.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3210000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e8d51e14998409669b5c547bbc136f2e15c5c8d307c342d5b1f94e95272a415
Instruction ID: b3f85fbbfb5d41aed8990fa739fbe6e73264f484c60d70605b130105f7343d54
Opcode Fuzzy Hash: 1e8d51e14998409669b5c547bbc136f2e15c5c8d307c342d5b1f94e95272a415
Instruction Fuzzy Hash: 45112770919208DFD700EFA9DA8839EBAF6FB58314F20C0E5D50697248D7B46AD5CB91

Function 030417C0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2579914733.0000000003040000.00000040.00000800.00020000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3040000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5077acb8ccce76af4a93cd0b5c2b3fd17f3759c924812c1d90efccca01c1268e
Instruction ID: 057696f80e0c9625ff85b2d315e66ec0cee991230b592dd61d680e120804619c
Opcode Fuzzy Hash: 5077acb8ccce76af4a93cd0b5c2b3fd17f3759c924812c1d90efccca01c1268e
Instruction Fuzzy Hash: 3711C9B4D06309EFDB48DFA9E68469EBBF6FB84340F10C4BAC40593600E7785B859B41

Function 03210C50 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2580200270.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3210000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 772cc14c7957b9152dc50bd9ac7a5e9eec94cff9dd5b14518c6393e211820b99
Instruction ID: bf3967f9317f5facb3ca7d34d3b5db6c0526911ed27840132bc89334f52f7c42
Opcode Fuzzy Hash: 772cc14c7957b9152dc50bd9ac7a5e9eec94cff9dd5b14518c6393e211820b99
Instruction Fuzzy Hash: B5F024A660A2908FC302DBBCC8618257FE4EFAB16034980DBD846CF377DA15DD91DB61

Function 0304091D Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2579914733.0000000003040000.00000040.00000800.00020000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3040000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69be0c4eec78b81d6ed2438bf196c56df959c743224f9a21db854a794f43c2a9
Instruction ID: c31bb5cd0a70bd211254cb5cac38c1a2a642ef5e823d7f6e95bbd62af2a3400d
Opcode Fuzzy Hash: 69be0c4eec78b81d6ed2438bf196c56df959c743224f9a21db854a794f43c2a9
Instruction Fuzzy Hash: BBE0C235C0F7D46FD36387B00824069BFB09D8312038D88EFC1D5DA463D0918D05CB22

Function 03042D3A Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2579914733.0000000003040000.00000040.00000800.00020000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3040000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bdf285aa7eee2e272fedb68575a202ef50c0dd5344f1f53dc75d330b0e9f92d
Instruction ID: 637aa2a5de30a6501a0dbd4be3311e35c2958da481d82168bbeecfeea44b8973
Opcode Fuzzy Hash: 2bdf285aa7eee2e272fedb68575a202ef50c0dd5344f1f53dc75d330b0e9f92d
Instruction Fuzzy Hash: 9CF065357052248FC744DB78D458E5577F5EF4E22435940E5F50ADB366CA35AC01CBA1

Function 03210C11 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2580200270.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3210000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 008007d6502bfd2e34895e00da03753541a081a547f2f5434e2a4b6df9db06f7
Instruction ID: 64a530a1a869744d3d8fd13ba4b5fed19e98a6c5fe5c5fe5be85080fb1c8e5a1
Opcode Fuzzy Hash: 008007d6502bfd2e34895e00da03753541a081a547f2f5434e2a4b6df9db06f7
Instruction Fuzzy Hash: CDE0DF387052149FC704DBACD860C653BE9AF8E26430940EAE809CF362DA21EC10CBA0

Function 03042D88 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2579914733.0000000003040000.00000040.00000800.00020000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3040000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95f08dbf9fb9f58d2ca95937bb5330e33390284713936dd337b3733badb8a3dc
Instruction ID: d0c4cf244a5645ec81521fddc42e373c2c2fd3540fed6b74ec1eafbc6cc1ba57
Opcode Fuzzy Hash: 95f08dbf9fb9f58d2ca95937bb5330e33390284713936dd337b3733badb8a3dc
Instruction Fuzzy Hash: E6E0D8347043408FC7108BB8D4184A93BF4AF4631431440DAE445C7332C6259D21CB80

