Edit tour

Windows Analysis Report
8qQwTWK3jx.exe

Overview

General Information

Sample name:	8qQwTWK3jx.exe renamed because original name is a hash value
Original sample name:	f35ce728a584e05ae638cee5ed5a109d2911a79d96244357b52be848cc0308f8.exe
Analysis ID:	1588167
MD5:	01b0429b0912380fd5d2df6de3ee9e06
SHA1:	ff819ec87fc8a86e4081b9b916884952a70f19f4
SHA256:	f35ce728a584e05ae638cee5ed5a109d2911a79d96244357b52be848cc0308f8
Tags:	exeuser-adrian__luca
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected AntiVM3

AI detected suspicious sample

Drops VBS files to the startup folder

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to call native functions

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

One or more processes crash

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

8qQwTWK3jx.exe (PID: 7844 cmdline: "C:\Users\user\Desktop\8qQwTWK3jx.exe" MD5: 01B0429B0912380FD5D2DF6DE3EE9E06)

InstallUtil.exe (PID: 7928 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

WerFault.exe (PID: 8064 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7928 -s 1144 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1388208463.00000000050D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1374161661.00000000027A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: 8qQwTWK3jx.exe PID: 7844	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: 8qQwTWK3jx.exe PID: 7844	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: InstallUtil.exe PID: 7928	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.8qQwTWK3jx.exe.50d0000.4.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Sigma Signatures

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\8qQwTWK3jx.exe, ProcessId: 7844, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Current.vbs

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Current.exe	ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Roaming\Current.exe	Virustotal: Detection: 66%			Perma Link

Multi AV Scanner detection for submitted file

Source: 8qQwTWK3jx.exe	ReversingLabs: Detection: 82%
Source: 8qQwTWK3jx.exe	Virustotal: Detection: 66%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Current.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 8qQwTWK3jx.exe

Joe Sandbox ML: detected

Source: 8qQwTWK3jx.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 8qQwTWK3jx.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: InstallUtil.pdb>>< source: InstallUtil.exe, 00000002.00000002.2614829887.0000000004DF0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb) source: InstallUtil.exe, 00000002.00000002.2610479189.0000000000988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdba source: InstallUtil.exe, 00000002.00000002.2610479189.0000000000910000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb1 source: InstallUtil.exe, 00000002.00000002.2610479189.0000000000988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2610479189.0000000000988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 8qQwTWK3jx.exe, 00000000.00000002.1389792878.00000000056F0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: ((.pdb source: InstallUtil.exe, 00000002.00000002.2609969864.0000000000588000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 8qQwTWK3jx.exe, 00000000.00000002.1389792878.00000000056F0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdbn source: InstallUtil.exe, 00000002.00000002.2610479189.0000000000910000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: 8qQwTWK3jx.exe, 00000000.00000002.1387855327.0000000005050000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: 8qQwTWK3jx.exe, 00000000.00000002.1387855327.0000000005050000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbk source: InstallUtil.exe, 00000002.00000002.2610479189.0000000000988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2614829887.0000000004DF0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2610479189.0000000000988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: o.pdb source: InstallUtil.exe, 00000002.00000002.2609969864.0000000000588000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: oC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2609969864.0000000000588000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdb source: InstallUtil.exe, 00000002.00000002.2610479189.0000000000988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2614829887.0000000004DF0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2610479189.0000000000988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2610479189.0000000000988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\InstallUtil.pdbd source: InstallUtil.exe, 00000002.00000002.2610479189.0000000000988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb. source: InstallUtil.exe, 00000002.00000002.2610479189.0000000000988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\InstallUtil.pdba8 source: InstallUtil.exe, 00000002.00000002.2610479189.0000000000988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2610479189.0000000000988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdb(M source: InstallUtil.exe, 00000002.00000002.2609969864.0000000000588000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: 7vlUtil.pdbl source: InstallUtil.exe, 00000002.00000002.2610479189.0000000000988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: HP}o8C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2609969864.0000000000588000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2610479189.0000000000988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Xsymbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2609969864.0000000000588000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: InstallUtil.exe, 00000002.00000002.2610479189.0000000000988000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_00A7106F
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_00A7107C
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 4x nop then jmp 052576A6h	0_2_05257300
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 4x nop then jmp 052576A6h	0_2_05257310
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 4x nop then jmp 053C9030h	0_2_053C8F78
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 4x nop then jmp 053C9030h	0_2_053C8F70

Source: global traffic	TCP traffic: 192.168.2.9:53353 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.9:61036 -> 162.159.36.2:53

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa

Source: 8qQwTWK3jx.exe, 00000000.00000002.1374161661.00000000027A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 8qQwTWK3jx.exe, 00000000.00000002.1387855327.0000000005050000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: 8qQwTWK3jx.exe, 00000000.00000002.1387855327.0000000005050000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: 8qQwTWK3jx.exe, 00000000.00000002.1387855327.0000000005050000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: 8qQwTWK3jx.exe, 00000000.00000002.1387855327.0000000005050000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: 8qQwTWK3jx.exe, 00000000.00000002.1387855327.0000000005050000.00000004.08000000.00040000.00000000.sdmp, 8qQwTWK3jx.exe, 00000000.00000002.1374161661.00000000027A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: 8qQwTWK3jx.exe, 00000000.00000002.1387855327.0000000005050000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_053CD1C0 NtResumeThread,	0_2_053CD1C0
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_053CA8B8 NtProtectVirtualMemory,	0_2_053CA8B8
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_053CD1BF NtResumeThread,	0_2_053CD1BF
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_053CD1B8 NtResumeThread,	0_2_053CD1B8
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_053CA8B0 NtProtectVirtualMemory,	0_2_053CA8B0

Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_00A70CE8	0_2_00A70CE8
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_00A70CDC	0_2_00A70CDC
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_00A71673	0_2_00A71673
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_04D73C98	0_2_04D73C98
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_04D76228	0_2_04D76228
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_04D7E3F0	0_2_04D7E3F0
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_04D77B9B	0_2_04D77B9B
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_04D7F490	0_2_04D7F490
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_04D7C090	0_2_04D7C090
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_04D7C080	0_2_04D7C080
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_04D73854	0_2_04D73854
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_04D702E0	0_2_04D702E0
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_04D70350	0_2_04D70350
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_04D70360	0_2_04D70360
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_050B2CB0	0_2_050B2CB0
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_050B42B8	0_2_050B42B8
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_050B2FD7	0_2_050B2FD7
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_050C7AD0	0_2_050C7AD0
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_050C6468	0_2_050C6468
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_050C0039	0_2_050C0039
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_050C0040	0_2_050C0040
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_05251DE0	0_2_05251DE0
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_0525ECC8	0_2_0525ECC8
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_05257300	0_2_05257300
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_05257310	0_2_05257310
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_0525ECBB	0_2_0525ECBB
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_05250FB0	0_2_05250FB0
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_05250A60	0_2_05250A60
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_053C6FB0	0_2_053C6FB0
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_053C6FAB	0_2_053C6FAB
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_053C0620	0_2_053C0620
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_053C0610	0_2_053C0610
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_053EE598	0_2_053EE598
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_053D0006	0_2_053D0006
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_053D0040	0_2_053D0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00B16D30	2_2_00B16D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00B12E81	2_2_00B12E81
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00B141E0	2_2_00B141E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00B141D1	2_2_00B141D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00B13234	2_2_00B13234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00B16CCD	2_2_00B16CCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00B12E81	2_2_00B12E81
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_04B908B8	2_2_04B908B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_04B900B1	2_2_04B900B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_04B90EB0	2_2_04B90EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_04B908B8	2_2_04B908B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_04B900ED	2_2_04B900ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_04B90EC0	2_2_04B90EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_04B90428	2_2_04B90428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_04B907B6	2_2_04B907B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_04B9037E	2_2_04B9037E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_04B9036B	2_2_04B9036B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7928 -s 1144

Source: 8qQwTWK3jx.exe, 00000000.00000002.1387295556.0000000004F97000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKikwrpte.exe2 vs 8qQwTWK3jx.exe
Source: 8qQwTWK3jx.exe, 00000000.00000002.1374161661.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUrmxc.exe" vs 8qQwTWK3jx.exe
Source: 8qQwTWK3jx.exe, 00000000.00000002.1387855327.0000000005050000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 8qQwTWK3jx.exe
Source: 8qQwTWK3jx.exe, 00000000.00000002.1371696849.00000000007FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 8qQwTWK3jx.exe
Source: 8qQwTWK3jx.exe, 00000000.00000002.1374161661.00000000027A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs 8qQwTWK3jx.exe
Source: 8qQwTWK3jx.exe, 00000000.00000002.1374161661.00000000027A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUrmxc.exe" vs 8qQwTWK3jx.exe
Source: 8qQwTWK3jx.exe, 00000000.00000002.1389792878.00000000056F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 8qQwTWK3jx.exe
Source: 8qQwTWK3jx.exe	Binary or memory string: OriginalFilenameKikwrpte.exe2 vs 8qQwTWK3jx.exe

Source: 8qQwTWK3jx.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 8qQwTWK3jx.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Current.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 8qQwTWK3jx.exe, Current.exe.0.dr	Binary or memory string: .sln
Source: 8qQwTWK3jx.exe, Current.exe.0.dr	Binary or memory string: .csproj.css
Source: 8qQwTWK3jx.exe, Current.exe.0.dr	Binary or memory string: .vbproj.vbs

Source: classification engine

Classification label: mal100.expl.evad.winEXE@4/3@1/0

Source: C:\Users\user\Desktop\8qQwTWK3jx.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Current.vbs

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8064:64:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\5b526191-c28d-4efd-beaa-951bc0a7aab9

Jump to behavior

Source: 8qQwTWK3jx.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 8qQwTWK3jx.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\8qQwTWK3jx.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 8qQwTWK3jx.exe	ReversingLabs: Detection: 82%
Source: 8qQwTWK3jx.exe	Virustotal: Detection: 66%

Source: 8qQwTWK3jx.exe

String found in binary or memory: .aiff.airwapplication/vnd.adobe.air-application-installer-package+zip

Source: C:\Users\user\Desktop\8qQwTWK3jx.exe

File read: C:\Users\user\Desktop\8qQwTWK3jx.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\8qQwTWK3jx.exe "C:\Users\user\Desktop\8qQwTWK3jx.exe"
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7928 -s 1144
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\8qQwTWK3jx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\8qQwTWK3jx.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 8qQwTWK3jx.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 8qQwTWK3jx.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 8qQwTWK3jx.exe

Static file information: File size 1522688 > 1048576

Source: 8qQwTWK3jx.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x173200

Source: 8qQwTWK3jx.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: InstallUtil.pdb>>< source: InstallUtil.exe, 00000002.00000002.2614829887.0000000004DF0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb) source: InstallUtil.exe, 00000002.00000002.2610479189.0000000000988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdba source: InstallUtil.exe, 00000002.00000002.2610479189.0000000000910000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb1 source: InstallUtil.exe, 00000002.00000002.2610479189.0000000000988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2610479189.0000000000988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 8qQwTWK3jx.exe, 00000000.00000002.1389792878.00000000056F0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: ((.pdb source: InstallUtil.exe, 00000002.00000002.2609969864.0000000000588000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 8qQwTWK3jx.exe, 00000000.00000002.1389792878.00000000056F0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdbn source: InstallUtil.exe, 00000002.00000002.2610479189.0000000000910000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: 8qQwTWK3jx.exe, 00000000.00000002.1387855327.0000000005050000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: 8qQwTWK3jx.exe, 00000000.00000002.1387855327.0000000005050000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbk source: InstallUtil.exe, 00000002.00000002.2610479189.0000000000988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2614829887.0000000004DF0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2610479189.0000000000988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: o.pdb source: InstallUtil.exe, 00000002.00000002.2609969864.0000000000588000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: oC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2609969864.0000000000588000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdb source: InstallUtil.exe, 00000002.00000002.2610479189.0000000000988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2614829887.0000000004DF0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2610479189.0000000000988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2610479189.0000000000988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\InstallUtil.pdbd source: InstallUtil.exe, 00000002.00000002.2610479189.0000000000988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb. source: InstallUtil.exe, 00000002.00000002.2610479189.0000000000988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\InstallUtil.pdba8 source: InstallUtil.exe, 00000002.00000002.2610479189.0000000000988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2610479189.0000000000988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdb(M source: InstallUtil.exe, 00000002.00000002.2609969864.0000000000588000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: 7vlUtil.pdbl source: InstallUtil.exe, 00000002.00000002.2610479189.0000000000988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: HP}o8C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2609969864.0000000000588000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2610479189.0000000000988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Xsymbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2609969864.0000000000588000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: InstallUtil.exe, 00000002.00000002.2610479189.0000000000988000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.8qQwTWK3jx.exe.50d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1388208463.00000000050D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1374161661.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 8qQwTWK3jx.exe PID: 7844, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7928, type: MEMORYSTR

Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_00A76580 push esp; iretd	0_2_00A7658E
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_00A75543 push esp; iretd	0_2_00A75544
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_04D79B7E push esp; iretd	0_2_04D79B7F
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_050B80A8 push ss; iretd	0_2_050B80AA
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_050B8203 push ss; iretd	0_2_050B820C
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_050BD9E1 push 78051B0Dh; iretd	0_2_050BD9ED
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_050C4785 push ss; iretd	0_2_050C478C
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_050CB146 push ecx; iretd	0_2_050CB149
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_050C2A23 push BA007D6Dh; ret	0_2_050C2A2D
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_050C02EA push BA007D6Dh; retn 0002h	0_2_050C02EF
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_0525D7A2 push cs; ret	0_2_0525D7C1
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_053D3DFA push ss; ret	0_2_053D3E00
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_053D3C01 push ss; iretd	0_2_053D3C03
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Code function: 0_2_053D3BF4 push ss; iretd	0_2_053D3BF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00B11132 push ss; iretd	2_2_00B11133
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00B17BC3 push esp; iretd	2_2_00B17BC4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00B15513 push esp; iretd	2_2_00B15514
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00B15F08 push esp; iretd	2_2_00B15F2F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_04B92E8D push ecx; iretd	2_2_04B92E8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_04B92ED7 push ecx; iretd	2_2_04B92ED9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_04B94608 push ecx; iretd	2_2_04B94614
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_04B93536 push esp; iretd	2_2_04B93537

Source: 8qQwTWK3jx.exe	Static PE information: section name: .text entropy: 7.912171078573269
Source: Current.exe.0.dr	Static PE information: section name: .text entropy: 7.912171078573269

Source: C:\Users\user\Desktop\8qQwTWK3jx.exe

File created: C:\Users\user\AppData\Roaming\Current.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\Desktop\8qQwTWK3jx.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Current.vbs

Jump to dropped file

Source: C:\Users\user\Desktop\8qQwTWK3jx.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Current.vbs

Jump to behavior

Source: C:\Users\user\Desktop\8qQwTWK3jx.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Current.vbs

Jump to behavior

Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: 8qQwTWK3jx.exe PID: 7844, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 8qQwTWK3jx.exe, 00000000.00000002.1374161661.00000000027A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: EXPLORER SBIEDLL.DLL!CUCKOOMON.DLL"WIN32_PROCESS.HANDLE='{0}'#PARENTPROCESSID$CMD%SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE&VERSION'SERIALNUMBER)VMWARE\|VIRTUAL\|A M I\|XENSELECT FROM WIN32_COMPUTERSYSTEM+MANUFACTURER,MODEL-MICROSOFT\|VMWARE\|VIRTUAL.JOHN/ANNA0XXXXXXXX
Source: 8qQwTWK3jx.exe, 00000000.00000002.1374161661.00000000027A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Memory allocated: A30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Memory allocated: 27A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Memory allocated: 25A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: B10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 24E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 44E0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\8qQwTWK3jx.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS

Source: C:\Users\user\Desktop\8qQwTWK3jx.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem

Source: 8qQwTWK3jx.exe, 00000000.00000002.1374161661.00000000027A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: 8qQwTWK3jx.exe, 00000000.00000002.1374161661.00000000027A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q 1:en-CH:Microsoft\|VMWare\|Virtual
Source: 8qQwTWK3jx.exe, 00000000.00000002.1374161661.00000000027A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: 8qQwTWK3jx.exe, 00000000.00000002.1374161661.00000000027A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q 1:en-CH:VMware\|VIRTUAL\|A M I\|Xen
Source: 8qQwTWK3jx.exe, 00000000.00000002.1374161661.00000000027A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: 8qQwTWK3jx.exe, 00000000.00000002.1374161661.00000000027A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: explorer SbieDll.dll!cuckoomon.dll"win32_process.handle='{0}'#ParentProcessId$cmd%select * from Win32_BIOS8Unexpected WMI query failure&version'SerialNumber)VMware\|VIRTUAL\|A M I\|Xenselect from Win32_ComputerSystem+manufacturer,model-Microsoft\|VMWare\|Virtual.john/anna0xxxxxxxx

Source: C:\Users\user\Desktop\8qQwTWK3jx.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\8qQwTWK3jx.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\8qQwTWK3jx.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 5C0000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 5C0000	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 5C2000	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 640000	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 642000	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 29C008	Jump to behavior

Source: C:\Users\user\Desktop\8qQwTWK3jx.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

Jump to behavior

Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Queries volume information: C:\Users\user\Desktop\8qQwTWK3jx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\8qQwTWK3jx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\8qQwTWK3jx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	2 Windows Management Instrumentation	1 Scripting	211 Process Injection	1 Masquerading	OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	2 Registry Run Keys / Startup Folder	2 Registry Run Keys / Startup Folder	3 Virtualization/Sandbox Evasion	LSASS Memory	3 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	211 Process Injection	NTDS	32 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
8qQwTWK3jx.exe	83%	ReversingLabs	Win32.Trojan.Leonem
8qQwTWK3jx.exe	66%	Virustotal		Browse
8qQwTWK3jx.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Current.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Current.exe	83%	ReversingLabs	Win32.Trojan.Leonem
C:\Users\user\AppData\Roaming\Current.exe	66%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		high
206.23.85.13.in-addr.arpa	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://github.com/mgravell/protobuf-net	8qQwTWK3jx.exe, 00000000.00000002.1387855327.0000000005050000.00000004.08000000.00040000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-neti	8qQwTWK3jx.exe, 00000000.00000002.1387855327.0000000005050000.00000004.08000000.00040000.00000000.sdmp	false	high
https://stackoverflow.com/q/14436606/23354	8qQwTWK3jx.exe, 00000000.00000002.1387855327.0000000005050000.00000004.08000000.00040000.00000000.sdmp, 8qQwTWK3jx.exe, 00000000.00000002.1374161661.00000000027A1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-netJ	8qQwTWK3jx.exe, 00000000.00000002.1387855327.0000000005050000.00000004.08000000.00040000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	8qQwTWK3jx.exe, 00000000.00000002.1374161661.00000000027A1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	8qQwTWK3jx.exe, 00000000.00000002.1387855327.0000000005050000.00000004.08000000.00040000.00000000.sdmp	false	high
https://stackoverflow.com/q/2152978/23354	8qQwTWK3jx.exe, 00000000.00000002.1387855327.0000000005050000.00000004.08000000.00040000.00000000.sdmp	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588167
Start date and time:	2025-01-10 22:08:29 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	8qQwTWK3jx.exe renamed because original name is a hash value
Original Sample Name:	f35ce728a584e05ae638cee5ed5a109d2911a79d96244357b52be848cc0308f8.exe
Detection:	MAL
Classification:	mal100.expl.evad.winEXE@4/3@1/0
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 91% Number of executed functions: 194 Number of non-executed functions: 28
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 172.202.163.200, 13.85.23.206, 20.12.23.50
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target InstallUtil.exe, PID 7928 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:09:26	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Current.vbs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	1018617432866721695.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8f	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	hm8dCK5P5A.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8f	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	upXUt2jZ0S.exe	Get hash	malicious	Snake Keylogger	Browse	13.107.246.45
	247714231173424547.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	984279432356016169.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	https://cocteldedeas.mx/rx567#cmVjaWJhc2VAc2VhbWFyaXRpbWEuY29t	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	I3LPkQh2an.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	295963673155714664.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45

Process:	C:\Users\user\Desktop\8qQwTWK3jx.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1522688
Entropy (8bit):	7.908860553294325
Encrypted:	false
SSDEEP:	24576:McibFgl+c4d5+kNfG+AEkS37V6xdPdZyb+VJs2CYGm7qnedhlvAfhCP0KF:QbQ+c4PNzkS37kPdob+VJgYGcq26fO0g
MD5:	01B0429B0912380FD5D2DF6DE3EE9E06
SHA1:	FF819EC87FC8A86E4081B9B916884952A70F19F4
SHA-256:	F35CE728A584E05AE638CEE5ED5A109D2911A79D96244357B52BE848CC0308F8
SHA-512:	BDD55D69B0B927C54B7E0FB70C4CEDDD4BFFD5C03D26D216FCFDE9743995FEB89871F1FE04549A02EEBC1EE7ECE55B6E1F142FD51D1B9711712C7DCCE79E8A16
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83% Antivirus: Virustotal, Detection: 66%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...nDYg.................2...........Q... ...`....@.. ....................................`..................................P..S....`............................................................................... ............... ..H............text...41... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............:..............@..B.................Q......H....... ....Y..........DJ..................................................0.w,a..Q....m...jp5.c.d.2......y.......+L...\|.~.-.....d.... .jHq...A..}......mQ.....V.l...kdz.b...e.O\...l.cc=....... n;^.iL.A`.rqg....<G..K....k......5l..B...@....l.2u\.E....Y=..0.&:..Q.Q...a....!#.V...........(..._....$....\|o/.LhX..a.=-f..A.v.q... .*....q......3....x4............j.-=m..ld..\c..Qkkbal..0e.N.b...l{.......W.....eP....\|......bI-...\|.eL..Xa.M.Q.:t....0..A..J..=

C:\Users\user\AppData\Roaming\Current.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\8qQwTWK3jx.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Current.vbs

Download File

Process:	C:\Users\user\Desktop\8qQwTWK3jx.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	81
Entropy (8bit):	4.6440691826834986
Encrypted:	false
SSDEEP:	3:FER/n0eFHHoqLTVSREaKC5+kAHn:FER/lFHIqLTwiaZ5+JH
MD5:	7A9C721233C7B9A637FC673E7C6554AC
SHA1:	B0C75DB5DCCE7E0A796763D5B37C79647336FDB5
SHA-256:	FDCFA96844580356F970A9E76F2D7051A26EA1737C62242923F325E4C98FD215
SHA-512:	78C9F1A33E5D962DFB7237E69048A0A37B7CDF3FA345A176ACC28E1D40969B5B8DFF236F8C9043D847C3A65FE7BFF29A01D27C77BFBECF29C0FD278B8C366FC1
Malicious:	true
Reputation:	low
Preview:	CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\Current.exe"""

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.908860553294325
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	8qQwTWK3jx.exe
File size:	1'522'688 bytes
MD5:	01b0429b0912380fd5d2df6de3ee9e06
SHA1:	ff819ec87fc8a86e4081b9b916884952a70f19f4
SHA256:	f35ce728a584e05ae638cee5ed5a109d2911a79d96244357b52be848cc0308f8
SHA512:	bdd55d69b0b927c54b7e0fb70c4ceddd4bffd5c03d26d216fcfde9743995feb89871f1fe04549a02eebc1ee7ece55b6e1f142fd51d1b9711712c7dcce79e8a16
SSDEEP:	24576:McibFgl+c4d5+kNfG+AEkS37V6xdPdZyb+VJs2CYGm7qnedhlvAfhCP0KF:QbQ+c4PNzkS37kPdob+VJgYGcq26fO0g
TLSH:	1265121872EDC767E2E7AFBD946231028B7A7846D453CF990C9950CD04B37488A63B7B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...nDYg.................2...........Q... ...`....@.. ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x57512e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6759446E [Wed Dec 11 07:51:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1750d8	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x176000	0x5a6	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x178000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x173134	0x173200	a858ac6367c23143a03b17bea74703f8	False	0.933347718086898	data	7.912171078573269	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x176000	0x5a6	0x600	b3d1156a301fd573df29be1923d4ee57	False	0.416015625	data	4.081668690532946	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x178000	0xc	0x200	a32a967665be12d6a00b866004c77f96	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x1760a0	0x31c	data			0.42839195979899497
RT_MANIFEST	0x1763bc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 22:09:41.783160925 CET	53353	53	192.168.2.9	1.1.1.1
Jan 10, 2025 22:09:41.788014889 CET	53	53353	1.1.1.1	192.168.2.9
Jan 10, 2025 22:09:41.788171053 CET	53353	53	192.168.2.9	1.1.1.1
Jan 10, 2025 22:09:41.793016911 CET	53	53353	1.1.1.1	192.168.2.9
Jan 10, 2025 22:09:42.233401060 CET	53353	53	192.168.2.9	1.1.1.1
Jan 10, 2025 22:09:42.238404989 CET	53	53353	1.1.1.1	192.168.2.9
Jan 10, 2025 22:09:42.238648891 CET	53353	53	192.168.2.9	1.1.1.1
Jan 10, 2025 22:09:56.298695087 CET	61036	53	192.168.2.9	162.159.36.2
Jan 10, 2025 22:09:56.303705931 CET	53	61036	162.159.36.2	192.168.2.9
Jan 10, 2025 22:09:56.303837061 CET	61036	53	192.168.2.9	162.159.36.2
Jan 10, 2025 22:09:56.309010029 CET	53	61036	162.159.36.2	192.168.2.9
Jan 10, 2025 22:09:56.749730110 CET	61036	53	192.168.2.9	162.159.36.2
Jan 10, 2025 22:09:56.754790068 CET	53	61036	162.159.36.2	192.168.2.9
Jan 10, 2025 22:09:56.754842997 CET	61036	53	192.168.2.9	162.159.36.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 22:09:41.782686949 CET	53	53748	1.1.1.1	192.168.2.9
Jan 10, 2025 22:09:56.297955036 CET	53	50892	162.159.36.2	192.168.2.9
Jan 10, 2025 22:09:56.771651983 CET	60967	53	192.168.2.9	1.1.1.1
Jan 10, 2025 22:09:56.778961897 CET	53	60967	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 22:09:56.771651983 CET	192.168.2.9	1.1.1.1	0x5eeb	Standard query (0)	206.23.85.13.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 22:09:18.929588079 CET	1.1.1.1	192.168.2.9	0x612d	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 22:09:18.929588079 CET	1.1.1.1	192.168.2.9	0x612d	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:09:56.778961897 CET	1.1.1.1	192.168.2.9	0x5eeb	Name error (3)	206.23.85.13.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Target ID:	0
Start time:	16:09:21
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\8qQwTWK3jx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\8qQwTWK3jx.exe"
Imagebase:	0x160000
File size:	1'522'688 bytes
MD5 hash:	01B0429B0912380FD5D2DF6DE3EE9E06
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1388208463.00000000050D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1374161661.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:09:23
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x1f0000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	16:09:24
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7928 -s 1144
Imagebase:	0xd90000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3%
Total number of Nodes:	395
Total number of Limit Nodes:	7

Executed Functions

Function 04D76228 Relevance: 86.4, Strings: 68, Instructions: 1353
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

hm}, xrefs: 04D76B36
hm}, xrefs: 04D7673A
hm}, xrefs: 04D768BE
hm}, xrefs: 04D765C4
hm}, xrefs: 04D76A10
hm}, xrefs: 04D76FA2
hm}, xrefs: 04D7660A
hm}, xrefs: 04D76B9D
hm}, xrefs: 04D76FCE
hm}, xrefs: 04D779F9
hm}, xrefs: 04D7669B
hm}, xrefs: 04D76DE9
hm}, xrefs: 04D764C6
hm}, xrefs: 04D76E15
hm}, xrefs: 04D76C5C
hm}, xrefs: 04D775C2
hm}, xrefs: 04D773C8
hm}, xrefs: 04D77306
hm}, xrefs: 04D76BC9
hm}, xrefs: 04D778A0
hm}, xrefs: 04D77674
hm}, xrefs: 04D77B6F
hm}, xrefs: 04D77A75
hm}, xrefs: 04D76538
hm}, xrefs: 04D7645A
hm}, xrefs: 04D7640E
hm}, xrefs: 04D768EA
hm}, xrefs: 04D76651
hm}, xrefs: 04D77035
hm}, xrefs: 04D76398
hm}, xrefs: 04D770C8
hm}, xrefs: 04D76857
hm}, xrefs: 04D76F0F
hm}, xrefs: 04D76AA3
hm}, xrefs: 04D76B0A
hm}, xrefs: 04D77629
hm}, xrefs: 04D769E4
hm}, xrefs: 04D7791D
hm}, xrefs: 04D76F3B
hm}, xrefs: 04D772C0
hm}, xrefs: 04D77573
hm}, xrefs: 04D770F4
hm}, xrefs: 04D76A77
hm}, xrefs: 04D77760
hm}, xrefs: 04D771A2
hm}, xrefs: 04D76367
hm}, xrefs: 04D774DD
hm}, xrefs: 04D764F2
hm}, xrefs: 04D7740E
hm}, xrefs: 04D76951
hm}, xrefs: 04D767AC
hm}, xrefs: 04D7750F
hm}, xrefs: 04D76C30
hm}, xrefs: 04D76CC3
2, xrefs: 04D77216
hm}, xrefs: 04D77061
hm}, xrefs: 04D7657E
hm}, xrefs: 04D76E7C
hm}, xrefs: 04D7681C
hm}, xrefs: 04D76D56
hm}, xrefs: 04D7697D
hm}, xrefs: 04D76CEF
hm}, xrefs: 04D77454
hm}, xrefs: 04D76EA8
hm}, xrefs: 04D7798B
hm}, xrefs: 04D77832
hm}, xrefs: 04D776A5
hm}, xrefs: 04D76D82

Memory Dump Source

Source File: 00000000.00000002.1386533381.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d70000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID: 2$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}
API String ID: 0-3826879970
Opcode ID: 587e33b32ba5bbd85dab31a9cd9bef6bcc0c45d04e97bca5f75793d50369a806
Instruction ID: d6a2ea888cfc99503d09d93d711c408c21ab7a083a1d232e17c6b1e7aea1dbaf
Opcode Fuzzy Hash: 587e33b32ba5bbd85dab31a9cd9bef6bcc0c45d04e97bca5f75793d50369a806
Instruction Fuzzy Hash: 26E2B5B4A05628CFDB64DF68D884B99B7F6FB89301F1081EAD409A7355DB34AE81CF50

Function 04D77B9B Relevance: 21.8, Strings: 17, Instructions: 539
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

hm}, xrefs: 04D780E6
hm}, xrefs: 04D7819F
hm}, xrefs: 04D78228
hm}, xrefs: 04D78003
hm}, xrefs: 04D77CD8
hm}, xrefs: 04D77C62
hm}, xrefs: 04D77F7F
hm}, xrefs: 04D77D2A
hm}, xrefs: 04D77CAC
hm}, xrefs: 04D77BE6
hm}, xrefs: 04D77DE8
hm}, xrefs: 04D77F4D
hm}, xrefs: 04D785EC
hm}, xrefs: 04D785AA
hm}, xrefs: 04D78124
hm}, xrefs: 04D77E61
hm}, xrefs: 04D77EA5

Memory Dump Source

Source File: 00000000.00000002.1386533381.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d70000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID: hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}
API String ID: 0-2941558317
Opcode ID: 8133c1ff6bb74df2bbe21c2016fde0847db85e1ec6a602fc7e8cf223c8910644
Instruction ID: 958d13bdb876328511209b3dc1fe2b1a33ffd2f40cadf89e8c8654a8e685b829
Opcode Fuzzy Hash: 8133c1ff6bb74df2bbe21c2016fde0847db85e1ec6a602fc7e8cf223c8910644
Instruction Fuzzy Hash: 8452B2B4A00628CFDB64DF28D988B9AB7B2FB49301F1081E9D50DA7355DB34AE81CF51

Function 053C6FB0 Relevance: 15.6, Strings: 12, Instructions: 615
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

hm}, xrefs: 053C7672
hm}, xrefs: 053C76A4
hm}, xrefs: 053C7047
hm}, xrefs: 053C7406
8, xrefs: 053C70BA
hm}, xrefs: 053C7018
hm}, xrefs: 053C7898
hm}, xrefs: 053C734B
hm}, xrefs: 053C747D
hm}, xrefs: 053C71A6
hm}, xrefs: 053C7989
hm}, xrefs: 053C7139

Memory Dump Source

Source File: 00000000.00000002.1389455470.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID: 8$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}
API String ID: 0-179163989
Opcode ID: 33043b665d9e2cb5c8a532e4a5f977c6fc5eefb4aebf2de4734f13d35f76bcfa
Instruction ID: 6d751f981f6f2368449568c3a6b0e1469d6261f12ef4eb19518352cb1632d2ec
Opcode Fuzzy Hash: 33043b665d9e2cb5c8a532e4a5f977c6fc5eefb4aebf2de4734f13d35f76bcfa
Instruction Fuzzy Hash: 5252C575E00629CFDB64DF69C854AD9B7B2FB89300F1085EAD809A7355DB70AE81CF90

Function 04D7E3F0 Relevance: 15.5, Strings: 12, Instructions: 454
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

hm}, xrefs: 04D7E596
hm}, xrefs: 04D7E55E
hm}, xrefs: 04D7E8FA
hm}, xrefs: 04D7E52C
hm}, xrefs: 04D7E638
hm}, xrefs: 04D7E77D
hm}, xrefs: 04D7E9BC
hm}, xrefs: 04D7E74B
hm}, xrefs: 04D7E66A
hm}, xrefs: 04D7E86E
hm}, xrefs: 04D7E48A
hm}, xrefs: 04D7E4DA

Memory Dump Source

Source File: 00000000.00000002.1386533381.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d70000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID: hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}$hm}
API String ID: 0-2004070249
Opcode ID: 62723d8246bb48c4c56e5c31584334d4e11e89cb404f79f63596cc2c8e9eb5ff
Instruction ID: 75eeceb4e053476044c31d9b070ebce84f54e665242e216246d67af3268d6077
Opcode Fuzzy Hash: 62723d8246bb48c4c56e5c31584334d4e11e89cb404f79f63596cc2c8e9eb5ff
Instruction Fuzzy Hash: 0F12E274A05218CFEB64DF69D854BA9B7F2FB89300F1080EAD449A7355EB38AD85CF11

Function 053C6FAB Relevance: 6.4, Strings: 5, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

hm}, xrefs: 053C7047
hm}, xrefs: 053C7018
h, xrefs: 053C70AE
hm}, xrefs: 053C71A6
hm}, xrefs: 053C7139

Memory Dump Source

Source File: 00000000.00000002.1389455470.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID: h$hm}$hm}$hm}$hm}
API String ID: 0-3887555789
Opcode ID: b0e4735433cbb9d71247de8e2d2441b2fc2bebb191c2abca2332e363884acb33
Instruction ID: c677df098cf5d05d795fad21543cac3d995625c2ba43a3d862e5df7430851a7d
Opcode Fuzzy Hash: b0e4735433cbb9d71247de8e2d2441b2fc2bebb191c2abca2332e363884acb33
Instruction Fuzzy Hash: C371C575E00628CBEB24DFA9D850BD9B7B2FF89300F50C1AAD909A7254DB746E85CF50

Function 0525ECC8 Relevance: 5.3, Strings: 4, Instructions: 274
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

hm}, xrefs: 0525EF1D
hm}, xrefs: 0525EE5A
hm}, xrefs: 0525EEF3
hm}, xrefs: 0525ED46

Memory Dump Source

Source File: 00000000.00000002.1389133384.0000000005250000.00000040.00000800.00020000.00000000.sdmp, Offset: 05250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5250000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID: hm}$hm}$hm}$hm}
API String ID: 0-2943400445
Opcode ID: 5a56b775ed4a691cc4a379d53486ee61dedfeef3d07c0b2276fec20572cc22cf
Instruction ID: 1a7883403a16ad93deb104821cf6e4bdaf44861505755cbb790455ac2789a760
Opcode Fuzzy Hash: 5a56b775ed4a691cc4a379d53486ee61dedfeef3d07c0b2276fec20572cc22cf
Instruction Fuzzy Hash: BEC106B4E15218CFDB14DFA9D844BADBBF6BF89320F2081AAD809A7345DB745985CF10

Function 0525ECBB Relevance: 5.3, Strings: 4, Instructions: 272
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

hm}, xrefs: 0525EF1D
hm}, xrefs: 0525EE5A
hm}, xrefs: 0525EEF3
hm}, xrefs: 0525ED46

Memory Dump Source

Source File: 00000000.00000002.1389133384.0000000005250000.00000040.00000800.00020000.00000000.sdmp, Offset: 05250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5250000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID: hm}$hm}$hm}$hm}
API String ID: 0-2943400445
Opcode ID: d184adc260613e025f0852d355cbeda15e41cc8afd232e1d423728bdf6ec6a28
Instruction ID: 68271900e7516b365056b2b52fdbdaaf0b609ee3c1c496ade96b7c199e5b5fd6
Opcode Fuzzy Hash: d184adc260613e025f0852d355cbeda15e41cc8afd232e1d423728bdf6ec6a28
Instruction Fuzzy Hash: 9AC115B4E15218CFDB14DFA9D844BADBBF6BF89310F2081AAD808A7344DB749985CF10

Function 050B2CB0 Relevance: 2.4, Strings: 1, Instructions: 1171COMMON

Download Yara Rule

Strings

4, xrefs: 050B3685

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: c0a3e8d2c939650ced5350089b25ab2eb65bdca859010df1a8b2c7e15e242627
Instruction ID: da30dcc4f7d80f459dd54b5f195045e87689cbdb60b8db29410d219a63f49bfe
Opcode Fuzzy Hash: c0a3e8d2c939650ced5350089b25ab2eb65bdca859010df1a8b2c7e15e242627
Instruction Fuzzy Hash: 72B2F734A00218CFEB54DFA4D894BADB7B6FB88700F258599E505AB3A5CBB0ED41CF50

Function 04D73C98 Relevance: 2.2, Strings: 1, Instructions: 983COMMON

Download Yara Rule

Strings

A9D, xrefs: 04D74075

Memory Dump Source

Source File: 00000000.00000002.1386533381.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d70000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID: A9D
API String ID: 0-624094898
Opcode ID: 90a837cb2aa56e72e558b8da60d43c98d8e005be96869822a391a103b9b5c21a
Instruction ID: 9b39ebb4f0171c3f90faeed2136335eba3855cd9f7104e0f82686ab248e38e78
Opcode Fuzzy Hash: 90a837cb2aa56e72e558b8da60d43c98d8e005be96869822a391a103b9b5c21a
Instruction Fuzzy Hash: E5A2B675A00628CFDB65CF69C984AD9BBB2FF89304F1581E9D509AB325D731AE81CF40

Function 050B2FD7 Relevance: 1.7, Strings: 1, Instructions: 495COMMON

Download Yara Rule

Strings

4, xrefs: 050B3685

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 14047e43d856acaa2c453ead4911caefc4ba05a4fe4c07a20d40e554e59c8afe
Instruction ID: c4e023fc1f2536d559b3389d1f34ea18d4fbca447b5137cd8387a6043d240b66
Opcode Fuzzy Hash: 14047e43d856acaa2c453ead4911caefc4ba05a4fe4c07a20d40e554e59c8afe
Instruction Fuzzy Hash: EE22E674A00218CFEB64DFA4D994BEDB7B6BF88300F248599D509AB395DB70AD81CF50

Function 053CA8B0 Relevance: 1.6, APIs: 1, Instructions: 107nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 053CA96D

Memory Dump Source

Source File: 00000000.00000002.1389455470.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53c0000_8qQwTWK3jx.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 0129c72a59f1821be6cb416fe4c11187f6caaa28c1f7f0c0df1b9d4d030084c8
Instruction ID: 2401a8dc5174cb13cd575e9c111c1fef4de9a92bd9065248ad7d387d117d2d31
Opcode Fuzzy Hash: 0129c72a59f1821be6cb416fe4c11187f6caaa28c1f7f0c0df1b9d4d030084c8
Instruction Fuzzy Hash: 394198B9D0421C9FCF10CFAAD884ADEFBB1BB09310F10942AE819BB210D775A905CF65

Function 053CA8B8 Relevance: 1.6, APIs: 1, Instructions: 105nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 053CA96D

Memory Dump Source

Source File: 00000000.00000002.1389455470.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53c0000_8qQwTWK3jx.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 964aa92fa34d31c725b55cc411071a69476dbb0d48bc439918dd3b8fcfa39928
Instruction ID: 9d99893c722b05896ae79d4c701efbbc071e56733f5c7dbc8fa7e614333e10cb
Opcode Fuzzy Hash: 964aa92fa34d31c725b55cc411071a69476dbb0d48bc439918dd3b8fcfa39928
Instruction Fuzzy Hash: 1E4187B9D0425C9FCF10CFAAD880ADEFBB1BB09310F14902AE819BB210D775A945CF64

Function 053CD1B8 Relevance: 1.6, APIs: 1, Instructions: 84nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 053CD24E

Memory Dump Source

Source File: 00000000.00000002.1389455470.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53c0000_8qQwTWK3jx.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 4fc5d69b94ec11a87ca2d323b0f260b002ce48bc109d2b0e13ae52ad07172b82
Instruction ID: 0e1287a613f0b5e5e57b8eaa72b4ff0e365a100f6b30b301d0b62faae253c6e0
Opcode Fuzzy Hash: 4fc5d69b94ec11a87ca2d323b0f260b002ce48bc109d2b0e13ae52ad07172b82
Instruction Fuzzy Hash: 7031CAB4D052589FCB10CFAAD980ADEFBF1FB49310F14942AE815B7200C775A945CF94

Function 053CD1C0 Relevance: 1.6, APIs: 1, Instructions: 82nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 053CD24E

Memory Dump Source

Source File: 00000000.00000002.1389455470.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53c0000_8qQwTWK3jx.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f95f79dbd2adbb8d3e42f2364459058310c71c15099b6636fe3441935a270676
Instruction ID: fd6b265a7f97ae969f016ad5d6f0c936c204f39d742018bcc77bc940f26b882d
Opcode Fuzzy Hash: f95f79dbd2adbb8d3e42f2364459058310c71c15099b6636fe3441935a270676
Instruction Fuzzy Hash: 5B31C8B8D052189FCB10CFAAD980ADEFBF1BB49310F24842AE819B7200C775A905CF94

Function 053CD1BF Relevance: 1.6, APIs: 1, Instructions: 80nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 053CD24E

Memory Dump Source

Source File: 00000000.00000002.1389455470.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53c0000_8qQwTWK3jx.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b550df19e8baeb3ca9157587fb9ecdae2042f28fc8299a373cae8eef9889ea45
Instruction ID: 9cac1dfe9fffd8137b05f68fa24b6f457c0328623ddb37a32e480b8fa3640c9e
Opcode Fuzzy Hash: b550df19e8baeb3ca9157587fb9ecdae2042f28fc8299a373cae8eef9889ea45
Instruction Fuzzy Hash: C531A8B9D052189FDB10CFA9D980ADEFBF1BB49310F24942AE819B7200D775A945CF94

Function 05251DE0 Relevance: .4, Instructions: 387COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1389133384.0000000005250000.00000040.00000800.00020000.00000000.sdmp, Offset: 05250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5250000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4aab535a628ce21a59f06cf06807787cdd17028fc99e438ea157c026cb2b48f
Instruction ID: a11fc4f5e43183309bac06f34dad1213d74baa6a88a2ae4b215bcad923b82163
Opcode Fuzzy Hash: a4aab535a628ce21a59f06cf06807787cdd17028fc99e438ea157c026cb2b48f
Instruction Fuzzy Hash: 68F1E474D14229CFDB24CFA8C881BDDBBF1BF49310F1081AAD909A7290EB749A85CF51

Function 050C7AD0 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388151753.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b49044541be1323fad1e26e0851fb39ac5e7947a6ffbffabbc5d0d567a1758e
Instruction ID: 6710eefa93f3241d338a46a2202b960cd40a50897c66a3b294c152357db860d5
Opcode Fuzzy Hash: 1b49044541be1323fad1e26e0851fb39ac5e7947a6ffbffabbc5d0d567a1758e
Instruction Fuzzy Hash: 9FA1C774E05618CFDB54CF69E984BADBBF2FB8A300F2080ADD409A7255DB749985CF50

Function 00A70CDC Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1373518193.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d3beaae2914b5235c82411b7fe0395c8c08cae638b3dd385fb5da0e7c9196f
Instruction ID: d4c5ea64be1a5aaeb2e1d79e3da48cf2b2032e2638192a810bec230c956fdcab
Opcode Fuzzy Hash: 76d3beaae2914b5235c82411b7fe0395c8c08cae638b3dd385fb5da0e7c9196f
Instruction Fuzzy Hash: 49713FB4905644CFE708EF7AE895699BBF2FBC8301F14C16ED0089B2A5EB785806CF55

Function 00A70CE8 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1373518193.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5919ba843a8d97b246530355c3a404d245702e5390ff2bb253b72a4707ada574
Instruction ID: 4e908185953832292b4a0f472dc462e7ffa2f2d0ba131d77686059a92fa59ab7
Opcode Fuzzy Hash: 5919ba843a8d97b246530355c3a404d245702e5390ff2bb253b72a4707ada574
Instruction Fuzzy Hash: FA710FB5A05604CFE708EF7AE88569ABBF2FBC8301F14C12ED0089B265EB785905CF55

Function 050CF3C8 Relevance: 3.8, Strings: 3, Instructions: 97COMMON

Download Yara Rule

Strings

hm}, xrefs: 050CF493
hm}, xrefs: 050CF4BF
hm}, xrefs: 050CF45B

Memory Dump Source

Source File: 00000000.00000002.1388151753.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID: hm}$hm}$hm}
API String ID: 0-1130070429
Opcode ID: ebec03a7276a9fb493098087e9af2a676c554da27e834f5a7f18f9863ba54b50
Instruction ID: 288f54bcbb0445debe17845b46264601e6f10cee849e534131b2754f10330e07
Opcode Fuzzy Hash: ebec03a7276a9fb493098087e9af2a676c554da27e834f5a7f18f9863ba54b50
Instruction Fuzzy Hash: D141D8B4E04609DFDB04DFAAE484AAEBBF2FB89300F10C0A9D515A7354DB3899428F51

Function 053D51F1 Relevance: 3.8, Strings: 3, Instructions: 48COMMON

Download Yara Rule

Strings

hm}, xrefs: 053D527E
hm}, xrefs: 053D520F
hm}, xrefs: 053D52B0

Memory Dump Source

Source File: 00000000.00000002.1389546875.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID: hm}$hm}$hm}
API String ID: 0-1130070429
Opcode ID: 6c589e0f8f911e8b4d2d1a6840edb2f1905a2c333e72acd93013da23a2b267e3
Instruction ID: f74199f105e45fe928b83b679670fb30bf90f2201c6c4ac64cbad10350367eb1
Opcode Fuzzy Hash: 6c589e0f8f911e8b4d2d1a6840edb2f1905a2c333e72acd93013da23a2b267e3
Instruction Fuzzy Hash: 3E21A774A0422CCFDB65DF54D888AE9B7B2FB89301F1081DAE90AA7354C7389E85CF51

Function 05254447 Relevance: 3.1, APIs: 2, Instructions: 69COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000000), ref: 052544B6
GetSystemMetrics.USER32(00000001), ref: 052544F0

Memory Dump Source

Source File: 00000000.00000002.1389133384.0000000005250000.00000040.00000800.00020000.00000000.sdmp, Offset: 05250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5250000_8qQwTWK3jx.jbxd

Similarity

API ID: CallbackDispatcherMetricsSystemUser
String ID:
API String ID: 365337688-0
Opcode ID: 998b37c79676c4d81abdaa32c1b767d302c0ae2f950ec289497b9e17c2147b15
Instruction ID: 163caf3aa3e83734fcc680ad3bb739ad723bde08f3b61d5a767eb53d95babc06
Opcode Fuzzy Hash: 998b37c79676c4d81abdaa32c1b767d302c0ae2f950ec289497b9e17c2147b15
Instruction Fuzzy Hash: 4E3168758143498FEB11CF9AC44979EBFF4FF09318F24805AD449AB351D3B96584CBA1

Function 05254468 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000000), ref: 052544B6
GetSystemMetrics.USER32(00000001), ref: 052544F0

Memory Dump Source

Source File: 00000000.00000002.1389133384.0000000005250000.00000040.00000800.00020000.00000000.sdmp, Offset: 05250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5250000_8qQwTWK3jx.jbxd

Similarity

API ID: CallbackDispatcherMetricsSystemUser
String ID:
API String ID: 365337688-0
Opcode ID: c98607b1e2ed1ab0364fb9637436d7fa5260a34952e00ebf8894c92735467855
Instruction ID: afcb85da9e678e37507771d4497d01f8b81121e28fe634dce5ae2971f23cf806
Opcode Fuzzy Hash: c98607b1e2ed1ab0364fb9637436d7fa5260a34952e00ebf8894c92735467855
Instruction Fuzzy Hash: A721F0B58103498FDB11DF9AC44979EFFF4AB08324F24841AD519A7340D3B96584CBA5

Function 04D913F0 Relevance: 2.8, Strings: 1, Instructions: 1560COMMON

Download Yara Rule

Strings

*q~, xrefs: 04D91DE3, 04D91DEE

Memory Dump Source

Source File: 00000000.00000002.1386582661.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d90000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID: *q~
API String ID: 0-1258426024
Opcode ID: b1f489a31c5fe08f4fe3e76918c0069ad8cdee7650536de715b83d7bd09fc3a6
Instruction ID: 172ef33d0a98a1f40fb611178d97df6aec654fbb7a26caedf979a4574f4aad06
Opcode Fuzzy Hash: b1f489a31c5fe08f4fe3e76918c0069ad8cdee7650536de715b83d7bd09fc3a6
Instruction Fuzzy Hash: C1D26270A09389DFEB16CBA4D858BAE7FB1BF46300F1544DAE141EB2A2C7746C45CB61

Function 053D6BA2 Relevance: 2.6, Strings: 2, Instructions: 56COMMON

Download Yara Rule

Strings

hm}, xrefs: 053D6C69
hm}, xrefs: 053D6BD8

Memory Dump Source

Source File: 00000000.00000002.1389546875.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID: hm}$hm}
API String ID: 0-124673948
Opcode ID: 668b6bde07fff85bf24c14756f6c4b4e50f1b3b83e0442e720fa97365a577521
Instruction ID: cc26856d735408a890e387c059cb660ad4452e22be6b154b5783619b1dd08f8d
Opcode Fuzzy Hash: 668b6bde07fff85bf24c14756f6c4b4e50f1b3b83e0442e720fa97365a577521
Instruction Fuzzy Hash: FE315374A01628CFEB64DF28C884A99B7F1FB49304F1085DAD81DA7356DB349E85DF50

Function 053D6EA9 Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

hm}, xrefs: 053DA636
hm}, xrefs: 053DA663

Memory Dump Source

Source File: 00000000.00000002.1389546875.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID: hm}$hm}
API String ID: 0-124673948
Opcode ID: 23b3f6463ea0978e12e80c77b8cdaa72fab4b3e71b982f1a1ea595a9ab9d7d9f
Instruction ID: 305ef3c67b955be7fc8a3707218e913da52736fbffe22e0f3751888371883ccd
Opcode Fuzzy Hash: 23b3f6463ea0978e12e80c77b8cdaa72fab4b3e71b982f1a1ea595a9ab9d7d9f
Instruction Fuzzy Hash: E911E4B4A01228CFDB68DF14E999BA9B3B6BB45304F1050E9D018A7640D7785EC8CF11

Function 050CB8DB Relevance: 2.5, Strings: 2, Instructions: 34COMMON

Download Yara Rule

Strings

~}, xrefs: 050CB8DB
|, xrefs: 050CB97B

Memory Dump Source

Source File: 00000000.00000002.1388151753.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID: ~}$|
API String ID: 0-2020681732
Opcode ID: f2d7d6824089e60f27fbb9a1d58a420d94833a677445109cfc344b05728f99a6
Instruction ID: 06be75b19eb7ddc555809527a4e55fd9cc3a6b94fce9bd92cf52389744a94e1d
Opcode Fuzzy Hash: f2d7d6824089e60f27fbb9a1d58a420d94833a677445109cfc344b05728f99a6
Instruction Fuzzy Hash: 921190B4A4052A8FCB54DF24D954BADBBB2AF49301F0080EAD60EAB391DA345E80CF55

Function 053D5B08 Relevance: 2.5, Strings: 2, Instructions: 34COMMON

Download Yara Rule

Strings

hm}, xrefs: 053D5B44
hm}, xrefs: 053D5B17

Memory Dump Source

Source File: 00000000.00000002.1389546875.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID: hm}$hm}
API String ID: 0-124673948
Opcode ID: 4ea763c5a643968bf40adadfd3a110c556056ec505020eb67f5b82b746196b9c
Instruction ID: 250d5a2f35f7c79b5b54cc1af4b482aef081cb5afb4dfdbcd77dae331a1aff5e
Opcode Fuzzy Hash: 4ea763c5a643968bf40adadfd3a110c556056ec505020eb67f5b82b746196b9c
Instruction Fuzzy Hash: 9711C5B4A04168CFDB64DF64E888BA9B7B1FB48704F2048E9D51DA7384DB785E84CF11

Function 04D913B9 Relevance: 2.3, Strings: 1, Instructions: 1071COMMON

Download Yara Rule

Strings

*q~, xrefs: 04D91DE3, 04D91DEE

Memory Dump Source

Source File: 00000000.00000002.1386582661.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d90000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID: *q~
API String ID: 0-1258426024
Opcode ID: de1ef19c60ace6221f3a918356865a1c1c4a62687deb9f91ca8a3d77834cb15d
Instruction ID: 4d231fd9ac617353d313a273afabd5e737ecfa278a61b7bedf04128d186c0457
Opcode Fuzzy Hash: de1ef19c60ace6221f3a918356865a1c1c4a62687deb9f91ca8a3d77834cb15d
Instruction Fuzzy Hash: 5292397150A3C59FEB178B789C58B9A3FB5AF03300F1A41DBE180DB2E2C6785849C766

Function 053CB457 Relevance: 1.8, APIs: 1, Instructions: 265processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 053CB6C7

Memory Dump Source

Source File: 00000000.00000002.1389455470.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53c0000_8qQwTWK3jx.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 79f4ee49435c470ec5d58da79f2340e1effbe9b1b28f981ce1957ed719d612a8
Instruction ID: fc8da0364be270ada9f46635087e7f47a047fba1dee4aa390b364f4b596ecd63
Opcode Fuzzy Hash: 79f4ee49435c470ec5d58da79f2340e1effbe9b1b28f981ce1957ed719d612a8
Instruction Fuzzy Hash: 08A111B4D002188FDF10CFA9C896BEEFBB1BF09304F5491AAE859A7240DB748985CF45

Function 053CB460 Relevance: 1.8, APIs: 1, Instructions: 261processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 053CB6C7

Memory Dump Source

Source File: 00000000.00000002.1389455470.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53c0000_8qQwTWK3jx.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: c7a034ed0fa80a237933b177af36b392afac2294e6c1a4252c17bb51687666c9
Instruction ID: 95dce141a514302c2bb30f15c3db1ea26edbe953b93196365dafcd223047de47
Opcode Fuzzy Hash: c7a034ed0fa80a237933b177af36b392afac2294e6c1a4252c17bb51687666c9
Instruction Fuzzy Hash: 98A101B4D002188FDF10CFA9C896BEEFBB1BF09300F5491AAE859A7240DB749985CF45

Function 053C0195 Relevance: 1.7, APIs: 1, Instructions: 173fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32(?,?,?), ref: 053C031B

Memory Dump Source

Source File: 00000000.00000002.1389455470.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53c0000_8qQwTWK3jx.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 18ef15ceffac86fce41abbe577921819967514d8893120378ecfcc80572ab0af
Instruction ID: 2273cd75f4275f6aef2f53cebeb0086f6e41fa9de82fb0eba201e9dc2b1f6992
Opcode Fuzzy Hash: 18ef15ceffac86fce41abbe577921819967514d8893120378ecfcc80572ab0af
Instruction Fuzzy Hash: 91610170D04358DFDB18CFA9C8897EDBBB1BB49310F248169E855AB280DBB49985CF85

Function 053C01A0 Relevance: 1.7, APIs: 1, Instructions: 169fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32(?,?,?), ref: 053C031B

Memory Dump Source

Source File: 00000000.00000002.1389455470.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53c0000_8qQwTWK3jx.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 80bca6ad051698d8f8c67665f94911be3d8c5c1c7ffb159e6f1b54dce1988538
Instruction ID: dd340097d85c69bc3855b91df8f67cb5fd654a01d0a8e16d1b2fac03ad138eeb
Opcode Fuzzy Hash: 80bca6ad051698d8f8c67665f94911be3d8c5c1c7ffb159e6f1b54dce1988538
Instruction Fuzzy Hash: 12611270D04358CFDB14CFA9C8897EDBBB1BB49310F24816DE855A7280DBB89985CF85

Function 053CC6C8 Relevance: 1.6, APIs: 1, Instructions: 120injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 053CC7A3

Memory Dump Source

Source File: 00000000.00000002.1389455470.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53c0000_8qQwTWK3jx.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8b61e4b169332c438d08c9156633f7e92ecfc66e37f42144278c6ed33b655c7c
Instruction ID: 9bedf1e794ad8f050a276a7ea6ea752c7f0bc817fb004b12f15ab78c54189bba
Opcode Fuzzy Hash: 8b61e4b169332c438d08c9156633f7e92ecfc66e37f42144278c6ed33b655c7c
Instruction Fuzzy Hash: 1441ABB5D0125C9FCF00CFA9D984AEEBBF1FB49310F14902AE819B7200D775AA45CB54

Function 053CC6D0 Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 053CC7A3

Memory Dump Source

Source File: 00000000.00000002.1389455470.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53c0000_8qQwTWK3jx.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 23e518648269dc68b4fc3161e360bdc39b94503add3717533bc49c1a6f1e78ee
Instruction ID: 2614a5d959d4f422ed6e3bf282a535fed52506b06a289040af87d20c46cb7820
Opcode Fuzzy Hash: 23e518648269dc68b4fc3161e360bdc39b94503add3717533bc49c1a6f1e78ee
Instruction Fuzzy Hash: DB41AAB9D012589FCF00CFA9D984ADEFBF1FB49310F14902AE819B7200D775AA45CB64

Function 053CC3C8 Relevance: 1.6, APIs: 1, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 053CC47A

Memory Dump Source

Source File: 00000000.00000002.1389455470.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53c0000_8qQwTWK3jx.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ad6377ef777b707712d6c066082e1c47cbbf7c5da0a1b06b27889a5e4af56e81
Instruction ID: 295b0558332e1653ba7c5571ac4844c533039a0610d9e22284b7baf91577cd16
Opcode Fuzzy Hash: ad6377ef777b707712d6c066082e1c47cbbf7c5da0a1b06b27889a5e4af56e81
Instruction Fuzzy Hash: 64319AB9D0425C9FCF10CFA9D980AEEFBB5BB09310F14A46AE829B7210D775A941CF54

Function 053CC3D0 Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 053CC47A

Memory Dump Source

Source File: 00000000.00000002.1389455470.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53c0000_8qQwTWK3jx.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3d593c1c168c11fb4f6771826bf1cca2bd6f77842e934a33b2fdd73628dbb0a5
Instruction ID: ccafc78fe5cca564141261f92f10adb89fb969c47e0a93172449a666c49fa999
Opcode Fuzzy Hash: 3d593c1c168c11fb4f6771826bf1cca2bd6f77842e934a33b2fdd73628dbb0a5
Instruction Fuzzy Hash: 6B31A8B9D042589FCF10CFA9D880AEEFBB5BB09310F14A42AE819B7210D775A941CF64

Function 0525670A Relevance: 1.6, APIs: 1, Instructions: 99memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 052567B4

Memory Dump Source

Source File: 00000000.00000002.1389133384.0000000005250000.00000040.00000800.00020000.00000000.sdmp, Offset: 05250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5250000_8qQwTWK3jx.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 51ff737c15d758747ea814ce821e3fdc6fc3f3288679b004c6be41be1f315b7e
Instruction ID: 531a4f284ce7c0ca5b7a1bb79e0e41bbeafa823a7f4bc0dfb7cc750618ec2fc7
Opcode Fuzzy Hash: 51ff737c15d758747ea814ce821e3fdc6fc3f3288679b004c6be41be1f315b7e
Instruction Fuzzy Hash: E331DAB9C042089FDF00CFAAD880AEEFBB1BF09310F24942AE814B7200D775A945CF54

Function 05256710 Relevance: 1.6, APIs: 1, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 052567B4

Memory Dump Source

Source File: 00000000.00000002.1389133384.0000000005250000.00000040.00000800.00020000.00000000.sdmp, Offset: 05250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5250000_8qQwTWK3jx.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 11078927b8b5ac5206e724bf1cf8418f371e77a8e301508998846f4f3a2e821f
Instruction ID: 6d7683c5545265fe2c5b68675b4cb3efb40203c9e9e08c82812ae1cfbe705595
Opcode Fuzzy Hash: 11078927b8b5ac5206e724bf1cf8418f371e77a8e301508998846f4f3a2e821f
Instruction Fuzzy Hash: 4D31CAB9D042589FDF10CFAAD984AEEFBB1BF09310F14942AE814B7210D775A945CF54

Function 00A7EC18 Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 00A7ECBC

Memory Dump Source

Source File: 00000000.00000002.1373518193.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_8qQwTWK3jx.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 98b5661e00ffefec957ca5ed0867efe401017ff86c282d585a16c4cc6f3afd39
Instruction ID: 3b9e7232a4a32f5563eda0417678ea38d378834a471fb44d79e33a45c6fbc5cc
Opcode Fuzzy Hash: 98b5661e00ffefec957ca5ed0867efe401017ff86c282d585a16c4cc6f3afd39
Instruction Fuzzy Hash: 3F31A9B8D002089FCF10CFAAD984ADEFBB0BF09310F24902AE819B7210D775A945CF94

Function 053CBD19 Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 053CBDCF

Memory Dump Source

Source File: 00000000.00000002.1389455470.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53c0000_8qQwTWK3jx.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 77fd8a11c77d257eb5e6aca61f4612bf2834e52bf01ef3e5dd1629598036711a
Instruction ID: 71bb80f6421c40b66780e70b2e6b968a6e8a24a8fe4ad6ce38969e7169ec4dae
Opcode Fuzzy Hash: 77fd8a11c77d257eb5e6aca61f4612bf2834e52bf01ef3e5dd1629598036711a
Instruction Fuzzy Hash: 5E41ABB5D002589FDB10CFAAD885AEEFBF1BB49310F64806AE415B7240D778A945CF54

Function 053CBD20 Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 053CBDCF

Memory Dump Source

Source File: 00000000.00000002.1389455470.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53c0000_8qQwTWK3jx.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: fffc6b3dd6804877a331cec5591584ed1f4b1228c1056d04b0af8f38636e49f9
Instruction ID: 36528e72542e8a25ed36fa776cc07e7f4fa4014ef4da029cb953e8711de50858
Opcode Fuzzy Hash: fffc6b3dd6804877a331cec5591584ed1f4b1228c1056d04b0af8f38636e49f9
Instruction Fuzzy Hash: B231BBB5D002589FDB10CFAAD885AEEFBF1BF49310F14802AE415B7240D778A945CF54

Function 050B8498 Relevance: 1.6, Strings: 1, Instructions: 343COMMON

Download Yara Rule

Strings

d, xrefs: 050B86F9

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: da217ed2d387c97a187edc114f2cec783d2e4572d084c03effb82522748dfed1
Instruction ID: 4dfc1ee054444fc6c9a9456a8b862956424e1cc5999af04c1463cfd244bd2758
Opcode Fuzzy Hash: da217ed2d387c97a187edc114f2cec783d2e4572d084c03effb82522748dfed1
Instruction Fuzzy Hash: 3DD16735600606CFDB24CF28D484AAEB7F6FF88314B65C969D45A9B361DB70F842CB94

Function 053E9C78 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

hm}, xrefs: 053E9DEA

Memory Dump Source

Source File: 00000000.00000002.1389546875.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID: hm}
API String ID: 0-1197628385
Opcode ID: c466a3e3b21c31980f4674a3a49c356d7d8b2e49e612c668dc12c5b3c5bf5bb2
Instruction ID: ab4e054f1230839e65d7e7feedb368766ad3afe42eb4ddc27e89001201e3209c
Opcode Fuzzy Hash: c466a3e3b21c31980f4674a3a49c356d7d8b2e49e612c668dc12c5b3c5bf5bb2
Instruction Fuzzy Hash: 47519EB6E04228DBDB04EFA9D848BEEBBF6FB89300F10842AD415B7394DB745945CB50

Function 04D701D0 Relevance: 1.4, APIs: 1, Instructions: 100memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 04D70277

Memory Dump Source

Source File: 00000000.00000002.1386533381.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d70000_8qQwTWK3jx.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4880c36ed79bedfd921c5e6b469cc635a55088fd85c07949f38a7a7034792ca7
Instruction ID: d2836d511bdc02811089e9a3c6841dc39a51f481520d488370c76baca77c1394
Opcode Fuzzy Hash: 4880c36ed79bedfd921c5e6b469cc635a55088fd85c07949f38a7a7034792ca7
Instruction Fuzzy Hash: 6D31B8B9D002489FCF10CFA9D884AEEFBB1BB49310F14942AE814BB250D735A9418F94

Function 04D701D8 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 04D70277

Memory Dump Source

Source File: 00000000.00000002.1386533381.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d70000_8qQwTWK3jx.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b962646450fa9663b37236935936964b91b0ff9fb6015204a8374a46737f0abc
Instruction ID: a7905847e74b0dfc695c44ee3fb17737d3dfe09e82d94d35d485f4c0690181bc
Opcode Fuzzy Hash: b962646450fa9663b37236935936964b91b0ff9fb6015204a8374a46737f0abc
Instruction Fuzzy Hash: 2231B6B9D002089FCF10CFAAD880AEEFBB0BF09310F24942AE814B7210D735A945CF94

Function 053D888D Relevance: 1.3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

Strings

hm}, xrefs: 053DAFF1

Memory Dump Source

Source File: 00000000.00000002.1389546875.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID: hm}
API String ID: 0-1197628385
Opcode ID: e89a2d6e741db484697800fabfc42e74017159c73c76dac20272c508458fb51e
Instruction ID: a5e09fcef70ac6bd854eb40c7d453ac352ecebfa3694b8d0e6b9035b714ab5c6
Opcode Fuzzy Hash: e89a2d6e741db484697800fabfc42e74017159c73c76dac20272c508458fb51e
Instruction Fuzzy Hash: FE11F774941518CFDB64DF18DC98BA9B7B5FB4430AF0044E5D418A7650D7749EC88F11

Function 053D5DAD Relevance: 1.3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

Strings

hm}, xrefs: 053DBD38

Memory Dump Source

Source File: 00000000.00000002.1389546875.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID: hm}
API String ID: 0-1197628385
Opcode ID: 782234b1119d55121539231aef99ddcf554eabeac38f28f477976cd3233fd30c
Instruction ID: 73a0b34e19893128229480f19ad60ff0d14c127d4bffeed8358181bb43a6f50d
Opcode Fuzzy Hash: 782234b1119d55121539231aef99ddcf554eabeac38f28f477976cd3233fd30c
Instruction Fuzzy Hash: E301EDB4A4122DCFEB64DF14E959BA8B7B2FB45705F1080E9D019A7680DB781EC8CF12

Function 053D1741 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

hm}, xrefs: 053DBD38

Memory Dump Source

Source File: 00000000.00000002.1389546875.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID: hm}
API String ID: 0-1197628385
Opcode ID: aa5367bfb91d3b18a9f74cb85f52f846f089f2feb27b034f9141227d3be9f696
Instruction ID: 3aed1ab966853ca19b237d6d0df148b34bac43deb214669005524e6c8247161f
Opcode Fuzzy Hash: aa5367bfb91d3b18a9f74cb85f52f846f089f2feb27b034f9141227d3be9f696
Instruction Fuzzy Hash: E9F0CD70A0915DDFE724DF10D95CBA9FB72EF41704F1480E9D01957682C9B80E48CF16

Function 050CB0E7 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

h, xrefs: 050CC3DD

Memory Dump Source

Source File: 00000000.00000002.1388151753.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID: h
API String ID: 0-2439710439
Opcode ID: 89593c6714f518468b7bf47fb9ecb290e2c8f35ee2910341fb784212db93e775
Instruction ID: d89bb7f5c1a21b09e5df7e8be3f5bc06a8ecba95cd67545896620cb3dd5cfe45
Opcode Fuzzy Hash: 89593c6714f518468b7bf47fb9ecb290e2c8f35ee2910341fb784212db93e775
Instruction Fuzzy Hash: FFF0FFB4A00218CFEBA0DF24E84479DBBB1FF45306F5080DAD50997251DB344AC5CF0A

Function 050C9517 Relevance: 1.3, Strings: 1, Instructions: 24COMMON

Download Yara Rule

Strings

h, xrefs: 050CC3DD

Memory Dump Source

Source File: 00000000.00000002.1388151753.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID: h
API String ID: 0-2439710439
Opcode ID: 9201e08112bb25ca0323b0307c3f7188c63a1ac591129681117db8ce3576f3b5
Instruction ID: 71531087ac8bdc41f1c43cd9e89760e5d349f04b67fc5003aadc65a6592f9d52
Opcode Fuzzy Hash: 9201e08112bb25ca0323b0307c3f7188c63a1ac591129681117db8ce3576f3b5
Instruction Fuzzy Hash: 7DF0AFB4A01218CFEBA0DF24D95479DBBB1FB45306F5080D9D54997241DB745AC5CF0A

Function 050C1027 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

], xrefs: 050C104F

Memory Dump Source

Source File: 00000000.00000002.1388151753.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID: ]
API String ID: 0-3352871620
Opcode ID: 4a191d80b7cf6f43c29574d667ef82174d882e46e2a243930794353be11a0a4b
Instruction ID: 5c6feead3cfac05eb75ad81a0e0d742b93e25a9ac8bceef5bbe8b6411a4e3498
Opcode Fuzzy Hash: 4a191d80b7cf6f43c29574d667ef82174d882e46e2a243930794353be11a0a4b
Instruction Fuzzy Hash: 22F0B27091022ECFDB61CF64E898BADFBB1BF06308F4040EAE918A3240C7745A80CF40

Function 050BB980 Relevance: .7, Instructions: 677COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 377a76c84baa8c8a001b446e21ac3e4564c0b8218ee1dfe36bce1422f409fb83
Instruction ID: a0ff55a9d2ccb2976e11af01d02871e98f938085d840af497068e835878ac52a
Opcode Fuzzy Hash: 377a76c84baa8c8a001b446e21ac3e4564c0b8218ee1dfe36bce1422f409fb83
Instruction Fuzzy Hash: E2521875A002288FEB64CF68C995BEDB7F2BF88300F1581D9E509A7351DA749E80CF61

Function 050B5EAF Relevance: .5, Instructions: 535COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8ba6d6b6114d48a9fc3ad884984f446526bffeba10276e9dff5fba390a28037
Instruction ID: c8a1eef848401f14c5567b82eeffd495dbe83366fdd561d7b13561d423e9e97d
Opcode Fuzzy Hash: c8ba6d6b6114d48a9fc3ad884984f446526bffeba10276e9dff5fba390a28037
Instruction Fuzzy Hash: CC224B35A00204DFEB44DF94E494AADB7F6FF88300F188569E906AB396DB76ED41CB50

Function 050B8DE8 Relevance: .5, Instructions: 478COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f47f8c5dc43159e18ec08dc5115b2c539d45cf8538cb520541f091ba2a20640
Instruction ID: a25345212d092b5502d298d2ee3707b75333d3acf286fde58c408d1629c96fa5
Opcode Fuzzy Hash: 3f47f8c5dc43159e18ec08dc5115b2c539d45cf8538cb520541f091ba2a20640
Instruction Fuzzy Hash: 68122B31A00604DFEB64DFA5D494AAEB7F2FF88300B14892DE506AB391DB75EC46CB51

Function 050BE988 Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e906849e5d6e6d5b0b071e6c4a066289fb9079ad358ff1f3237f2297b89d2e4b
Instruction ID: 16c2a7c81f2adc40c25190dd09cd5849b03acc58ba73df7d61d7dd3190974183
Opcode Fuzzy Hash: e906849e5d6e6d5b0b071e6c4a066289fb9079ad358ff1f3237f2297b89d2e4b
Instruction Fuzzy Hash: A412D634B002198FEB14EF64D898BDDB7B6BF89300F5185A8D44AAB365DB70ED85CB50

Function 050BA0B0 Relevance: .4, Instructions: 405COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5e1a101428b3a9d374aa17ee31125ea2c6c873de44b571a0c8175a0ef16b6f5
Instruction ID: bc25e2a604ee4103593f9687f5382f0ab7fa7a8da44b643f74f902a63c3b9702
Opcode Fuzzy Hash: f5e1a101428b3a9d374aa17ee31125ea2c6c873de44b571a0c8175a0ef16b6f5
Instruction Fuzzy Hash: 72D17B36A00214DFDB05DFA4D844E99BBB2FF88310F0584A8E509AB272DB75EE55DF90

Function 050BAAA8 Relevance: .4, Instructions: 370COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9fcebb8719da27a345bca157d9587a6ec58fad804383135d256c06806726c04
Instruction ID: 393f5811e37429e91e2047eb0a43e445313ed319073dc20e92148517046265cd
Opcode Fuzzy Hash: d9fcebb8719da27a345bca157d9587a6ec58fad804383135d256c06806726c04
Instruction Fuzzy Hash: AAF1C834B00218DFDB04DFA4D998AADB7B2FF89300F558559E406AB3A5DB75EC42CB90

Function 050BF070 Relevance: .4, Instructions: 369COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b90ecb655ad298d62bbdeeeb2c9a878358f5f06dc81001a5ee53d0aeef087b9
Instruction ID: b8dd161ca92a589d35f710a5cce9f977bf3bf759c27f7e3fb55190b7f57d1f1b
Opcode Fuzzy Hash: 8b90ecb655ad298d62bbdeeeb2c9a878358f5f06dc81001a5ee53d0aeef087b9
Instruction Fuzzy Hash: 00F13E34B00209DFDB04DFA4E4949ADBBB2FF89300F508569E805AB365DB74ED82CB91

Function 04D929D0 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1386582661.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d90000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f604eb0dcaf8dcbdb0c368b4d7e4c63d398c5dc605a233bd5999178493a7962e
Instruction ID: 1e01f1a5a84f5ed1414854ac23baeac813e1daa186e0dde05996bc5aa3e84176
Opcode Fuzzy Hash: f604eb0dcaf8dcbdb0c368b4d7e4c63d398c5dc605a233bd5999178493a7962e
Instruction Fuzzy Hash: 0AF16C74E01218EFDF18DFA4E4A86ACBBB2FF89315F204569E416A7351DB34AD81CB41

Function 050BB970 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40a6e1fac9efe717c00b5658331755d9a8bcab7e95cd540e1bde587b91e0c702
Instruction ID: 844a0f4a3fa31275e6376b22a4ee91211d97f843703a1d86d3586f9c0d89c908
Opcode Fuzzy Hash: 40a6e1fac9efe717c00b5658331755d9a8bcab7e95cd540e1bde587b91e0c702
Instruction Fuzzy Hash: 1EC16B75A002188FEB18CB68D995BDDB7F6FF88700F158099E509AB3A1CA74DD81CF61

Function 050B6648 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0369398dc6f29f7370ea5b8684b743f1da89067e1a626eef96485024e6593fa3
Instruction ID: d92e3c0a0f7af0679c3bf0ad7972397e73127f3a365298a591d478b69748259b
Opcode Fuzzy Hash: 0369398dc6f29f7370ea5b8684b743f1da89067e1a626eef96485024e6593fa3
Instruction Fuzzy Hash: 40910334B006148FEB54DF68D484AAE7BF6FF89710B1180A9E506DB3A1DBB1EC41CB91

Function 050BE979 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2a691c396b0eefd378cd0118a940e537732260497b1ea84177daf65be85533e
Instruction ID: 313549b80945262717de0aea88b2d99f9d0a81d5efc99c18bda1e229b7b50d7b
Opcode Fuzzy Hash: a2a691c396b0eefd378cd0118a940e537732260497b1ea84177daf65be85533e
Instruction Fuzzy Hash: 7DA1E634B002158FEB14DF64D898BDDB7B6BF89300F5085A8E50AAB3A1DB74ED85CB50

Function 04D926A8 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1386582661.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d90000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dfd80b8d719de714973ad668937fdd4a52938fe96e1163538f54ef375a7b7f0
Instruction ID: b97ab2e9f20e2f1440c5001088102e52254fd15c11bda6470b90bd40033a0b56
Opcode Fuzzy Hash: 0dfd80b8d719de714973ad668937fdd4a52938fe96e1163538f54ef375a7b7f0
Instruction Fuzzy Hash: DCA19F74E05209EFDF18DFA5D458AADB7B2FB49301F1088A9D412A7350D738AD86CF51

Function 050BF930 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3333b2680ba9538086814641e6a659dc2840bcfdb723a33ff46315fa04d8569
Instruction ID: 7b605002b58d2e8975d9088f674cbfa05b87d99d99e6dddb63d64e33af8fb24a
Opcode Fuzzy Hash: c3333b2680ba9538086814641e6a659dc2840bcfdb723a33ff46315fa04d8569
Instruction Fuzzy Hash: 2D912C31750215DFDB44DF68E8A8AADB7B6FF89710F148169E4069B3A1CB74EC41CB90

Function 050BAA99 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75bb700c1bd1efadf0e97a694f0835452e4e4f707635af7272b2df9dd6179b5b
Instruction ID: a14a1e168e307d8f8c9dbecb6c9f5d9aa2a972e3a27396b3d3bd250e6ccfb7ce
Opcode Fuzzy Hash: 75bb700c1bd1efadf0e97a694f0835452e4e4f707635af7272b2df9dd6179b5b
Instruction Fuzzy Hash: AAA1B434B10618DFDB04EFA4E898ADDB7B2FF89300F558559E406AB361DB74AC42CB91

Function 050B1A38 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80043caf4c95f8fdfe7643f06ba09d72c51e7a7c0ab0edd1d656a70115793616
Instruction ID: d8576ffa93445834f9c4bd8d82104af52c4270b4df632220de5cbc19e745b2b7
Opcode Fuzzy Hash: 80043caf4c95f8fdfe7643f06ba09d72c51e7a7c0ab0edd1d656a70115793616
Instruction Fuzzy Hash: FE813A35B012049FEB04DFA5E9A8AEDBBF2FF89211F144069E402AB390DB79DD51CB50

Function 050B73A8 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36aec1934a941f0c6ed15445fc37de9ffa15a9b166aa8de3aa7bc8ce1115d8fe
Instruction ID: a97dc901ae3f23bb6aa4fe5f0c4c08b8a7efcc1056861eb58deb9ffbf38d5c74
Opcode Fuzzy Hash: 36aec1934a941f0c6ed15445fc37de9ffa15a9b166aa8de3aa7bc8ce1115d8fe
Instruction Fuzzy Hash: 5B812935A00218CFDB14DF69D484E9EBBF6FF88710B1585A9E816AB360DB70ED41CB90

Function 050B48F9 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ee55850080deb91e381e60473d83ccac657abebcbb343d10e4a63082a3f9f2e
Instruction ID: 7a50667c8ec84f634746cdf2429f493692ed00fc4cca4a267f872d1c2794f3cb
Opcode Fuzzy Hash: 6ee55850080deb91e381e60473d83ccac657abebcbb343d10e4a63082a3f9f2e
Instruction Fuzzy Hash: A2519C347002008FEB19AF79E494A6E77B7FF89310B10846CD906AB391CE79ED42CB95

Function 050BF920 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69e73d1acdc0f8ea4b278221102d9fb979067b947c75a58a587df768fb47f7f9
Instruction ID: 329da366858ea6ac6f85de6229d2b7d8766594a823b5c44f1c40638f4e18462f
Opcode Fuzzy Hash: 69e73d1acdc0f8ea4b278221102d9fb979067b947c75a58a587df768fb47f7f9
Instruction Fuzzy Hash: F0611574B102159FDB08DF68D8A8EADB7B6FF88710F148169E5069B361CBB0EC41CB90

Function 050B06F8 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bfec4c4fa31f2be0ea2829e636a5939af64e5407223b83f232f4f24c9821a6e
Instruction ID: 0574181a93ad7e9aa9b035ed8f68416a4511e5e45d189f101996ed7234cada8e
Opcode Fuzzy Hash: 3bfec4c4fa31f2be0ea2829e636a5939af64e5407223b83f232f4f24c9821a6e
Instruction Fuzzy Hash: E0515D76600100EFDB459FA8D845E69BBF3FF8D3147158098E2099B372DA36DC22EB51

Function 050B25A0 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 280bdc7c0841d9e7bd8ec295fabd5a8469d2618f0e4fb53f85451219e6e2ae10
Instruction ID: 967a273e71115e5739bd40c2faace5f47539b0ac0748cc3ffb37cd69bc7ac51c
Opcode Fuzzy Hash: 280bdc7c0841d9e7bd8ec295fabd5a8469d2618f0e4fb53f85451219e6e2ae10
Instruction Fuzzy Hash: 5D518E357002158FDB04DF69D890AAEBBE2FF89310B158169EA05DF361CB71ED01CBA1

Function 050B16C8 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e5bed056e6a8b7c35bcb1fc40729aff83306ce0cd0b54c044ef668fc459afd6
Instruction ID: f95ec6ee3ca500e05f19bfdea1eb16d1eebbac6f1ea74b4926bf27e2c4abddee
Opcode Fuzzy Hash: 7e5bed056e6a8b7c35bcb1fc40729aff83306ce0cd0b54c044ef668fc459afd6
Instruction Fuzzy Hash: A851DE35E046068FDB00DF68E494AAEF7B6FF85320F258699E915AB241C730ED51CBC4

Function 050B6ED8 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcb759cb94fb6aa5fbfc43fe0d9db0f2e43dbe06a5e1b111b8f12aab06c3e45e
Instruction ID: ae413009203e619d8a3b9d167ded68b82f1e7d2d893ec7dcdbd29b43dd97ed39
Opcode Fuzzy Hash: fcb759cb94fb6aa5fbfc43fe0d9db0f2e43dbe06a5e1b111b8f12aab06c3e45e
Instruction Fuzzy Hash: BC519D317042058FEB159F69E855BAE37A6FF88340F148169E806DB391CE79EC92CB91

Function 050BF798 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ec0bcda3eb1d620eb33756e2402e09a45b5fcbab886613b6f323c507ccf68d6
Instruction ID: dfbac0a9196dff5a3b09fe0cf9e43e6cbf1714b97d083df34856a06ebd1c372e
Opcode Fuzzy Hash: 3ec0bcda3eb1d620eb33756e2402e09a45b5fcbab886613b6f323c507ccf68d6
Instruction Fuzzy Hash: 3341A036704200AFEB058F68E814E597BB6FF89720B1580EAE605DB3B2CA35DC11DB50

Function 050BE739 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efb4d0bde2741c919dcac3b444a64094c212b260951d0007ba904273c783d963
Instruction ID: e878c574791eb284d25743790870f8ce08d9cde8ea8b86681a0b5d89f4f43220
Opcode Fuzzy Hash: efb4d0bde2741c919dcac3b444a64094c212b260951d0007ba904273c783d963
Instruction Fuzzy Hash: 79418230B106148FEB04EB68E8D8AED77BBAFD9700F504529D006AB394DFB49D46CB91

Function 050B2158 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dfe368b58166902ea9bb09a7e80913fd3ab209f0ad27e525a089e4b89354751
Instruction ID: da595ee96b21074a5b562dd5c016831005005d3453f6d10b9c5f30a9b428d8c7
Opcode Fuzzy Hash: 4dfe368b58166902ea9bb09a7e80913fd3ab209f0ad27e525a089e4b89354751
Instruction Fuzzy Hash: 89412D34B04206DFEB14DB64E894BAEB7F2FB88714F14C429E906AB355DBB5E841CB50

Function 050BA0A0 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b958c54b86bf6e039a7ecd6d82a9453b7df1599d200884dfa5a7d9762c0a84f
Instruction ID: ea7cbf9385a0fc5e586556802c610cfeb78e1feba69779e45503bb7d94447fa6
Opcode Fuzzy Hash: 1b958c54b86bf6e039a7ecd6d82a9453b7df1599d200884dfa5a7d9762c0a84f
Instruction Fuzzy Hash: F7418071A003059FEB44DBA9D8407AEB7F6BF88304F54892CD406AB341DB75AD468BA1

Function 050C7818 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388151753.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e2cf37563d6a6ea5aa7d5ea44a387d5cbcd1da788c09b873e9c16e9ab42dab5
Instruction ID: 9dca2f32f6e807e908098339f1fe12933d8f2f30a9d87abc0007f679d9de086b
Opcode Fuzzy Hash: 2e2cf37563d6a6ea5aa7d5ea44a387d5cbcd1da788c09b873e9c16e9ab42dab5
Instruction Fuzzy Hash: 9C51B070E01218DFDB58DFA9D894A9DBBB2FF89300F20806ED816AB360DB349941DF54

Function 050C7808 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388151753.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bf206e022681b26d2380349de0f65b76f43cee7a231ac53bc842b5b021a2bc9
Instruction ID: e3d28cdd7f9ce082e8f684a254524c8ee3b12e035ef6b8a7af8939b3d96f379d
Opcode Fuzzy Hash: 4bf206e022681b26d2380349de0f65b76f43cee7a231ac53bc842b5b021a2bc9
Instruction Fuzzy Hash: 7A41C470E01218DFDB58DFB9D494A9DBBB2FF89300F20816ED416AB260DB309941DF54

Function 050BD250 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc2c7c06c0675f04587a64922a2a5d78dce66c5ba209615c58ae320ba3ea01e1
Instruction ID: 2e89998729ea0c854afcb4859e07c5b12af2022e12a00f9a77a39890770dbd28
Opcode Fuzzy Hash: fc2c7c06c0675f04587a64922a2a5d78dce66c5ba209615c58ae320ba3ea01e1
Instruction Fuzzy Hash: C131F536610105DFDB45DF68E898EA9BBB2FF48720F0680A8E5099B372C771EC55DB40

Function 050BA678 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06cadc13d9c9fcacbd2907316fcfc8b7eebd447dc5b16bd8a4631c385f56cf00
Instruction ID: 026a591f69072b367a34461ccbd92a8e8b462029d0bbe2693b97792e6a9a183a
Opcode Fuzzy Hash: 06cadc13d9c9fcacbd2907316fcfc8b7eebd447dc5b16bd8a4631c385f56cf00
Instruction Fuzzy Hash: B1317334B405089FDB049B64E4A8ABE7BB7FFC8710F108419E9029B3A0DF745D46CB91

Function 050B22E8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01e8a4eed1fd325b62023023e950f01bd92678c8c2e06e6550582e8635dbf79f
Instruction ID: 912bed9f2a1b3da6afd36b6b095480af5c5e36690ee7a05268a819809e8df9da
Opcode Fuzzy Hash: 01e8a4eed1fd325b62023023e950f01bd92678c8c2e06e6550582e8635dbf79f
Instruction Fuzzy Hash: D041BD34A002168FEB60CFA5D880AFEBBF1FF88700F00862AD906E7254D7B4D945CB90

Function 050B7348 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63244d8f34fc8c5e4b4a983921d37ba394266ad8ce1842ba4368f08072f5f3d9
Instruction ID: dd6a1cad42a206401eedee317a05f896b5a2d930b09db535c3174e522f34887d
Opcode Fuzzy Hash: 63244d8f34fc8c5e4b4a983921d37ba394266ad8ce1842ba4368f08072f5f3d9
Instruction Fuzzy Hash: 6F319272A042089FDB15DF95E8809DEBBF9FF89310F04456AE905D7350EA74AD06CB91

Function 050BFC38 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e5891157b88b7b4a15cd08af9a0bf676a04191313916d843c74c7a5b5de0c0a
Instruction ID: 30a3b7c6d8b1484d53939d3eabb3a0db4922e7ee42ab00364a8515e874dfd510
Opcode Fuzzy Hash: 1e5891157b88b7b4a15cd08af9a0bf676a04191313916d843c74c7a5b5de0c0a
Instruction Fuzzy Hash: 56311E35A00519DBDF04DFA5E895AEEB7B6FF9C311F108025D801BB260CB75AD45CBA0

Function 050B9B10 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8d0df47a9eea1237e4fb48152b40f292754a4f1f9d9d941cc9af821b9a02a4c
Instruction ID: 605faf5d60b19f75a725cb8ba4afd6c37c7255ebb8baece1ddf69e4733657747
Opcode Fuzzy Hash: f8d0df47a9eea1237e4fb48152b40f292754a4f1f9d9d941cc9af821b9a02a4c
Instruction Fuzzy Hash: 9B318F36B00104DFEB059F94D894A9DBBB6FF8C310F1584A9EA069B3A1DA71EC52CB51

Function 050B2CA2 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdf7a6afd59ae09b98559497934e6125fae3fc2741c49756819373260e047216
Instruction ID: 33525c4cd1ab8d1090dd8e46a99c6d5dee2f9484442c591ae67c17a1710bc6bc
Opcode Fuzzy Hash: bdf7a6afd59ae09b98559497934e6125fae3fc2741c49756819373260e047216
Instruction Fuzzy Hash: 5141C178A012288FEB64DF24DC95FADB7B1BB59710F1045D5EA09AB3A0CA71ED81CF50

Function 050BB418 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49bc956dcd838cc753b87b698ffa0b4dcfdf5c3edbe8e09382a4416f0f0c1dab
Instruction ID: 2b11b78691207aae41909351d8a305b6ef24674a9611ee96b04538e2400a0a78
Opcode Fuzzy Hash: 49bc956dcd838cc753b87b698ffa0b4dcfdf5c3edbe8e09382a4416f0f0c1dab
Instruction Fuzzy Hash: FA21F8323052109FE7208B69F884A6AB7E5FBC0321B15807AE50EC7651CB64EC41C792

Function 050B6EC8 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c09ee3346e2927e41eb51bbae3674705b054cf0a78a200ab36a9105b075eb36
Instruction ID: bdbb4cc94a6eb252da77ffea25026d4cfac3f22f33c8c4d238133132a329dc22
Opcode Fuzzy Hash: 5c09ee3346e2927e41eb51bbae3674705b054cf0a78a200ab36a9105b075eb36
Instruction Fuzzy Hash: A4314C31600205DFEB14CF25D885BAE77E6FF88345F148169F9058B261CBB5ED91CB90

Function 050B4770 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f9cd5463e04b715f04499788b643f029b5c06d51764c8794bf8a8577fae60b3
Instruction ID: b1b1ecd70473cb424bba99740fff93764c46b42e97bf79ec5b675fc5fc05f3ea
Opcode Fuzzy Hash: 6f9cd5463e04b715f04499788b643f029b5c06d51764c8794bf8a8577fae60b3
Instruction Fuzzy Hash: 58214A71E40249DFEF50DEB8E584BEEBBF6AB04340F508066D515D7292E7B4CA40CB91

Function 050B5210 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e32d4786b312d8e79c135b17a4094426d560a9ecfaf7ab01eb2f299225083752
Instruction ID: b367248ab8880a1bf72702217b6cf324a8b7696113ef5ae712acb11d09430c50
Opcode Fuzzy Hash: e32d4786b312d8e79c135b17a4094426d560a9ecfaf7ab01eb2f299225083752
Instruction Fuzzy Hash: 3D214C713092449FEB41CF69D884AAE7BEABF9A200B094096FC55CB3A1D675DC51CB20

Function 007DD01C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1371170823.00000000007DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7dd000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bed441adcb8e27a746fa8758233e70faf2aa1ac8104effa18ebefd5b355a9a0
Instruction ID: b611109cfde92c1eee4e30dfca7ae513a82f06fdf2c1c1f7da9c27369cb28330
Opcode Fuzzy Hash: 0bed441adcb8e27a746fa8758233e70faf2aa1ac8104effa18ebefd5b355a9a0
Instruction Fuzzy Hash: 2721C271504244DFDB25EF14D9C4B26BB75FBC8314F24856AE9094B346C33ADC5ACBA2

Function 050B0AB0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1555a78f4067a7637c384dcf26cd9c96602648a756b48ad1e126c29c0910fa0
Instruction ID: edeb2fae0c2443eaaea65ddff7bd505b1e283b5c44e4eb68a7ddf57a9b53552b
Opcode Fuzzy Hash: e1555a78f4067a7637c384dcf26cd9c96602648a756b48ad1e126c29c0910fa0
Instruction Fuzzy Hash: 0A217C75A00208DFDB09CF68D4A89EE7BB6EB8C324F148569E811A7390DB759D41CB90

Function 050B88B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2837e0734ce43ae4cf619fb7e2718f1c1645b1f2eeb32376238a2cb458e0e190
Instruction ID: ff6408e28563c399c34a2b0f66369df06f7b4b0943db7f8de299a42309093830
Opcode Fuzzy Hash: 2837e0734ce43ae4cf619fb7e2718f1c1645b1f2eeb32376238a2cb458e0e190
Instruction Fuzzy Hash: FF21D275A002098FEB05DFA4D594ADDB7F2FF88300F2045A5E405BB3A1CB76AE45CBA1

Function 050C7EB8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388151753.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba9b6e7520e8ae5b2512c97c2f21aacd9ab00a99bea4750e77e844195d9d4123
Instruction ID: 1003ff151ef8fe493a3b39bcdc6c72c97393a4cc1431cdaa4169dfd9a419a3bb
Opcode Fuzzy Hash: ba9b6e7520e8ae5b2512c97c2f21aacd9ab00a99bea4750e77e844195d9d4123
Instruction Fuzzy Hash: 4421F874E04209DFDB44DFA9E4856AEBBF2FB49301F10C5AED415A7250D7349982CF91

Function 050B043A Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 826785cbc102e93b219881c7fc5bb05d28536af5cded2ba7aff1cc17bdc37838
Instruction ID: d05a165a98a2e90d64087095cdd8a2f24a9cd6a6867434e1fa2952cdc15cffd4
Opcode Fuzzy Hash: 826785cbc102e93b219881c7fc5bb05d28536af5cded2ba7aff1cc17bdc37838
Instruction Fuzzy Hash: 29219F317003059FE714EBA8E8597AE77F6EB88304F008429E009D7785DBB9EE558B96

Function 007DD005 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1371170823.00000000007DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7dd000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcd0ee65b0625c0a18636ad3f48266677d28d0d7dbcd662f490a306ef72ab156
Instruction ID: 72001ed0112e06c3beeb5f8011ad33a5c48bec606930a8dd78e0584fe5ae9bc1
Opcode Fuzzy Hash: dcd0ee65b0625c0a18636ad3f48266677d28d0d7dbcd662f490a306ef72ab156
Instruction Fuzzy Hash: B1217F714083849FCB12CF14D994B16BF71EB86314F2985EAD8454B697C33ADC5ACBA2

Function 050C7EA8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388151753.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff25fee2e682a0ccd1fe917972ffd90d428f19a62b4e8f6d0a5e3899447988f7
Instruction ID: 761824d205d1b3f65430bbfb7174fee376b2b0f02d5048f9287608cbe2f38e53
Opcode Fuzzy Hash: ff25fee2e682a0ccd1fe917972ffd90d428f19a62b4e8f6d0a5e3899447988f7
Instruction Fuzzy Hash: 03212571D052099FCB48CFA9E4456ADBFF2FB4A300F2485AED009E7251E7745981CF90

Function 050B0448 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a802f850d813818967ae28d51409867f28d8e0fd1ee6386c2d0d67a23cd9a17
Instruction ID: 08973db7d0c36225369b8777dd1b052a38a22e1c07e7527b27c0be3e76e67138
Opcode Fuzzy Hash: 4a802f850d813818967ae28d51409867f28d8e0fd1ee6386c2d0d67a23cd9a17
Instruction Fuzzy Hash: FE2193317002059FE714EB68E85576E77F6EB88304F00852DD009D7785DEB9DD1587D1

Function 050B99A0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5446d94ceb5febc745f645b09b67a6cde6df019d9eda6e721d6b596ffc3d9ff5
Instruction ID: 95ecd5155395f7fd75e9a8f8b9c3b190c6fd5e956fdf5842d61f196e74d1cfe3
Opcode Fuzzy Hash: 5446d94ceb5febc745f645b09b67a6cde6df019d9eda6e721d6b596ffc3d9ff5
Instruction Fuzzy Hash: A9219571900615AFDB04DF58E8C4ABEBBB5FB44300F018929D606AB605D7B4F891CBC5

Function 050B1860 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5425989c1ac8087ac5bb85a7c3afa2df3cbf5964affdeaf089ee59b1a6858340
Instruction ID: 62312085276b53c9001bd72989c8122879f8df3cd33d5993b773ccf49ba184ce
Opcode Fuzzy Hash: 5425989c1ac8087ac5bb85a7c3afa2df3cbf5964affdeaf089ee59b1a6858340
Instruction Fuzzy Hash: EB118431F042459FEB61DF64A8A4BED7BF6FB89310F04455AE505DB381DAB4C941CBA0

Function 050B2590 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c4a08408c5a2a6d81bb869c7506dda951b9706ab9d7570b6c71b2f62bbc3c9e
Instruction ID: fac6ceeff6ca5d826b350c88c11fdb3239d7898055c34a5fa5cb1489baa4835b
Opcode Fuzzy Hash: 8c4a08408c5a2a6d81bb869c7506dda951b9706ab9d7570b6c71b2f62bbc3c9e
Instruction Fuzzy Hash: 92115B35B00206CFDB04DF69D894AAEBBB6EF89340F158165E9059F365DB70ED01CBA1

Function 050BAFC8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07cb7f3fded6602470fc4e4dbc5dfdbfc22126e962d863a224079ef1ba1336a4
Instruction ID: 10f8d978cceae29b012d0329c4643451c6a08a8a87592671d6fe016d49ceb3bc
Opcode Fuzzy Hash: 07cb7f3fded6602470fc4e4dbc5dfdbfc22126e962d863a224079ef1ba1336a4
Instruction Fuzzy Hash: 0A011B317501004BAB149E6AE8D8DBEB7ABEFD4625318803AE506CB325CE75DC15CB91

Function 050B15E1 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cda11097204ab026b1dfc31151e0cbf604609bf25c40b0d3b40699de3c9645e1
Instruction ID: 588228224f93c762e4ff99615b52c992ac706280d4d237e48d2291a7d7fc2807
Opcode Fuzzy Hash: cda11097204ab026b1dfc31151e0cbf604609bf25c40b0d3b40699de3c9645e1
Instruction Fuzzy Hash: 05216278A02219DFDB04CF58E5A4EADB7F2BF49704F144058E802AB361CB74AD41CF54

Function 050BFD7A Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0d4b394e0dd414ccf7b2722a27740773157a1daa82538b34edd3c04b31b7c9a
Instruction ID: c61057124456c7f9ccacdf2e92ab76e9e796c5042a6c2d2cf9b31c546d91f8de
Opcode Fuzzy Hash: f0d4b394e0dd414ccf7b2722a27740773157a1daa82538b34edd3c04b31b7c9a
Instruction Fuzzy Hash: 4611E3357006048FE724AB74E884BEE7BA3FBC9325F104939D1558B790CBB5D842C780

Function 050B1870 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f614e9777865e2430038ab5d388c01521b419f188cf7ad9cac49c2e7a9e1853
Instruction ID: bbfc1abfb76f72cd88237688df2acffc59047bca12868c801632ebf0d92d7013
Opcode Fuzzy Hash: 8f614e9777865e2430038ab5d388c01521b419f188cf7ad9cac49c2e7a9e1853
Instruction Fuzzy Hash: 25118235F002059FEB54DF699864BEE7BF2FB88710F10442AE906DB380DAB4C941CBA0

Function 050B2510 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a9959d2171e875592d6894343dd1a1f78d5dddd21818e1473f4e09937694c2
Instruction ID: d0474337428080490fb8d8e3e08eb2915b01a800e8387f273254b70b1817d9b0
Opcode Fuzzy Hash: b4a9959d2171e875592d6894343dd1a1f78d5dddd21818e1473f4e09937694c2
Instruction Fuzzy Hash: FB0128376082599FE794CAD8E040BEEBFE9FB40260F2480ABF484D7250D671EA80C760

Function 050B14C0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a3d76c01e0b8bc450111e1e4290aecec9d5ec5ee9904a9c38682c4aa9c9a803
Instruction ID: a1666eadf4ddde11a6da809ca7e097f923ea7e129627d8c5dfd53a2ec7e2d094
Opcode Fuzzy Hash: 6a3d76c01e0b8bc450111e1e4290aecec9d5ec5ee9904a9c38682c4aa9c9a803
Instruction Fuzzy Hash: F0012136340215AFDB108E59EC94FEA77A9FB88761F148066FA15CB290D6B1D9108760

Function 050B9A50 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7c945d65e7496c93047e465425b30954ec2a88a0bd035d5eebbfef967fc1628
Instruction ID: 8874e69d0848ec9d39c5ef1cbb199eff846d994b3020b6602dce2f136ac45c6d
Opcode Fuzzy Hash: c7c945d65e7496c93047e465425b30954ec2a88a0bd035d5eebbfef967fc1628
Instruction Fuzzy Hash: 63F078E770A2000BF7010D19BCD179EBB62EB92B14B8E88BEEA86C7341D444CC0286D2

Function 050C4F08 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388151753.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf827a7534308c2fc68b542c52b92b03a815c6acfcc8160e1d2ca8ad2bd820ba
Instruction ID: a98c465508a9eb2ce4caa327a383df13af30473c295699288d26d04818b5f610
Opcode Fuzzy Hash: bf827a7534308c2fc68b542c52b92b03a815c6acfcc8160e1d2ca8ad2bd820ba
Instruction Fuzzy Hash: 32018CB1909248AFDB45CF68E955BACBFF5FB0B302F2040DAE8059B361D2719E50CB10

Function 053EF590 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1389546875.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b05c347ec89d741ddaa62459ef66988f08631123d782cdfd382b140cd8807afc
Instruction ID: da099ee2faac8bd9d1701b6fc5bef4aa85a2bf12c98a4e6f912f5c6d8c79af7e
Opcode Fuzzy Hash: b05c347ec89d741ddaa62459ef66988f08631123d782cdfd382b140cd8807afc
Instruction Fuzzy Hash: B71109B0E00219DFDB44DFA9D845BAEBBF5FF88300F20806AD419B7350DA349A418B91

Function 050BFD88 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41402ff6d6b73f7af0c3655b583ccb2e1210c677ec0e6bd6fdaf23a93359bacd
Instruction ID: e528ffbbca8e77255c9aa0081764e48a48de4e456951139961787b489c447dbe
Opcode Fuzzy Hash: 41402ff6d6b73f7af0c3655b583ccb2e1210c677ec0e6bd6fdaf23a93359bacd
Instruction Fuzzy Hash: F8015E353006049FE714AB38E898ABE77A3FBC9314F20896CD5564B790CBB5E842DB90

Function 050BDC81 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15f2431bd635e8dcccaa42c35413fc073ac07270811f52a947a9dba8b6b7e8b6
Instruction ID: 935776d944f524be78903837ae5dfb10459232c95446bfe18950e4719fca2de9
Opcode Fuzzy Hash: 15f2431bd635e8dcccaa42c35413fc073ac07270811f52a947a9dba8b6b7e8b6
Instruction Fuzzy Hash: 4E018F35700610DFC308EB24E468E5AB7A2EBDCB11B108A28E90A8B350CF35EC52CB91

Function 050BA7B1 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0e02c376c718a9fbd3b67b225eb621dbcff70e64995dfebd08f5793764ca514
Instruction ID: bce3e2c184edbef4c2a22ec63b84af78a1c5e3c3081b30678cd9c5b46ae856aa
Opcode Fuzzy Hash: c0e02c376c718a9fbd3b67b225eb621dbcff70e64995dfebd08f5793764ca514
Instruction Fuzzy Hash: F1012134B50A19CFCB04EF64E49899DB7B1FF89701F008159E5029B364EB34A955CF91

Function 050B08E2 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 093fdd595c6b6f2640b06e4030d5c070560825cc945ebe550aec088fc20eab8e
Instruction ID: c7f6c2fe20498b97dce42999cbf1e53dbaf22eeb68bb3944f4d7b19bc9349a39
Opcode Fuzzy Hash: 093fdd595c6b6f2640b06e4030d5c070560825cc945ebe550aec088fc20eab8e
Instruction Fuzzy Hash: 7CF0C836B042156FF7048754F85479FB7A9EBC8720F144469D545D7354CAA2EC40C790

Function 050C7A50 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388151753.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c8cb10e2c18fc72b751588a9084221097a980e513e6931d9db4a57862a4ffa7
Instruction ID: da27f33c5710d674a99bed547ee2b966d13e36ed320efa75f1d524f7a2ffa8da
Opcode Fuzzy Hash: 6c8cb10e2c18fc72b751588a9084221097a980e513e6931d9db4a57862a4ffa7
Instruction Fuzzy Hash: 950104B0D0A2489FCB45DFB8D8446ADBFF0EB4A204F2081EED409E3291E7350A45CB51

Function 050B14B0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5833eb9b38f2522fa779b2d6193e675f71ac3db3e1d7eebb7ca28affa99c705
Instruction ID: 06ac999eb9cbffcb8077a7814c42cc5e815c0f04709ee2932f83d48b8c58f25b
Opcode Fuzzy Hash: d5833eb9b38f2522fa779b2d6193e675f71ac3db3e1d7eebb7ca28affa99c705
Instruction Fuzzy Hash: 62F0CD7A3006008FE7048F5AECA8E8E7BB9FB897A1B04406AE905C7321DAB0D810C660

Function 050BDC90 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 461988ee57756914459f6df6244e08b0383cc0afd8264fec29a725168fda4344
Instruction ID: 2d4dd295c5ef10f1dba72052b8419c5c5283605c12545380a28fef5e681be0cc
Opcode Fuzzy Hash: 461988ee57756914459f6df6244e08b0383cc0afd8264fec29a725168fda4344
Instruction Fuzzy Hash: C301A435300610DFC3089B24D468E5EB7A2EFCC7117148668E90A8B390CF75EC52CBD1

Function 050BA66B Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f5bb45dbfbbc1eeeb562e6b97cfd5927281f28adfd6510970627851bb3fc677
Instruction ID: 640509f01bd7ef45cc2d3d15e5d1eeff0cfdada05717a0b15bdc22f4090ca3cb
Opcode Fuzzy Hash: 4f5bb45dbfbbc1eeeb562e6b97cfd5927281f28adfd6510970627851bb3fc677
Instruction Fuzzy Hash: 1AF0BB377101146BDB149719EC99DFEB7AEFB88360B048026E915C7360EE70EC16C791

Function 050BCDF8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fb2637561787520a9d4251dc2b5597376755eac50cb2f5cf432a00fd9fbd3d0
Instruction ID: 8bac50cc9eff50d2dd736d5ab8fa0f17d16abef1d7d3ed6f9322b2a06ed731e0
Opcode Fuzzy Hash: 8fb2637561787520a9d4251dc2b5597376755eac50cb2f5cf432a00fd9fbd3d0
Instruction Fuzzy Hash: 14F012326003059BD724DF19D880F9AF7AAFFC4714F008A2EF55687661DAB5FD198BA0

Function 050B0948 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddd4f42f08104f762664e13a58baed5178ea7379f38478f4e13e3e4594b96296
Instruction ID: 84cee2ddd5abc5f3b7e71ee4259b2f8c8960ac0f7d0c395516db38a57dc41463
Opcode Fuzzy Hash: ddd4f42f08104f762664e13a58baed5178ea7379f38478f4e13e3e4594b96296
Instruction Fuzzy Hash: 9FF0F062F0E2915FF322423428743AEABA1DB86200F0944EBC0869F2A6DA96D802C351

Function 050B08F0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 717ad9b6aa98d475defd2436c7bb613e851b943a412c2745e989692a83eb50be
Instruction ID: ebad27228630729c74627e4877b4746359c2f9a57fee2d6fd97298c28d6aaf0d
Opcode Fuzzy Hash: 717ad9b6aa98d475defd2436c7bb613e851b943a412c2745e989692a83eb50be
Instruction Fuzzy Hash: AEF05932F042116FF3048614A864BAFF7E9EBCC720F04402AD5499B380CAB2EC418380

Function 050BA668 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c41d302d1e45a211abad829c8f5200efbe6c5c1ba356ec21705e6b94bdef3bd5
Instruction ID: 8d09f907a69c419c2c62d4297d63c15f6a6cf364bb993fb246de4e7fe7d65fba
Opcode Fuzzy Hash: c41d302d1e45a211abad829c8f5200efbe6c5c1ba356ec21705e6b94bdef3bd5
Instruction Fuzzy Hash: F3F0B4367501089FDB099B18E8989ADB7ABEB88360B048036E916CB360EF709C16C791

Function 050CFE18 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388151753.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bc61f555d2a6852991b1d9a7cb1da8984b4bb507be493bf0e05f3d4313a4a80
Instruction ID: 0550617f1acaf00cfa728ab9ee9c8d1a910985ab0b7d43d45c6fd9c3f0816414
Opcode Fuzzy Hash: 2bc61f555d2a6852991b1d9a7cb1da8984b4bb507be493bf0e05f3d4313a4a80
Instruction Fuzzy Hash: 2CF082313403169BE7645E74A814BAE7697AB86514F1045ADE5068B380DE75E800C345

Function 050C3D01 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388151753.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7554d619fc3be7ffe6f396cf58ef713767bb47b755803ed6cb9d4bc21719a281
Instruction ID: afc734f171b5c6cb2054be97984485b76dcd94cc652f9870fa85fbce90c59116
Opcode Fuzzy Hash: 7554d619fc3be7ffe6f396cf58ef713767bb47b755803ed6cb9d4bc21719a281
Instruction Fuzzy Hash: E1F0ECB290A68AEBE706AFF4E6001DD3BB0EF06200B1189D6C840AB151EF219E18D7C1

Function 050C1D03 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388151753.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f803ce92576e321752433b2ef4b1b03269d0de6a995aa13f092ba289b84a018e
Instruction ID: dfecdfc276912363bf3164d4fd3ca167a70b6c3015a6c5bf13dcd6246f1696db
Opcode Fuzzy Hash: f803ce92576e321752433b2ef4b1b03269d0de6a995aa13f092ba289b84a018e
Instruction Fuzzy Hash: B5011374A11128DFDB20AF14D88CBADBBB1FF86304F1401EAD94967255DBB55A80CF51

Function 050BDA08 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b0ab31cb908aad61003b53775343551a4713336aea9b23fea452e3ddd83d8cd
Instruction ID: f369f4424a469f324e5aac4b91f7c03066f04d9a91de5d1a9066b32ad6d94d4e
Opcode Fuzzy Hash: 9b0ab31cb908aad61003b53775343551a4713336aea9b23fea452e3ddd83d8cd
Instruction Fuzzy Hash: CBF06D3A3402008FD3099F14D4A4A797766FF98721B0544A9EA46CB3B0CB31DC12CB40

Function 050B2BA0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4410a4f47a6183cff30060fd66a075baff441d82ca8c8abd0ae3f6d1ca3d976a
Instruction ID: b3b65cf204d3abd6c03e40d0ad4d90b97319305f73fa9904847cf20e9f3ff0c1
Opcode Fuzzy Hash: 4410a4f47a6183cff30060fd66a075baff441d82ca8c8abd0ae3f6d1ca3d976a
Instruction Fuzzy Hash: F8F08936E04219AFD705DF94D898BDD7FF6EB44310F048069D405D7390DB785985C791

Function 050BDA18 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06b08a3ca4c8c2d9777c1c797cc6aa44b94a82e15fd9df1684601945c8632b4e
Instruction ID: c43d2442516bb3bef6a114f1f12ac01f1779eb3636e885e3e7964b8104d2667b
Opcode Fuzzy Hash: 06b08a3ca4c8c2d9777c1c797cc6aa44b94a82e15fd9df1684601945c8632b4e
Instruction Fuzzy Hash: A3F05E353402009FC304DB19D4A4D3A77AAFFC8721B104469F9068B370CA71EC42CB90

Function 050C31F8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388151753.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8462f1c9276e0ed4229511eb096db1a19f7e708fc866c6682e91d61d9b582116
Instruction ID: fa4f88292297d928a2a21edcc960d41d216fed1f2831d543c3225caa1bbaeb4b
Opcode Fuzzy Hash: 8462f1c9276e0ed4229511eb096db1a19f7e708fc866c6682e91d61d9b582116
Instruction Fuzzy Hash: 13F09070E09288AFCB85CFA8D844AADBFF5EB0A310F14C0DEE859D7252C2358A11DF00

Function 050B9AC0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb68548e960549c5468343aaab31ca69473f18a5e53e575f1d02ba79106b0745
Instruction ID: b25c1266eb60912054753e4e8f50936d84f761db4137f7a224790c902f9eea16
Opcode Fuzzy Hash: bb68548e960549c5468343aaab31ca69473f18a5e53e575f1d02ba79106b0745
Instruction Fuzzy Hash: D9E0E5726003055BC7109A16EC88E4BF79AEBD4210B04C53AE10987210EE74ED15C790

Function 050C3208 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388151753.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 813cf7d121d9d7d72f522f1647f395c590c6e6ae07c863f4a3bed0915400b5c6
Instruction ID: d88398477a21b710c1bffd1827c145091bd86079384f1ff317a0ad7b8dac685f
Opcode Fuzzy Hash: 813cf7d121d9d7d72f522f1647f395c590c6e6ae07c863f4a3bed0915400b5c6
Instruction Fuzzy Hash: D0F0F874D08248AFCB84DFA8E840AADBBF9AB4A210F14C49AA859D3241D6359A51DF50

Function 050C4F90 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388151753.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bb4a1206e5748261642f052f94d03c3b01aff0a77f5010f49f0e7dbdfa12aa8
Instruction ID: d6fa8574959a821c4e9c1d976ef7dac6e76cdcb0eb739f4f993927a617ebc4a4
Opcode Fuzzy Hash: 4bb4a1206e5748261642f052f94d03c3b01aff0a77f5010f49f0e7dbdfa12aa8
Instruction Fuzzy Hash: 5CE06DB1954208AFEB44DFA8D846B9CBBF4FB06702F2000E9EA04D7390E2309A40CB44

Function 050B9AD0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04c7dff2e0995dd2e147fb2343a8b1c609d64c4debdabc47b9593bcda34637c1
Instruction ID: 3867985777ab4cbeb788684db69aabb1902b35325c540ffe437e9f801083bc1e
Opcode Fuzzy Hash: 04c7dff2e0995dd2e147fb2343a8b1c609d64c4debdabc47b9593bcda34637c1
Instruction Fuzzy Hash: E9E04F317003055BD7149B2AFC88D4BF79AEFC4264710CA3AE10A87225EEB4ED5AC791

Function 050B4B08 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 043475c79f46d9d8a1efc2499b47aada6001dfcda478ffafb0296fa0f3d7f7d2
Instruction ID: 33f50943b7ac9af14222f3db4ae47742798add4c1545ea67e184bd948422de2c
Opcode Fuzzy Hash: 043475c79f46d9d8a1efc2499b47aada6001dfcda478ffafb0296fa0f3d7f7d2
Instruction Fuzzy Hash: 52E086303443145BFE54A9617855FEA72E7AB45650F200465E7065F381D9F3F801C359

Function 053ED968 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1389546875.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 591b9b20649bf398d60335ee688613be8fdd01a6be344ac8a830b132baf0b84d
Instruction ID: 3e69faced3979cb3e75e11808695a35d47be4a003b1d4708dcd64c67680725d2
Opcode Fuzzy Hash: 591b9b20649bf398d60335ee688613be8fdd01a6be344ac8a830b132baf0b84d
Instruction Fuzzy Hash: 2BE0C974D05208EFCB44DFA8D841A9CFBF5EB49300F10C5AAA80993350D6359A51DF44

Function 053EDF50 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1389546875.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 591b9b20649bf398d60335ee688613be8fdd01a6be344ac8a830b132baf0b84d
Instruction ID: 514f585200a94dfe676cd37adca1ba401df6e2c4e60a2cffc1670f62a1501af1
Opcode Fuzzy Hash: 591b9b20649bf398d60335ee688613be8fdd01a6be344ac8a830b132baf0b84d
Instruction Fuzzy Hash: 45E0C974D05208EFCB44DFA8D540A9DBBF5EB49300F10C4AA981993350D6759A52DF94

Function 053E5E18 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1389546875.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 591b9b20649bf398d60335ee688613be8fdd01a6be344ac8a830b132baf0b84d
Instruction ID: 592738d08fc4b71c0460bab14d44376f5d97fbbf5b1effa73bdb76e94d7a619a
Opcode Fuzzy Hash: 591b9b20649bf398d60335ee688613be8fdd01a6be344ac8a830b132baf0b84d
Instruction Fuzzy Hash: 8AE0C274E05208EFCB54DFA8D840AADBBF5EB99314F20C0AA9809A3350D735AA51DF84

Function 053EA650 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1389546875.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 591b9b20649bf398d60335ee688613be8fdd01a6be344ac8a830b132baf0b84d
Instruction ID: 18ff872acbfa409cca97bbb9631a6f0dccf14e7b1aeb77136ff136d9e50cbc19
Opcode Fuzzy Hash: 591b9b20649bf398d60335ee688613be8fdd01a6be344ac8a830b132baf0b84d
Instruction Fuzzy Hash: 15E0C974D05208EFCB44DFA8D444A9DBBF5EB4A300F10C0AA981993350D6759A51DF44

Function 050CF8F8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388151753.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a6be6ff67837f74ad006c3d5dfeacd495e6e93a00b0edc95cb7be557f0b23bd
Instruction ID: 8d0348323e775c21f67219f6ef5350bc093fda7a3727f8c22edd2790939932f7
Opcode Fuzzy Hash: 6a6be6ff67837f74ad006c3d5dfeacd495e6e93a00b0edc95cb7be557f0b23bd
Instruction Fuzzy Hash: 4FE0C274E05209AFCB84DFA8E4406ACBBF6EB49200F20C0EA980997340E6359A42CB41

Function 050C729B Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388151753.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8b70049eb7dbad3422b2d6e4237e8548ec3c0041fc842d7a51db5f3b6ffac66
Instruction ID: cf4ee4f1555f9f38e8a5dbd37688f662748041519a1d1dd628bd0f33d7253691
Opcode Fuzzy Hash: c8b70049eb7dbad3422b2d6e4237e8548ec3c0041fc842d7a51db5f3b6ffac66
Instruction Fuzzy Hash: 6DF0DA74A04614DFDB14CF58E584B9CBBF2FB8A301F10C49DD409A3265D7749981DF11

Function 053E9C28 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1389546875.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 882dffdbcf3e73ad5428764566d1a63e6d1eedb86d77278ea6a346d6ff4c86ab
Instruction ID: 40861bf0ebb2e8ea126bb6d00fa2d0e27f082816eb536ade047fcdc317afc61a
Opcode Fuzzy Hash: 882dffdbcf3e73ad5428764566d1a63e6d1eedb86d77278ea6a346d6ff4c86ab
Instruction Fuzzy Hash: DFE0E574E05208EFCB48EFA8D4416ACBBF9EB49300F20C1AAD809A3340D6359A42CF40

Function 053EBE00 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1389546875.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 882dffdbcf3e73ad5428764566d1a63e6d1eedb86d77278ea6a346d6ff4c86ab
Instruction ID: 7a041f06dccdee6a829670795c2b827c70e40d031a192fc1e88df570f3eac1bc
Opcode Fuzzy Hash: 882dffdbcf3e73ad5428764566d1a63e6d1eedb86d77278ea6a346d6ff4c86ab
Instruction Fuzzy Hash: FAE0E574E05208EFCB84DFA8E4406ACFBF5EB89300F20C0AA985993350D7359A51CF80

Function 050C2923 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388151753.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c94bd9005cb3de308247a5a109bf378ef23687cfbb71799bb89ba4124df0957
Instruction ID: a6cd73d4f7f1f80ad3ca601fd1482a693db695b67401331fbff966cc47535b5e
Opcode Fuzzy Hash: 6c94bd9005cb3de308247a5a109bf378ef23687cfbb71799bb89ba4124df0957
Instruction Fuzzy Hash: A9F07474955228DFEBA1DF18E894FDDBBF1BB0A340F1005D9E509A3280D7759A80CF01

Function 050CAC03 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388151753.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11cc82bd6097fa45fc30deb05ca1082ef7a99d2ec4483e33e2e1b85ab3d20266
Instruction ID: b22d74ca85684f85fedf9472cba41212309772370e0c54843a4fddcf384c84f9
Opcode Fuzzy Hash: 11cc82bd6097fa45fc30deb05ca1082ef7a99d2ec4483e33e2e1b85ab3d20266
Instruction Fuzzy Hash: 89F03A70A01258CFEBA0CF24E844B9DFBB0AF02342F1481EAC508A7241C7B49AC4CF56

Function 050CDC40 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388151753.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26f671fd16d4c92f82a60145a28537c3f260ed8420a20cb6e0053a3fd339279f
Instruction ID: 54a7d190cf9ea69af274e7a468bf0b06a6ac68b1cea98748d78cca9ce9b21ee2
Opcode Fuzzy Hash: 26f671fd16d4c92f82a60145a28537c3f260ed8420a20cb6e0053a3fd339279f
Instruction Fuzzy Hash: F3E01A70D05248EFCB44DFA8E48469DBBF5AB49304F10C4EDD81893300D7755A40DF80

Function 050C8B97 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388151753.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a0296264ff7edecd616e1053a157a6381b170b89612c5dc999165dd17d9a008
Instruction ID: cd85f6840b111a30a3a6c5683ff4e043f1773bea0177413f6942bdd6c0d709ac
Opcode Fuzzy Hash: 1a0296264ff7edecd616e1053a157a6381b170b89612c5dc999165dd17d9a008
Instruction Fuzzy Hash: 7FF05478902229CFEBA0DF65D958B9DBBF1BB05305F20C0DAD909A7241DB349A848F15

Function 050C4FA0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388151753.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5326768632644b0f0a5a41bb4d86433f0efe622c5d76c193f83849cde234f09
Instruction ID: 1671810d0f2e0c961a23af14d84f6f67166e8efaae6d104a47fc4411e8144297
Opcode Fuzzy Hash: b5326768632644b0f0a5a41bb4d86433f0efe622c5d76c193f83849cde234f09
Instruction Fuzzy Hash: 24E0B674915248DFCB84EFA8E495A9CBBF9FB0A701F6040EDE809D7361E7309A51CB91

Function 050CF2B8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388151753.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9392697437c57743f46265d3b9d924ac2148b0bd8b72221ebdae38776afb61da
Instruction ID: 08f2467ebc95691e62a4400edb4de19a9fed92b743ca1ca6e3fa1599e0f062b3
Opcode Fuzzy Hash: 9392697437c57743f46265d3b9d924ac2148b0bd8b72221ebdae38776afb61da
Instruction Fuzzy Hash: E6E0E674905248DFCB84DFACD54569CBBF5EB4A204F2080EDD809D3351D7319E51CB41

Function 050BC85D Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de56c0562fb05f34373382b59733d32c613bf7fd01f10616324ab37ff1b7b5f1
Instruction ID: 7cdbf6946c054ba54bd490dbb8cd897948df06c8dc1bab47978eefb88fc2e59e
Opcode Fuzzy Hash: de56c0562fb05f34373382b59733d32c613bf7fd01f10616324ab37ff1b7b5f1
Instruction Fuzzy Hash: E4E08C76B041499FDF10CF08E4A44EEBB71FB89361720806AED61C3312CB389D26DB80

Function 053E8BE0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1389546875.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2d14d53ad29c484ce2296b56aad13dd965fa1fab35c822eaa05480dc06d0245
Instruction ID: 9b9fd2c0f999789aa84d14fd5a17cf9aa5512d72a62451f2aaef9b16a906cfbe
Opcode Fuzzy Hash: e2d14d53ad29c484ce2296b56aad13dd965fa1fab35c822eaa05480dc06d0245
Instruction Fuzzy Hash: 31E01A74D09248EFCB04DF98D8406ACFBF5AB49204F24C0EAD81963381C6355A42DB44

Function 050C3D10 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388151753.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 935f3b127e88b291e153f6f4c32ee518705e6c1ea54a755ff26257889d2585ce
Instruction ID: 15710f836a2649cb3255d91833e0b0513c5c4427b31eb5e32a858eb97b61adaf
Opcode Fuzzy Hash: 935f3b127e88b291e153f6f4c32ee518705e6c1ea54a755ff26257889d2585ce
Instruction Fuzzy Hash: E0E012B194224CABEB01EFF899046DE77F9DB46204F1084E9D40597150EA315A14D795

Function 050C7066 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388151753.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c76dfb033e58b23f97c26a6d662c5d77aca408c6dde70517a60a463af0a205b
Instruction ID: 2f3a555ae8a4563c90c3300646b163cc42866278f3dfe213ecb76ff03399973a
Opcode Fuzzy Hash: 5c76dfb033e58b23f97c26a6d662c5d77aca408c6dde70517a60a463af0a205b
Instruction Fuzzy Hash: DDF09274E10218DFDB54CF59E484B9CBBF2EF46310F68C4A9E009A3221DB3499859F01

Function 050CDCE8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388151753.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84e33288bec61ccccd3151f44d410a4d8a723010ff07499a5b47a5146af0e705
Instruction ID: 59b0737235be32909764f36970a712e631f30b6cfeda45687049e5d8dcc40d1e
Opcode Fuzzy Hash: 84e33288bec61ccccd3151f44d410a4d8a723010ff07499a5b47a5146af0e705
Instruction Fuzzy Hash: 04E0EC71D06288EFCB44EFA8E54969CBFF5AB46201F2040ED980993350E7705A54DB45

Function 053EE558 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1389546875.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a68527da0ac7f0a0e7712d28977f267f07819a6fca7da9620fb719c02486934
Instruction ID: 61005e188dc0d6d2fe9a04ecb5b69b574942db6672c7abcaceb06101a45cbd68
Opcode Fuzzy Hash: 0a68527da0ac7f0a0e7712d28977f267f07819a6fca7da9620fb719c02486934
Instruction Fuzzy Hash: 50E01274D09208EBCB04DF98E9419ACBBBDEB46304F2081DDD80917391DB719E52EB85

Function 050CA978 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388151753.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a38ad60f619bcfddc4ef6656858d81b4a9fe22bdf7d30255eeb348fb67e3c44
Instruction ID: eadf6160e1f153b0a280252f6b63e93b8e54970432f2fcf0f4982a3ffac2d665
Opcode Fuzzy Hash: 2a38ad60f619bcfddc4ef6656858d81b4a9fe22bdf7d30255eeb348fb67e3c44
Instruction Fuzzy Hash: D4F0FAB4D012288FCBA4CF29D8957DCBBB1BB49315F1080EAD949A3250DA341E91CF49

Function 050BB537 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d894cc71ccabb6760ae37f927d1b54c7b4e40bd36c52e6c4d5d43fc448b4046e
Instruction ID: 02cd3fae8402549981f2eae7c4ed7be3c0097c79abe8146ba46310956e8cebb9
Opcode Fuzzy Hash: d894cc71ccabb6760ae37f927d1b54c7b4e40bd36c52e6c4d5d43fc448b4046e
Instruction Fuzzy Hash: 2AD05E31B046124BEB15DB19F98179B33E3EB88600F004664E809C7314FA28ED074B85

Function 050CC62F Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388151753.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a298c29fcd30bc10d3afdfe3f241aba4ac071438fdc5246e37aec8fd93c399b8
Instruction ID: 433a760903112ef80bbed6c9c1bee0fea29313ea41e31361bf0f1d225290c2a4
Opcode Fuzzy Hash: a298c29fcd30bc10d3afdfe3f241aba4ac071438fdc5246e37aec8fd93c399b8
Instruction Fuzzy Hash: 00E0B6B494521ACBEBA0CF20D888B9DBBB1BB02306F1082EAC10963151C7745E84CF56

Function 050B1840 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 797906982d6795e2a477027a8d13da6482f2159ba8e716e77d62c59ecdeb740c
Instruction ID: e99f6ba7f1a53d2e7a6ab599e0f730b4d2a624ed75b99917b285879b27a6c07c
Opcode Fuzzy Hash: 797906982d6795e2a477027a8d13da6482f2159ba8e716e77d62c59ecdeb740c
Instruction Fuzzy Hash: FDC012B1C4C3D55FCB17475059645407FB5FB1326470641C2D040C9057D2AC4982C762

Function 050BF8F8 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eecd8c2afc85ddc8a82f0c7916f72c06d10516eae12570963dd4930b3af7436e
Instruction ID: 06232d482c153e1ea609c532f8a79028457489bcfecdd4c40cb42eca0778d3a2
Opcode Fuzzy Hash: eecd8c2afc85ddc8a82f0c7916f72c06d10516eae12570963dd4930b3af7436e
Instruction Fuzzy Hash: F5C080B60643844FE746DE3D90006913F149F3572031545D1F1D186492CA25C42CC615

Function 050CBCDF Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388151753.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e637c1f1ed85dce4c167fefbe59481a482a7d4c21d67cbd490f7ea688d764e9
Instruction ID: 43c7dc56823bccc2d6e5adbaffca5b81cf702be2d287e040e39af66198adb66c
Opcode Fuzzy Hash: 9e637c1f1ed85dce4c167fefbe59481a482a7d4c21d67cbd490f7ea688d764e9
Instruction Fuzzy Hash: 2BD0C9B494031ACFDB90DF20D888B9DB7B1FB45302F0086EA8009A3111CB345EC4CF55

Function 050C7A01 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388151753.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de3959949f9e0a315f02e6ad5d06f2f687c2970bc12b9f7ca7fc6660a70cce4d
Instruction ID: ae4d92e59e459269f86ed9a3387df8c924e6cc32738454eefe39ac7b41f8472c
Opcode Fuzzy Hash: de3959949f9e0a315f02e6ad5d06f2f687c2970bc12b9f7ca7fc6660a70cce4d
Instruction Fuzzy Hash: 0DC00276E1001A9ACB00DAD9E4408DCF775EB94321B008036D614A6204D63115268B50

Function 050BD9EF Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3beca8c067ad047d826b3d42ba241905e7ab1b38d5ef8f73e0b7d96335fa8424
Instruction ID: 12969de6eb55ec39618da62b2ade2694096f2eb615d35948cb1460481cc890cd
Opcode Fuzzy Hash: 3beca8c067ad047d826b3d42ba241905e7ab1b38d5ef8f73e0b7d96335fa8424
Instruction Fuzzy Hash: 3EC0487A140108AF87009F64E488C84BBB4EB1966171180A1FA088B232C632D961DA80

Function 050BD9F0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction ID: a5ced1602b898661de329531365079a034e3d75a808f59c5ffcbefa728424f66
Opcode Fuzzy Hash: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction Fuzzy Hash: 58C0927A140208EFC700DF69E848C85BBB8EF1977171180A1FA088B332C732EC60DA94

Function 050BB520 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a68f48ab97cdc8b39fe71ce214d388c47fcc05c85df1bd963036eda9581642
Instruction ID: 2620a247ffd9985413c8e7ac808c9c4faecac200c33a2b59844ff612bd20e2a8
Opcode Fuzzy Hash: e9a68f48ab97cdc8b39fe71ce214d388c47fcc05c85df1bd963036eda9581642
Instruction Fuzzy Hash: 02B00277D0012047E711DF50EDD67CD3364FB70744F845155C45052720D75DD5119B50

Function 050B474A Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c33d9d9d45eb6bc90117f376f458b370591ab54a103b2c7c97cf24fe2a0de523
Instruction ID: c15ee227a1ea5afd1d68904298d3bd3f218a43acf16d7f29b31a7e37f17d7c6a
Opcode Fuzzy Hash: c33d9d9d45eb6bc90117f376f458b370591ab54a103b2c7c97cf24fe2a0de523
Instruction Fuzzy Hash: 59B01273C00000DFCB01DB10D91A80DB761EBE0F01708C424B0848231CD7B6ED30DB00

Non-executed Functions

Function 05257310 Relevance: 7.7, Strings: 6, Instructions: 223COMMON

Download Yara Rule

Strings

hm}, xrefs: 052573E7
hm}, xrefs: 0525747D
hm}, xrefs: 0525761A
hm}, xrefs: 05257513
hm}, xrefs: 0525755D
hm}, xrefs: 05257531

Memory Dump Source

Source File: 00000000.00000002.1389133384.0000000005250000.00000040.00000800.00020000.00000000.sdmp, Offset: 05250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5250000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID: hm}$hm}$hm}$hm}$hm}$hm}
API String ID: 0-2865380681
Opcode ID: ca334b1edcef6bbabcb3c2cabbea1e5f640edee7231d1477e97304b3eef17d48
Instruction ID: 77079ad9b838ea8c046a20a58e090849bb35944a99e146426cb9c68c01984db6
Opcode Fuzzy Hash: ca334b1edcef6bbabcb3c2cabbea1e5f640edee7231d1477e97304b3eef17d48
Instruction Fuzzy Hash: 66914474A64208CFDB14DFA9D444BADBBF6FF89310F24906AE809A7345DB789945CF10

Function 05257300 Relevance: 7.7, Strings: 6, Instructions: 219COMMON

Download Yara Rule

Strings

hm}, xrefs: 052573E7
hm}, xrefs: 0525747D
hm}, xrefs: 0525761A
hm}, xrefs: 05257513
hm}, xrefs: 0525755D
hm}, xrefs: 05257531

Memory Dump Source

Source File: 00000000.00000002.1389133384.0000000005250000.00000040.00000800.00020000.00000000.sdmp, Offset: 05250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5250000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID: hm}$hm}$hm}$hm}$hm}$hm}
API String ID: 0-2865380681
Opcode ID: ac89a16c003f1513f6e99db3045bd698c5ba241a1d2f4bf775260ca25f7d74b9
Instruction ID: 385dd7be32e0fe3d380d1fb2e77ac79a6400dbb8fde35e5bf0bc7190c6f015ed
Opcode Fuzzy Hash: ac89a16c003f1513f6e99db3045bd698c5ba241a1d2f4bf775260ca25f7d74b9
Instruction Fuzzy Hash: C8912474A64208CFDB18DFA9D444BADBBF2FF89310F14906AD809A7345DB789985CF10

Function 050C0040 Relevance: 6.4, Strings: 5, Instructions: 170COMMON

Download Yara Rule

Strings

R, xrefs: 050C283F
hm}, xrefs: 050C200C
hm}, xrefs: 050C04C3
hm}, xrefs: 050C0457
7, xrefs: 050C286B

Memory Dump Source

Source File: 00000000.00000002.1388151753.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID: 7$R$hm}$hm}$hm}
API String ID: 0-243271715
Opcode ID: 7f968b4f9b69526fd2390fa931b83c371310a91bda54d18793bc0b6acab8352d
Instruction ID: c9fc0b7b726fa455e9d9398234299d09641fdaa6df8badb8c0e2db8c2faf187b
Opcode Fuzzy Hash: 7f968b4f9b69526fd2390fa931b83c371310a91bda54d18793bc0b6acab8352d
Instruction Fuzzy Hash: E181D970E05628CBDB69DF5AD844A9EFBF6BF89300F14C1E9D908A7254D7345A81CF50

Function 053C0620 Relevance: 5.3, Strings: 4, Instructions: 300COMMON

Download Yara Rule

Strings

hm}, xrefs: 053C090E
hm}, xrefs: 053C082F
hm}, xrefs: 053C06F1
hm}, xrefs: 053C09A8

Memory Dump Source

Source File: 00000000.00000002.1389455470.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID: hm}$hm}$hm}$hm}
API String ID: 0-2943400445
Opcode ID: a1b99f47b6df9bbd47dfab7c9b69861c8fd6a29b40d1d702e27bc7b9d99bb0c8
Instruction ID: ecdd3f7c0e6eb7cf3c3833cc9ec35c8b2008ad3b2437ef0b2c6fa36f1e246b93
Opcode Fuzzy Hash: a1b99f47b6df9bbd47dfab7c9b69861c8fd6a29b40d1d702e27bc7b9d99bb0c8
Instruction Fuzzy Hash: C9D10674E04258CFEB18DFA5D848BADBBF2FB89300F1080A9D419AB295DB749D85CF50

Function 053C0610 Relevance: 5.3, Strings: 4, Instructions: 299COMMON

Download Yara Rule

Strings

hm}, xrefs: 053C090E
hm}, xrefs: 053C082F
hm}, xrefs: 053C06F1
hm}, xrefs: 053C09A8

Memory Dump Source

Source File: 00000000.00000002.1389455470.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID: hm}$hm}$hm}$hm}
API String ID: 0-2943400445
Opcode ID: d94db60e67bf2612cf6dcfab0c1a383338bd84347eda0026e897fb239ced2ff2
Instruction ID: af6135152bbc08388b58d3955ee6017812b0af173c9bd79250651ad863a03a15
Opcode Fuzzy Hash: d94db60e67bf2612cf6dcfab0c1a383338bd84347eda0026e897fb239ced2ff2
Instruction Fuzzy Hash: 09D1F874E04258CFEB58DFA5D848BADBBF2FB89304F1080A9D419AB294DB749D85CF50

Function 04D7F490 Relevance: 2.8, Strings: 2, Instructions: 254COMMON

Download Yara Rule

Strings

hm}, xrefs: 04D7F6F6
hm}, xrefs: 04D7F5FC

Memory Dump Source

Source File: 00000000.00000002.1386533381.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d70000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID: hm}$hm}
API String ID: 0-124673948
Opcode ID: 508c113cb76ad74e9bc8021ea01c40e1dfdf67f16dcb244c3bdbd485b8bef5e3
Instruction ID: dac556384a005cff09dbe7c0bdb0abe4bc57e694548754f85a0014d1260bea15
Opcode Fuzzy Hash: 508c113cb76ad74e9bc8021ea01c40e1dfdf67f16dcb244c3bdbd485b8bef5e3
Instruction Fuzzy Hash: 22B1EA74E04618CFEB24DFA9D884B9DB7F2FB89304F20816AD449A7355E738A985CF14

Function 050C6468 Relevance: 1.7, Strings: 1, Instructions: 431COMMON

Download Yara Rule

Strings

A9D, xrefs: 050C671F

Memory Dump Source

Source File: 00000000.00000002.1388151753.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID: A9D
API String ID: 0-624094898
Opcode ID: 0767feb0378a50957a6dc497f6cb5e6e2fc612828ea1fdb0985b34257eb0103e
Instruction ID: a8e137e150557da925887c96a38eb4cd77eb39dbd4a42c4334029f88deeb6d4c
Opcode Fuzzy Hash: 0767feb0378a50957a6dc497f6cb5e6e2fc612828ea1fdb0985b34257eb0103e
Instruction Fuzzy Hash: C012C170E046188FDB18CFAED98069EFBF2BF89304F24C569D459AB219D734A946CF50

Function 053EE598 Relevance: 1.4, Strings: 1, Instructions: 198COMMON

Download Yara Rule

Strings

hm}, xrefs: 053EE747

Memory Dump Source

Source File: 00000000.00000002.1389546875.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID: hm}
API String ID: 0-1197628385
Opcode ID: 37ccae3e36adf9c52470471292a7bb2901262eedb42a45075036dceae3845868
Instruction ID: 9f30c1eaf9a78367aae570cd13d1145d7a06f67b1d4f9fb6a12a88fda15edea3
Opcode Fuzzy Hash: 37ccae3e36adf9c52470471292a7bb2901262eedb42a45075036dceae3845868
Instruction Fuzzy Hash: E381FA70E05228CFEB24DF65C844BADBBFAFF4A304F10846AD409A7691EB749985DF11

Function 00A7106F Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

xu}, xrefs: 00A7107C

Memory Dump Source

Source File: 00000000.00000002.1373518193.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID: xu}
API String ID: 0-3646906568
Opcode ID: e51f84c67cb6c670fc4236cf492e0b0cd0b13edaa678624fb56bd03330c930e7
Instruction ID: 7c7d5f2d1dda657078d23ca352f275d443d22611fbb48a779fb53863cfd53078
Opcode Fuzzy Hash: e51f84c67cb6c670fc4236cf492e0b0cd0b13edaa678624fb56bd03330c930e7
Instruction Fuzzy Hash: E241FEB4D043489FDB14CFAAD885A9EBFF1BB4A310F20D06AE819AB251D7749885CF45

Function 00A7107C Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

xu}, xrefs: 00A7107C

Memory Dump Source

Source File: 00000000.00000002.1373518193.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID: xu}
API String ID: 0-3646906568
Opcode ID: 91346d31cdfb54dba67181a9160271b659e34fd66a386a949fa5dac702121c03
Instruction ID: 761c249a0db3e4feada20ce6bd06f3851657a1b7436961dd284e5321d26abbb7
Opcode Fuzzy Hash: 91346d31cdfb54dba67181a9160271b659e34fd66a386a949fa5dac702121c03
Instruction Fuzzy Hash: 3541CCB4D043589FDB14CFAAD885A9EBFF1BB49300F24D06AE819BB250D7749885CF85

Function 04D70350 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

t}, xrefs: 04D7035C

Memory Dump Source

Source File: 00000000.00000002.1386533381.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d70000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID: t}
API String ID: 0-608084876
Opcode ID: 81c71c1e7642ac358c7428e24efe66c03d256d8cb96b674e7e162526509b1365
Instruction ID: c49cec090f09dd502e14928d71dce5b013fb2dcafb5229c20837c5992edeaa95
Opcode Fuzzy Hash: 81c71c1e7642ac358c7428e24efe66c03d256d8cb96b674e7e162526509b1365
Instruction Fuzzy Hash: D731D2B1D016188BEB69CF6BC94579AFBF3AFC5304F14C1A9D40C67264EB7419458F40

Function 05250FB0 Relevance: .4, Instructions: 412COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1389133384.0000000005250000.00000040.00000800.00020000.00000000.sdmp, Offset: 05250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5250000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b560f943e8218bdd88b1ffe4545aec5fdcf2893a209e4455e730594c5c579c54
Instruction ID: 203baf34c5239b067a560e8e2654d1eb6b1bf008f08a964fef5c364699089192
Opcode Fuzzy Hash: b560f943e8218bdd88b1ffe4545aec5fdcf2893a209e4455e730594c5c579c54
Instruction Fuzzy Hash: E002E570D10269CFEB24CFA8C881BDDBBB1BF49310F1481AAD849B7250EB749A95CF55

Function 05250A60 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1389133384.0000000005250000.00000040.00000800.00020000.00000000.sdmp, Offset: 05250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5250000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86448bfce6594a9396be9e6b366be92d5800a6526cafb624252cd1c0a6c96ea3
Instruction ID: 1d537ba2189b3c1bfe7573b69159fab67f007c69fbeb34eb804ed5d37dddbb20
Opcode Fuzzy Hash: 86448bfce6594a9396be9e6b366be92d5800a6526cafb624252cd1c0a6c96ea3
Instruction Fuzzy Hash: B9E1E370D10259CFEB20CFA9CC84BDDBBB1BF49314F1085AAE809A7250EB749A85CF55

Function 050B42B8 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388060308.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02397daad38583f655fb334008498252626eaa605e0c11337ce7d0df229907ca
Instruction ID: 3b4d29c9b6269de527539f4201845bdaa4f9f1546d0ad045b67411d6089b403d
Opcode Fuzzy Hash: 02397daad38583f655fb334008498252626eaa605e0c11337ce7d0df229907ca
Instruction Fuzzy Hash: 73D11734A006048FEB14CF69D584AAEB7F3BF88310F25C599E815AB362DB74ED81CB51

Function 04D73854 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1386533381.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d70000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 537333640eb7623640a487cacd7fa3b200ceaf33aa3ea2542247137b05241690
Instruction ID: d910886f6a8c866b726603042a0f7dbc83487ee9f68f34e469da2a80a76811a3
Opcode Fuzzy Hash: 537333640eb7623640a487cacd7fa3b200ceaf33aa3ea2542247137b05241690
Instruction Fuzzy Hash: 8831377351A2815FE747563889D96C9BBA2CBA2150B67C2B1CC9487C23E92E324FF301

Function 00A71673 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1373518193.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21596eba435513be6a7b7da464093a2fdbc4278d5f4a6746a43444cefab00762
Instruction ID: 8d00e4dc9f548587a9aae086f58374508c3b904158db355ba2385177adc248b5
Opcode Fuzzy Hash: 21596eba435513be6a7b7da464093a2fdbc4278d5f4a6746a43444cefab00762
Instruction Fuzzy Hash: 9E513A71D016588BEB6CCF6B8D446CAFAF3AFC9300F14C1FA990CA6264DB740A858E50

Function 04D702E0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1386533381.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d70000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 262dcf2e6cffcc425158376d7102965833004fc0635cd2377b47220947c7f18e
Instruction ID: 8913ad1eda6f7e1226a006ceb623fc4e20ce5597db1c317e30f2545220dd8743
Opcode Fuzzy Hash: 262dcf2e6cffcc425158376d7102965833004fc0635cd2377b47220947c7f18e
Instruction Fuzzy Hash: 9931E9B1D016188BEB19CF6BD84578DFBF2AFC9304F14C1AAC50CA6265EB7419858F15

Function 04D70360 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1386533381.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d70000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f2790c597a24de268bb622c3b389a51b8808c5ce6dce3005b07ef991a414db8
Instruction ID: a0c657ea13353c3417edeb3dfc8ba1bd2e7b33f9441a37cafa138db5ab2f118a
Opcode Fuzzy Hash: 9f2790c597a24de268bb622c3b389a51b8808c5ce6dce3005b07ef991a414db8
Instruction Fuzzy Hash: D5317AB1D056188BEB68CF6BC949799FAF6BFC9304F14C1A9D40CA6255EB741A85CF00

Function 053D0006 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1389546875.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 004a3b6978a491c4826ffe75e78fdfb5de05a5bab499b89572682b1334dd3798
Instruction ID: a06dfb97fd3c0ef1b8d03dca70a746b1543aef0ea788e12379cb918ca7bf2c46
Opcode Fuzzy Hash: 004a3b6978a491c4826ffe75e78fdfb5de05a5bab499b89572682b1334dd3798
Instruction Fuzzy Hash: F1310CB1D097548BE729CF2B8C5878ABBF7AF85300F05C4EAC44CA6265EB340986CF11

Function 053D0040 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1389546875.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1d6c7ac7383546bedff5e89f87c3ca0d7b6aca76fe28f0c6b447cba48bbc03a
Instruction ID: fc61f546ea3590de63c92579f9d39ea062a8b984650c9495a9dd275d73396a3a
Opcode Fuzzy Hash: c1d6c7ac7383546bedff5e89f87c3ca0d7b6aca76fe28f0c6b447cba48bbc03a
Instruction Fuzzy Hash: B731A975D056298BEB68CF2ADC48799FBF7AB88300F04C0EA940CA6255EB705A858F11

Function 050C0039 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1388151753.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82c139b472d65390d501bf7500d90a4cf3f9a7bab362f8dce2c1bfcc3db460be
Instruction ID: 847ec31f4de741302e4f523cd296e76e8d09da9854be33ce705dbee0077d0a89
Opcode Fuzzy Hash: 82c139b472d65390d501bf7500d90a4cf3f9a7bab362f8dce2c1bfcc3db460be
Instruction Fuzzy Hash: D9219B71E156588BEB1DCF5B9C5069EFAFBAFC9200F04D1FAD40CA6254DB740A828F04

Function 053C8F70 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1389455470.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 594aba9b63349a4029e90c1006c11cd3b988450b6f80eb6b59600c171cabfb39
Instruction ID: bd4ce626703e495932b3dcc10490bece0896ae41ca18806be3768c772963b627
Opcode Fuzzy Hash: 594aba9b63349a4029e90c1006c11cd3b988450b6f80eb6b59600c171cabfb39
Instruction Fuzzy Hash: 2F2102B5C042189FDB14CFA9D880AEEFFF1BB49310F14906AE80577200C7756941CFA4

Function 053C8F78 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1389455470.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53c0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a782f02f1eb02f39cca76abf4fdd787e8406b51f9cd610d79f884ffdee20d858
Instruction ID: 9a92959b608f1885ac885577c0768fd68486210c56996a6f46b0c4ddf60a8f53
Opcode Fuzzy Hash: a782f02f1eb02f39cca76abf4fdd787e8406b51f9cd610d79f884ffdee20d858
Instruction Fuzzy Hash: 4721FEB5C142189FDB14CFAAD880AEEFBF4FB49310F14906AE805B7200C776A901CFA4

Function 04D7C080 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1386533381.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d70000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3e1947ed21f7323531ffce3c0ef8f2522084069463f7116c8771e4275e17983
Instruction ID: 9e590fd436012bc6f7b0205207d25790c56e7a5b33263728d117daa9e012e60e
Opcode Fuzzy Hash: a3e1947ed21f7323531ffce3c0ef8f2522084069463f7116c8771e4275e17983
Instruction Fuzzy Hash: 5D21CC71E10A548BDB2DCF6BCC442DDBBF7AFC9740F14C0BAD80966224EA3419458E44

Function 04D7C090 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1386533381.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d70000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fd7020179b5b18dc74b201ad2c4ae51a3673f4c2e5372787db8992f1c8dd1ef
Instruction ID: 8810fb3099ad4c5dd60cea660ecf028d0a1ae88ca02caa53d44553dc24f4e14f
Opcode Fuzzy Hash: 2fd7020179b5b18dc74b201ad2c4ae51a3673f4c2e5372787db8992f1c8dd1ef
Instruction Fuzzy Hash: 76219871E056588BDB18CF6BDC446DDB6F7AFC9300F14C0BAD909AA214EA345A858F54

Function 053D1396 Relevance: 7.6, Strings: 6, Instructions: 116COMMON

Download Yara Rule

Strings

hm}, xrefs: 053D5AA3
hm}, xrefs: 053DDB4C
hm}, xrefs: 053D1396
D, xrefs: 053D5AF9
hm}, xrefs: 053D5A76
hm}, xrefs: 053D5A24

Memory Dump Source

Source File: 00000000.00000002.1389546875.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID: D$hm}$hm}$hm}$hm}$hm}
API String ID: 0-1223120656
Opcode ID: 995db232918e974c039b6b42d6532a4b34f4e1cebb821502242d02076b68ccb5
Instruction ID: 1337707cde8636626c80a99c7212a338cbffe992a1d19a7367e948848cf255cc
Opcode Fuzzy Hash: 995db232918e974c039b6b42d6532a4b34f4e1cebb821502242d02076b68ccb5
Instruction Fuzzy Hash: 8D51B474A05229CFDB24DF58E988BD9B7B2FB44304F1081EAD549A7284DB74AEC4CF61

Function 053D31EA Relevance: 5.1, Strings: 4, Instructions: 83COMMON

Download Yara Rule

Strings

O, xrefs: 053DF0E9
hm}, xrefs: 053E3233
hm}, xrefs: 053E31F8
hm}, xrefs: 053E31B7

Memory Dump Source

Source File: 00000000.00000002.1389546875.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID: O$hm}$hm}$hm}
API String ID: 0-2791494378
Opcode ID: b6468e9a39d78cca761a932ec2408a1928f5724164e1d0b8fbbf23ef11537eec
Instruction ID: eb39182280f1d0e93b96d27ae02084eac94e59bf45a3b870d7046fc2bffba775
Opcode Fuzzy Hash: b6468e9a39d78cca761a932ec2408a1928f5724164e1d0b8fbbf23ef11537eec
Instruction Fuzzy Hash: AC41A6B4A04228DFDB64EF24E888BA8B7B1FB48704F1045EAD419A7744DB349F85CF11

Function 053D1EA9 Relevance: 5.1, Strings: 4, Instructions: 68COMMON

Download Yara Rule

Strings

hm}, xrefs: 053D2BD0
hm}, xrefs: 053D2B76
hm}, xrefs: 053D1EA9
7, xrefs: 053D1F30

Memory Dump Source

Source File: 00000000.00000002.1389546875.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_8qQwTWK3jx.jbxd

Similarity

API ID:
String ID: 7$hm}$hm}$hm}
API String ID: 0-1184201987
Opcode ID: 8b90e145721a57abe5c730f155d281d6d9f404a166be1207fb642c698efe3a8e
Instruction ID: 6305b34a5ccc0c13120cf842a5474f3dfeedd28e5b26c05e8179eee5008450c2
Opcode Fuzzy Hash: 8b90e145721a57abe5c730f155d281d6d9f404a166be1207fb642c698efe3a8e
Instruction Fuzzy Hash: 5331C774A04128CFEB64EF64D848BA9B7F2FB89308F1480EA944DA7244DB755E84CF51

Analysis Process: InstallUtil.exePID: 7928, Parent PID: 3504COMMON

Executed Functions

Function 00B12E81 Relevance: 1.5, Strings: 1, Instructions: 233COMMON

Download Yara Rule

Strings

]t^, xrefs: 00B12FF4

Memory Dump Source

Source File: 00000002.00000002.2611422754.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b10000_InstallUtil.jbxd

Similarity

API ID:
String ID: ]t^
API String ID: 0-1554359536
Opcode ID: 9d69ce9f321fda8e7c81ca928537c866575cf8aa541a4108537ecf84f6952278
Instruction ID: d3435d8fe20283d441e98495dcf95e3e899c8689ecd4e59291ef9e10ac10ab5b
Opcode Fuzzy Hash: 9d69ce9f321fda8e7c81ca928537c866575cf8aa541a4108537ecf84f6952278
Instruction Fuzzy Hash: 64915C35B00104CFEB44DF64D898BAA77F3FB88710FA580A5E406AB3A5DB709D96CB40

Function 00B13234 Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

]t^, xrefs: 00B12FF4

Memory Dump Source

Source File: 00000002.00000002.2611422754.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b10000_InstallUtil.jbxd

Similarity

API ID:
String ID: ]t^
API String ID: 0-1554359536
Opcode ID: 811fe5e34b540d0421090e6d947efd2424a9d8be81c9e5b09852a0b8e1ad9bd2
Instruction ID: 7928bd288304ea4116736f5297ca0efab7b5a35608305a9a595593ae3d1cdbf2
Opcode Fuzzy Hash: 811fe5e34b540d0421090e6d947efd2424a9d8be81c9e5b09852a0b8e1ad9bd2
Instruction Fuzzy Hash: 91914935B00105CFEB44DF68D898BA977F3FB88710FA581A5E006AB3A5DB319D96CB40

Function 00B16D30 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2611422754.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b10000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5022b7a5a8046c5fbef6905ecdf289a578340ea43e1775dcfaeaf34e23d661c4
Instruction ID: f79a3b9398470885b130cb7c45b87d82e5b60ce632d6172340f9b63e212b2929
Opcode Fuzzy Hash: 5022b7a5a8046c5fbef6905ecdf289a578340ea43e1775dcfaeaf34e23d661c4
Instruction Fuzzy Hash: A1C18071E442298FDB15CBA8C9846EDF7F1FB88300FA486A9D455E7242D734ED86CB90

Function 00B14468 Relevance: .4, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2611422754.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b10000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da83b4ba2da3c52e2a185e5fa0193a05d5f2ff2004bbb6835c808053193ae88b
Instruction ID: d8cf2e69039578ecb285a10e27002bf726a80a575fb678a045b76b235e208a39
Opcode Fuzzy Hash: da83b4ba2da3c52e2a185e5fa0193a05d5f2ff2004bbb6835c808053193ae88b
Instruction Fuzzy Hash: 47E10F75604A508FD711DF38D865ADABBF2BF89304B6581ADD405AF3A3DB31AC42CB90

Function 00B14459 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2611422754.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b10000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c3795847651c1473a3fb7defcacf9c6b2838da30326309783674605fe231d8
Instruction ID: afdd611744cc1738d9c390c778bddc41c684436f579a5c55864d157aa32af5e5
Opcode Fuzzy Hash: c8c3795847651c1473a3fb7defcacf9c6b2838da30326309783674605fe231d8
Instruction Fuzzy Hash: FD7139786006108FCB14EF29D584999BBF2FF89714B5681A8E416AF3B6DB30EC45CF90

Function 00B11960 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2611422754.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b10000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0c14d1baa0688396b4ff9bd3c57597d888e87775d5854077df7983ca21b1cf4
Instruction ID: d8d2413db956c557776fbd67b0c9dd1e1f654d8eccb4ee6b69d36b06f32c6e67
Opcode Fuzzy Hash: e0c14d1baa0688396b4ff9bd3c57597d888e87775d5854077df7983ca21b1cf4
Instruction Fuzzy Hash: 6B517D34B00204CFDB00DB68D8A4BEA77F2EB88350F6488A9D216DB365DB719D86CB51

Function 00B11970 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2611422754.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b10000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afd6286b82725c2fbda42e8e8f66c76b71db620f3a97b96b929ff0e956b01759
Instruction ID: afea3c9601dd1347dc8bd1cb00bed823b2ab2a884e78191cf218fab01a68ec7f
Opcode Fuzzy Hash: afd6286b82725c2fbda42e8e8f66c76b71db620f3a97b96b929ff0e956b01759
Instruction Fuzzy Hash: 82418D34B00204CFDB00DF68D9A4BAA77F2EB88350FA488A5D216DB365DB71DD86DB51

Function 00A6D3B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2611075365.0000000000A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a6d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52428a0abec906caba4cd15a5c6664ec30f1452c0e851e26d9d4f595e5af95d3
Instruction ID: 13fd41c09ccca768c5c9930b170b3a8be3f9fc84582ad32c21949ed4067d554d
Opcode Fuzzy Hash: 52428a0abec906caba4cd15a5c6664ec30f1452c0e851e26d9d4f595e5af95d3
Instruction Fuzzy Hash: 9F210371A04340DFDB05DF10D8C4B26BB75FB98354F24C569E8094B286C736E856CAA2

Function 00B117F8 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2611422754.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b10000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60eb08f47709c404b6b5859e9fc292dbf1f62787b19fb781f8f4b85c7b01d7e6
Instruction ID: f6f9b4e870865b26ff73bd1f5206b727004c61c2c8c0137931077aa3e548676b
Opcode Fuzzy Hash: 60eb08f47709c404b6b5859e9fc292dbf1f62787b19fb781f8f4b85c7b01d7e6
Instruction Fuzzy Hash: E9213870D09348DFCB01DBA8C9953DCBFF0EB06304F60C9EAC5469B652D2784A8ADB02

Function 00A6D3AF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2611075365.0000000000A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a6d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
Instruction ID: 8ae488c56e2b02fa357ce44c96587a67c31442215b9506319756e2439e74477a
Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
Instruction Fuzzy Hash: 6B11E676904280CFCF16CF10D5C4B56BF71FB94314F24C5A9D8490B656C336E856CBA1

Function 00B1A520 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2611422754.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b10000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47f00ed44e18604acadf82fa78a13cd9e229fe00a50eec45399b59e7142c1d64
Instruction ID: e0dbd01f39a27ef1206c8d2ab71bb2c4e1f1dce75b599325797160156dc2d46b
Opcode Fuzzy Hash: 47f00ed44e18604acadf82fa78a13cd9e229fe00a50eec45399b59e7142c1d64
Instruction Fuzzy Hash: BB019E713002185FE708EABA9855B6B66EAFFCD710F1084A9A10AEB391DD709C0187A0

Function 04B90DDF Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614351998.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b90000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 422d98f6ac4a12ca3acd511d3a179d1b135e464b56125d622ae9d9340b813783
Instruction ID: c3ac2f365ac603d3009aa1da51efab72e825ae9901abb409c817dcac7f37fa29
Opcode Fuzzy Hash: 422d98f6ac4a12ca3acd511d3a179d1b135e464b56125d622ae9d9340b813783
Instruction Fuzzy Hash: 37117670D08608AFEF01EFA5C95839EBBF1EB49304F20C4F6D4099B251D7745A86DB42

Function 04B90DF0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614351998.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b90000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a32003b02b14250c017fb57b7b1dc826931b10ca60cc864e63665256a8d335f
Instruction ID: e4b1377fcbb4333eba55197c1ba8f6b55dda82a396cc2b5228369ee3bd6b6cba
Opcode Fuzzy Hash: 3a32003b02b14250c017fb57b7b1dc826931b10ca60cc864e63665256a8d335f
Instruction Fuzzy Hash: D9111870E08509EFDB40EFA5D54835DBBF1EB88305F10C8F5D4099B255DB746A819B51

Function 00B11840 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2611422754.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b10000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e22857a6b4436487efb3ab4c90154ff67ca299121320393f47068f4633c5bdd
Instruction ID: 6fc5f5c0b917f670b8956adec12b56d6d27ae194cab7918d6a29faaa23b5593a
Opcode Fuzzy Hash: 0e22857a6b4436487efb3ab4c90154ff67ca299121320393f47068f4633c5bdd
Instruction Fuzzy Hash: 8911C570D04208EFDB40DFA9D5847EDBBF4EB04304FA0C9EAD609A7280E7749AC59B46

Function 00B11C80 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2611422754.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b10000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e62ebf378ff069c74201786718e59105f79c3749404b65ab8d680639289dafcb
Instruction ID: b9be555c5fb4ac505f52cb218549902a1a53ca194b2d7d05038fbe2090d67392
Opcode Fuzzy Hash: e62ebf378ff069c74201786718e59105f79c3749404b65ab8d680639289dafcb
Instruction Fuzzy Hash: 33F0E2725183548FCB11EB7CA85489E7FF4EF462103458AEEE04ACBA62CB71D8058F81

Function 00B12DF9 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2611422754.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b10000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26622dce1875af75d90b212ce1f65a6e7f272ddc7689d122d24512f4234225e4
Instruction ID: a8798007c09601fe4775d0c5534ecd290ba2ea6c4eacbf163ec42b1d843f1b68
Opcode Fuzzy Hash: 26622dce1875af75d90b212ce1f65a6e7f272ddc7689d122d24512f4234225e4
Instruction Fuzzy Hash: 32E06D356040208FC348DBB8E468B993BE1AF8821971541E9E50EDB326CA3288028F41

Function 00B13E30 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2611422754.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b10000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4b74b7997e179e1406186901a22a2ff462f62c2ee67a84e05e8d55b4638d48a
Instruction ID: d9461745617624ee4816f748965b1cd2c55824c638be895e9b6b89448b56b67d
Opcode Fuzzy Hash: b4b74b7997e179e1406186901a22a2ff462f62c2ee67a84e05e8d55b4638d48a
Instruction Fuzzy Hash: D6F0D478704201CFC704DF68D488AA977F2FB49710F9181E5E80A9F3A5EB30AD82DA50

Function 00B1093D Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2611422754.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b10000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8da0f2164117bc482574bfc05b7b9ceafdf42572ac6b20fbb1526355b960703
Instruction ID: 31c8d10b463de4c66de059da8aa5123398d413d9d2a6ac2eed8c6915c3db29e3
Opcode Fuzzy Hash: c8da0f2164117bc482574bfc05b7b9ceafdf42572ac6b20fbb1526355b960703
Instruction Fuzzy Hash: B9D0922148E7C85FC70353B05D6A484BF75AD0B01170E82DBD48ACB8A3C298049AC717

Function 00B12E47 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2611422754.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b10000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dcdc92237ec2663c5a318cde77f4aa6a442112a115acc8849b6315cb4ac9f21
Instruction ID: 7b7742230ac3d6b8f6e40d588c50ac87fef68297c931ac62e326b2d69ee0d822
Opcode Fuzzy Hash: 7dcdc92237ec2663c5a318cde77f4aa6a442112a115acc8849b6315cb4ac9f21
Instruction Fuzzy Hash: 0CE0EC396491908FCB02DBB898686DD3FB29FCA65571444ADE54BCB276CA234C478B44

Function 00B14F2C Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2611422754.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b10000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2c0548fe3d0a955d9c740eaaf5274988fd5de6230229b7932265775e1748f95
Instruction ID: fe6c604e2c11265b6a36b67a2a888dedc3c17b853a563136a52c9837b59c3d82
Opcode Fuzzy Hash: e2c0548fe3d0a955d9c740eaaf5274988fd5de6230229b7932265775e1748f95
Instruction Fuzzy Hash: 4DE04F397000149FDB06EB74EA989ADB7F3EF44340B1080B8E806AB3B1CF359C429B01

Function 00B1253D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2611422754.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b10000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 009d1726e533c69a7faf25728e0f0cc5c177ce5c53a888e3c3df23e704a4297f
Instruction ID: 9596b7b8d2a33b6a69f77b3c5f7a2a6c074c1d9db0a0b157146028cb88c031d2
Opcode Fuzzy Hash: 009d1726e533c69a7faf25728e0f0cc5c177ce5c53a888e3c3df23e704a4297f
Instruction Fuzzy Hash: 00E08C32844120CBEB25AB28D8847AD73E1EB00310F8689B4C6466F2A0CB705DCA8BD1

Function 00B12E58 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2611422754.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b10000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d58b3a36206fe936582e5936765f8778007852213a38b0b43f08ef3c342471c
Instruction ID: bb85fc46a620b3ca0d5201342e9ee4697753c35843d190182fd6a8a77cdb1b1b
Opcode Fuzzy Hash: 3d58b3a36206fe936582e5936765f8778007852213a38b0b43f08ef3c342471c
Instruction Fuzzy Hash: 65D0C9397142148FCB00ABF9E81C85D3BF9AF8966134140A5F50BC7370DF359C428B94

Function 00B11BF1 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2611422754.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b10000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6add86c3997ab6d4d9bddd67ab513414a37dc8307298d22df9b88b08d387ba4a
Instruction ID: 640764bbecf5b0ddb3ebcd9e4308624c913555827891e086ec3a7e8424a0f8b8
Opcode Fuzzy Hash: 6add86c3997ab6d4d9bddd67ab513414a37dc8307298d22df9b88b08d387ba4a
Instruction Fuzzy Hash: E5D05E219092C08FCF0697B45D283483F31EF03308F4988DAC648AF1A7C667288A8715

Function 00B162B5 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2611422754.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b10000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f238db1871ca2ec469b4557caf8c36b213e18f21fa722a3f6b8a6c8f50a5f65
Instruction ID: 47655111bbdd48512ef1f5dd3940789c96b88d81ea4a76127dad665b3187fdcf
Opcode Fuzzy Hash: 9f238db1871ca2ec469b4557caf8c36b213e18f21fa722a3f6b8a6c8f50a5f65
Instruction Fuzzy Hash: 55D0227A60A004CBCB02AB80C90E2CAFF70EB087D07204281E80A512A0D3354C229B80

Function 04B9194A Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614351998.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b90000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6f324ae9257d9c12b9cb3820d32f9bc7ed6c68cc4bad338b6eb07eed937e645
Instruction ID: 0c9f0d67b57a139c1728b776c8260bdec3702ca09dbfb97792559ad69e79c8ce
Opcode Fuzzy Hash: c6f324ae9257d9c12b9cb3820d32f9bc7ed6c68cc4bad338b6eb07eed937e645
Instruction Fuzzy Hash: 7CD012B5F002005FDF409BB45C1C21D75A1ABA5321F6D8A79541AC33D0EB348942DA02

Function 00B11C90 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2611422754.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b10000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c61e5bbdc4fdf7e4ad2638642fd2efd4baf6c2356b853187da4efdb66340e40
Instruction ID: 46b7e99c38b7a41cfc816b03798ecd816718849227c70f8d4d2b8665f5dcac27
Opcode Fuzzy Hash: 9c61e5bbdc4fdf7e4ad2638642fd2efd4baf6c2356b853187da4efdb66340e40
Instruction Fuzzy Hash: E9A0023104CA0C8B464077FD7D0E5AD7B9C9944697FC085D1F64D415135E66649245E6

Function 04B98A60 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614351998.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4b90000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b50a38f435fdb2157f874c6cf581b44ab02fd2a51521199b68e311b77c5c5b2f
Instruction ID: 518d3a42617559861b35629645e5f887008e66ca23df215438d7a318b3717cf7
Opcode Fuzzy Hash: b50a38f435fdb2157f874c6cf581b44ab02fd2a51521199b68e311b77c5c5b2f
Instruction Fuzzy Hash: 1DA02230002B0C82AA023AB8320023033CC080000C38000F8820C08E23083BF8B0C088

Function 00B10960 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2611422754.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b10000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4413ac476e877ad3dad490e8a78e8d55d07a0d9c6e59b03b3b78dfecc87b854
Instruction ID: 11d5b933f8e45ea5a01fb263d8d6ce93697a66ec11571a7cd7ecfb080f6c1a95
Opcode Fuzzy Hash: f4413ac476e877ad3dad490e8a78e8d55d07a0d9c6e59b03b3b78dfecc87b854
Instruction Fuzzy Hash: 7B90023204464C8B454067D57C095D5B75DB6489377854061E51D415115B9564A14595

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 8qQwTWK3jx.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Current.exe

C:\Users\user\AppData\Roaming\Current.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Current.vbs

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

Windows Analysis Report
8qQwTWK3jx.exe

Function 04D76228 Relevance: 86.4, Strings: 68, Instructions: 1353
COMMON

Function 04D77B9B Relevance: 21.8, Strings: 17, Instructions: 539
COMMON

Function 053C6FB0 Relevance: 15.6, Strings: 12, Instructions: 615
COMMON

Function 04D7E3F0 Relevance: 15.5, Strings: 12, Instructions: 454
COMMON

Function 053C6FAB Relevance: 6.4, Strings: 5, Instructions: 161
COMMON

Function 0525ECC8 Relevance: 5.3, Strings: 4, Instructions: 274
COMMON

Function 0525ECBB Relevance: 5.3, Strings: 4, Instructions: 272
COMMON