Function 03044000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2579914733.0000000003040000.00000040.00000800.00020000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3040000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdf3f9bb912371c7fc7104683a2733f63aac2864e4473b362989fdbe29f0e8f6
Instruction ID: ecc22c4b2fef79ac2f1af9af8245bdeb7eadbb3f12eb59a220c0198a0059cdd7
Opcode Fuzzy Hash: fdf3f9bb912371c7fc7104683a2733f63aac2864e4473b362989fdbe29f0e8f6
Instruction Fuzzy Hash: A2F098B0900B518FC338DF2ED444516FAF2BF99620714CB6DD4AA977A1D730A9058B91

Function 03045209 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2579914733.0000000003040000.00000040.00000800.00020000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3040000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa3e6b7002e6f7e98e8aa1f79cf5638569906d8bc3657ea324934bde928a0807
Instruction ID: 927e2a82904bf27c5717b00f2dd4875752e1220c5dff658aee9b6dfb3bfbdd9d
Opcode Fuzzy Hash: aa3e6b7002e6f7e98e8aa1f79cf5638569906d8bc3657ea324934bde928a0807
Instruction Fuzzy Hash: 32E01A787111449FDB04DB75EA589ADB7B3EB89210B148039E91297361DA31DD059B11

Function 03210C20 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2580200270.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3210000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db5d2d347355e9aaaa1b0d619ee91e46d09e336e19103deadbd1b9245f55f0a9
Instruction ID: 140aeb341584a3d7f7e2302b902e3e7333549c70bd33800c0aa4ff976331a73d
Opcode Fuzzy Hash: db5d2d347355e9aaaa1b0d619ee91e46d09e336e19103deadbd1b9245f55f0a9
Instruction Fuzzy Hash: ACD05E357402148F8708EB7DD454C5977EAEF8D6A034540AAE90ECB375DE21EC00CBD0

Function 03041B81 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2579914733.0000000003040000.00000040.00000800.00020000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3040000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d809150db54f2abc71daff4d8022019ba9d1eedf4b36e3ec8b022902c41797f6
Instruction ID: 9fed595819fb0c8b721c5b050e09be606e1a79ce851efc91d010f3e435bc64e4
Opcode Fuzzy Hash: d809150db54f2abc71daff4d8022019ba9d1eedf4b36e3ec8b022902c41797f6
Instruction Fuzzy Hash: 93E08C6090C3C18FDF36CB30D868228BFA1EB13228F0C84DEC0C28B292E2686190D356

Function 03042D98 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2579914733.0000000003040000.00000040.00000800.00020000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3040000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0e26fa4ebc152971be7aa00e134e7c48378f79576e30df853944f8a8da8adce
Instruction ID: b4c8a458768f79333529450e1f48741c7afbd9354fa44e2b7aed1c8ed2cb609c
Opcode Fuzzy Hash: e0e26fa4ebc152971be7aa00e134e7c48378f79576e30df853944f8a8da8adce
Instruction Fuzzy Hash: 61D0C9397503148FCB14ABBDE40C85E3BE9AF8A6B930040A5F50AC7734DE75AD018BD0

Function 03041C10 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2579914733.0000000003040000.00000040.00000800.00020000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3040000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09b18a2d150f18403db46917b19983117f6f43ee3dba02c3340fc15f3148d1bf
Instruction ID: 65eb5e6426c30053b1f3bf2bfa64bf9d8373f5e295bc6153a3b1281c96b38b7d
Opcode Fuzzy Hash: 09b18a2d150f18403db46917b19983117f6f43ee3dba02c3340fc15f3148d1bf
Instruction Fuzzy Hash: 36D0123140A3545FCB15BBE4AD5A8AB7FBCDE46140B490CD2F848AB117C614771097F2

Function 03211922 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2580200270.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3210000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c16a43247a2a8c80788f36631fcff5d726b64df550235951f2d1da6756a9d25f
Instruction ID: 47080254710e9619e1b74ce6a0c1e255508c94c0bd0903225e7730df1b70320a
Opcode Fuzzy Hash: c16a43247a2a8c80788f36631fcff5d726b64df550235951f2d1da6756a9d25f
Instruction Fuzzy Hash: E8D012F5F203008BCB104A34591C25875A1B795331F254B39D413E33D4FB34CD518700

Function 03047676 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2579914733.0000000003040000.00000040.00000800.00020000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3040000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84bc5cf68fe58272eeead07c84496204a9d08032be512394e110ba056d1d6469
Instruction ID: f8c598df3cef8a3a692e65b5941b42fa969aa85e83973d952d78e4db439087a5
Opcode Fuzzy Hash: 84bc5cf68fe58272eeead07c84496204a9d08032be512394e110ba056d1d6469
Instruction Fuzzy Hash: 94D0C9783102008FCB00DB24E998A5837A1FF85615F0085A4E6468B371CB759D45CF42

Function 03042602 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2579914733.0000000003040000.00000040.00000800.00020000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3040000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74d48da5317e4e5704927a6a640dc8a585e00b23d4298707e2f79046b7a2da41
Instruction ID: d65e756cb4a144ccbee5a45c94db80120a9c8fbac318db6a148e27d577ae68ec
Opcode Fuzzy Hash: 74d48da5317e4e5704927a6a640dc8a585e00b23d4298707e2f79046b7a2da41
Instruction Fuzzy Hash: 24C08C3020821287D31CAA28AC1872C3A16E780A44B408628C4438B364CF180D4583FB

Function 03218A30 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2580200270.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3210000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 339d7ded3e9f185adc0dc963f54be9fc453f098827e0287a9d2e407e34a8f9e9
Instruction ID: 51c959987242a981ec4cd4f606905d88797bca64d4b4f0524ec8f15de2bbf3f9
Opcode Fuzzy Hash: 339d7ded3e9f185adc0dc963f54be9fc453f098827e0287a9d2e407e34a8f9e9
Instruction Fuzzy Hash: 1FA02238002B0C82820032B02200223B3CC0802C0838000B8830C0CA3008F3F0F0C0C0

Function 03041C20 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2579914733.0000000003040000.00000040.00000800.00020000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3040000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fcdb3046b5265a9987fb2758e69caa58f3eb80ae812a8488ad66978a3ddaf9f
Instruction ID: e4bbb545dd6f21fa21590d43ea1bfcc0300c99588edfae31fc847ebdf16ba44c
Opcode Fuzzy Hash: 7fcdb3046b5265a9987fb2758e69caa58f3eb80ae812a8488ad66978a3ddaf9f
Instruction Fuzzy Hash: 9DA0223000030C8B02083BE8320E08E3F2CC8800E838000A0E00C0000A0E00200002B3

Function 03040940 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2579914733.0000000003040000.00000040.00000800.00020000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3040000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bcc6e33904d80dbc9967eef171c98bca9f9562def92fac47930266debd59650
Instruction ID: fbceb8bb8abad3ee913776baa65d7832756d01831d044d2bc1c841ab77deb7a1
Opcode Fuzzy Hash: 7bcc6e33904d80dbc9967eef171c98bca9f9562def92fac47930266debd59650
Instruction Fuzzy Hash: 7990023204870C8B855037957809596775CA54C5377854155E50E415155A95A4504695

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report hm8dCK5P5A.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\IsSynchronized.exe

C:\Users\user\AppData\Roaming\IsSynchronized.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsSynchronized.vbs

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

Windows Analysis Report
hm8dCK5P5A.exe

Function 05616CB0 Relevance: 3.1, Strings: 2, Instructions: 614
COMMON

Function 052963CF Relevance: 2.6, Strings: 1, Instructions: 1355
COMMON

Function 05293E48 Relevance: 2.2, Strings: 1, Instructions: 983
COMMON

Function 0561A621 Relevance: 1.6, APIs: 1, Instructions: 108
nativeCOMMON

Function 0561A628 Relevance: 1.6, APIs: 1, Instructions: 105
nativeCOMMON

Function 05470556 Relevance: 3.8, Strings: 3, Instructions: 34
COMMON

Function 0561B1D4 Relevance: 1.8, APIs: 1, Instructions: 268
processCOMMON

Function 0561B1E0 Relevance: 1.8, APIs: 1, Instructions: 261
processCOMMON

Function 0561C440 Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON